id mapping, rfc2307 and real customer environments

Alexander Bokovoy ab at samba.org
Wed May 18 10:59:50 UTC 2016


On Wed, 18 May 2016, Volker Lendecke wrote:
> On Wed, May 18, 2016 at 08:51:05AM +0300, Alexander Bokovoy wrote:
> > > Recently I've taken a closer look at sssd, but I did not find out yet how
> > > to really properly integrate those two in more complex environments. You
> > > should open a call with RedHat for deeper questions about this I guess.
> > SSSD allows you to have multiple 'domains' in its configuration, each domain
> > representing one set of related resources. It is possible to make
> > separate configurations for rfc2307 and rid-based ranges associated with
> > different domains. As long as there is no overlap between them in
> > terms of ID ranges, it should just work.
> 
> Winbind also has the ability to have different configurations per domain.
> 
> On top, current master winbind has the ability to use overlapping
> ranges. So if you have more than one domain in a trusted environment and
> each domain has SFU mappings, there is no need anymore to separate mapping
> ranges. Of course this is well-defined only as long as the mappings do
> not collide, but in typical environments I would expect the admin to
> have taken care of it anyway.
> 
> The question here at hand is though: Can sssd be configured such that it
> looks at custom attributes for shared users pointing at UNIX.EXAMPLE.COM
> in a user-defined way and at the same time does Windows-only mappings in
> its own way? For winbind I'd use some script using the idmap script
> backend for the non-UNIX.EXAMPLE.COM domain configurations.
I don't think it is possible for a single domain. However, a 'domain' is
just a config in sssd.conf, so the same remote servers could be
exposed as separate 'domains'.

[domain/foo]
id_provider = ad
ad_server = dc.unix.example.com

[domain/bar]
id_provider = ldap
ldap_uri = ldap://dc.unix.example.com

and so on.

However, the problem here is that you cannot really set SSSD up in such
way that a single user entry would be retrieved from two different
places. It would have helped to see actual user entries from both LDAP
servers to understand how exactly these are stored and referred to each
other.

-- 
/ Alexander Bokovoy
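The thread's condition for running an rfc2307 domain next to a RID-mapped domain in sssd is that their ID ranges must not overlap. The script below is an added example, not code from this thread, from SSSD or from Samba: it parses an sssd.conf, derives the effective ID range of each [domain/...] section and reports any pair of domains whose ranges collide. The option names (min_id, max_id, ldap_id_mapping, ldap_idmap_range_min, ldap_idmap_range_max) are real sssd.conf options and the defaults used follow the sssd-ad and sssd-ldap man pages; the hostnames and the ranges in the two embedded configurations are constructed for illustration.

```python
import configparser
from typing import Dict, List, Tuple

# Linux uid_t/gid_t are 32-bit; used when max_id is 0 ("no upper bound").
UID_MAX = 2**32 - 1

# Constructed sssd.conf (assumed hostnames and ranges, not from the thread):
# 'unix' reads the rfc2307 POSIX attributes stored in AD and is fenced with
# min_id/max_id; 'corp' is RID-mapped and fenced with the idmap range.
SAMPLE_SSSD_CONF = """
[sssd]
domains = unix, corp

[domain/unix]
id_provider = ad
ad_server = dc.unix.example.com
ldap_id_mapping = False
min_id = 10000
max_id = 199999

[domain/corp]
id_provider = ad
ad_server = dc.corp.example.com
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
"""

# Same configuration with the RID range lowered so that it collides with
# the rfc2307 domain (constructed failure case).
SAMPLE_OVERLAPPING_CONF = SAMPLE_SSSD_CONF.replace(
    "ldap_idmap_range_min = 200000", "ldap_idmap_range_min = 100000")


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def parse_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (lowest_id, highest_id)} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ranges: Dict[str, Tuple[int, int]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        # min_id/max_id fence every domain; max_id = 0 means "no upper bound".
        lo = sec.getint("min_id", fallback=1)
        hi = sec.getint("max_id", fallback=0) or UID_MAX
        # ldap_id_mapping defaults to True for the ad provider, False otherwise.
        provider = sec.get("id_provider", fallback="").strip().lower()
        default_mapping = "true" if provider == "ad" else "false"
        if _truthy(sec.get("ldap_id_mapping", fallback=default_mapping)):
            # RID-mapped domain: IDs come from the idmap range (sssd defaults
            # 200000..2000200000), still clipped by min_id/max_id.
            lo = max(lo, sec.getint("ldap_idmap_range_min", fallback=200000))
            hi = min(hi, sec.getint("ldap_idmap_range_max", fallback=2000200000))
        ranges[section[len("domain/"):]] = (lo, hi)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str, int, int]]:
    """Return (domain_a, domain_b, first_shared_id, last_shared_id) for each colliding pair."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                overlaps.append((a, b, lo, hi))
    return overlaps


def check_conf(conf_text: str) -> List[str]:
    """Human-readable report: one line per domain, then one per collision."""
    ranges = parse_ranges(conf_text)
    lines = [f"{name}: {lo}..{hi}" for name, (lo, hi) in sorted(ranges.items())]
    for a, b, lo, hi in find_overlaps(ranges):
        lines.append(f"OVERLAP: {a} and {b} both cover {lo}..{hi}")
    return lines


if __name__ == "__main__":
    for label, conf in (("clean", SAMPLE_SSSD_CONF), ("overlapping", SAMPLE_OVERLAPPING_CONF)):
        print(f"--- {label} ---")
        print("\n".join(check_conf(conf)))
```

Run it against a real /etc/sssd/sssd.conf by passing the file contents to check_conf(); a non-empty OVERLAP line means the "no overlap" precondition from the thread does not hold and the two domains will hand out the same UIDs or GIDs for different objects.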
