On Mon, Apr 23, 2012 at 08:09:17PM +0200, Stef Walter wrote:
In order to support the AD Domain\User style and the more usual Kerberos user@realm style, sssd needs per domain re_expression and full_name_format options.
Attached is a rough patch implementing per domain qualified user names.
When discussing it on IRC we came up with the following plan: In order to prevent conflicts between the regular expressions for different domains, we parse with a domain's regular expression and then check that the resulting domain matches that domain's name.
It's not clear that we should support 'null-domains' in these regular expressions and sss_parse_name_for_domains(). There's a TODO in the patch to sort this out. It may be that we choose to have callers of sss_parse_name_for_domains() which can accept unqualified user domains use the full input string when parsing into a qualified name fails.
In other words, sss_parse_name_for_domains() would not support returning a NULL *domain.
I'm not sure if I understand the comment in the code: + ...and change callers use orig directly as a user name, + * if caller can continue without a domain? + */
Why should the caller have a problem with the NULL domain?
The global re_expression and full_name_format options remain as defaults for the domains.
This patch is especially important for Samba integration. Samba only allows Domain\User format, with the exception that the slash can be replaced with another character.
Cheers,
Stef
I only have some nitpicks:
- can you also rename CONFDB_MONITOR_NAME_REGEX and CONFDB_MONITOR_FULL_NAME_FORMAT (maybe just drop the MONITOR_ part). The name is a little confusing now that the option can be used outside the [sssd] section.
- some places in the patch use the old numeric DEBUG levels: + DEBUG(4, ("name '%s' did not match any domain's expression\n", orig)); Can you change them to the new SSSDBG_ macros?
sss_process_init(): + /* TODO: Should we do this in confdb_get_domains? */ + ret = sss_names_init(rctx->cdb, rctx->cdb, dom->name, &dom->names);
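Review bot: the sss_names_init() call in sss_process_init() passes rctx->cdb as both its first and second argument; if the first parameter is the allocation context for the result, dom->names is tied to the confdb context rather than to dom or rctx, so passing one of those would make ownership of the per-domain names explicit. The quoted lines end at the assignment to ret, so it is also worth confirming that a failure for one domain is checked before dom->names is used.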
I think that sss_process_init is OK.
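The plan described in the thread (parse with each domain's own expression, then accept the result only if the captured domain is that same domain), as an added example that is not part of the original messages or of the SSSD patch. The domain names, the patterns and the function names parse_name_for_domains and resolve are assumptions made for illustration; resolve shows the caller-side fallback to the full input string that the thread mentions.

```python
import re

# Constructed configuration: domain names and patterns are illustrative only.
DOMAIN_RE = {
    "AD": r"(?P<domain>[^\\]+)\\(?P<name>.+)",          # Domain\User
    "EXAMPLE.COM": r"(?P<name>[^@]+)@(?P<domain>.+)",   # user@realm
}
COMPILED = {dom: re.compile(rx) for dom, rx in DOMAIN_RE.items()}


def parse_name_for_domains(orig):
    """Return (domain, name), or (None, None) if no domain claims the input.

    A domain's expression only counts when the domain it captures is that
    same domain, so one domain's syntax cannot claim a name for another.
    """
    for dom, rx in COMPILED.items():
        m = rx.fullmatch(orig)
        if m is None:
            continue
        # Case-insensitive comparison is an assumption of this example.
        if m.group("domain").casefold() == dom.casefold():
            return dom, m.group("name")
    return None, None


def resolve(orig):
    """Caller-side fallback: treat unparsed input as an unqualified name."""
    dom, name = parse_name_for_domains(orig)
    return (dom, name) if dom is not None else (None, orig)


if __name__ == "__main__":
    # Constructed inputs covering both styles and two cross-domain mismatches.
    for s in ["AD\\alice", "bob@example.com", "bob@AD", "EXAMPLE.COM\\carol", "dave"]:
        print(repr(s), "->", resolve(s))
```

Without the domain check, "bob@AD" would be accepted by the user@realm expression and "EXAMPLE.COM\carol" by the Domain\User expression, which is the conflict the plan is meant to prevent.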