On 03/07/2017 01:33 PM, Jakub Hrozek wrote:
On Tue, Mar 07, 2017 at 01:18:36PM +0100, Pavel Březina wrote:
On 03/07/2017 01:16 PM, Pavel Březina wrote:
On 03/06/2017 02:49 PM, Jakub Hrozek wrote:
Hi,
I prepared a design page for a new feature about fetching and authenticating non-POSIX users: https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html
For your convenience, I'm also copying the .rst text below:
Support for non-POSIX users and groups
Related ticket(s):
https://pagure.io/SSSD/sssd/issue/3310I find this document quite hard to understand, so I want to ensure I get it right:
- You can't have one domain that return both posix and non-posix users.
- PAM is allowed to login a non-posix users for given services.
- If CACHE_REQ_APP is used, non-posix domains are searched first then
posix domains. 4) If CACHE_REQ_POSIX is used, non-posix domains are skipped. 5) Non-posix domains require fully qualified name. 6) Posix users return only posix groups membership. 7) Non-posix users return both posix and non-posix membership.
And 8) You can have two users, one posix, one non-posix with the same name.
In theory yes, but I don't think this would be too common. In general you could have two entries, one with objectclass user, the other with objectclass posixUser where each domain would use a different attribute for the username. But even so, I think the current scheme would protect us against these strange setups.
If find this rather complicated at least from what we talked about on irc. If I recall correctly, we leaned in a way that we always download the user whether it is posix or not and then let the caller decide if it should be returned by sssd. I.e.
if !non_posix_users_enabled(domain) then download only posix users else download user even if it is non posix
In NSS (and other posix responders) we would return ENOENT for non-posix users. In IFP we would not care (or care if we change API to select).
This wouldn't require the domain separation. What were the reasons to not use this approach?