Recently there has been a lot of activity in Trac surrounding our support for invoking the legacy shadow-utils tools for managing legacy files-based domains. This has raised some questions over the utility of this feature.
First of all, there is an unreasonable amount of code implemented to handle the logic of determining into which domain we're attempting to add a user.
Secondly, the legacy local users backend (provider=files) is the only non-native backend that we're providing any special handling for. I'm not sure I see the utility in exerting so much effort supporting a configuration we hope to be phasing out.
So my proposal is to have the sss_* tools support only the native local domain in the SSSD (provider=local). By extension, I also propose that we mandate that a valid config must have exactly one provider=local domain (it can hold whatever name the administrator desires, but it should always be there). There should never be more than one, as that doesn't really make sense and would similarly introduce the complexity of adding users to the domains.
In summary, I feel that the sssd commandline user and group tools should manipulate only the SSSD native local users and groups, and all configurations of the SSSD need to ensure that a native local domain is present.
Please raise questions and comments in reply to this message.
--
Stephen Gallagher
RHCE 804006346421761
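The "exactly one native local domain" rule proposed above, expressed as a config check. This is an added example, not code from the message or from the SSSD project; it assumes the sssd.conf layout of `[domain/NAME]` sections with an `id_provider` key (the message writes this as provider=local), and the sample configuration is constructed for the example.

```python
import configparser
from typing import List

# Constructed sample sssd.conf; not taken from the original message.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = LOCAL, LDAP

[domain/LOCAL]
id_provider = local

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    # interpolation=None so '%' in values is taken literally, as sssd does.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser


def local_domains(conf_text: str) -> List[str]:
    """Names of [domain/...] sections whose id_provider is 'local'."""
    parser = _parse(conf_text)
    names = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        if provider == "local":
            names.append(section[len("domain/"):])
    return names


def validate(conf_text: str) -> List[str]:
    """Return problems found; an empty list means the config satisfies the rule."""
    parser = _parse(conf_text)
    names = local_domains(conf_text)
    problems = []
    if not names:
        problems.append("no domain with id_provider = local")
    elif len(names) > 1:
        # Ambiguous target for the sss_* tools, exactly the case the proposal rules out.
        problems.append("more than one local domain: " + ", ".join(names))
    # The local domain must also be enabled in [sssd] domains = ... to be usable.
    enabled = [d.strip() for d in parser.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for name in names:
        if name not in enabled:
            problems.append("local domain %r is not listed in [sssd] domains" % name)
    return problems


if __name__ == "__main__":
    print(validate(SAMPLE_SSSD_CONF) or "config OK: one native local domain")
```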