Hi,
>> Well, I would like to see something like 'adquery' or 'adinfo' from
>> Centrify - i.e. a tool that would:
>> 1. enumerate maps like group, passwd, automount... getent cannot do
>> everything
> This only works with AD because there is an alternative RPC-based
> mechanism to ask for this information. In the general LDAP case, SSSD
> can't get any more information than 'getent' is permitted.
>
>> 2. Display information about a user (account active, disabled,
>> locked,...)
> This is again not always possible to determine. Most LDAP servers use
> server-side policy controls. We basically can't learn this information
> until we try to authenticate in many cases.
But would it make sense to have a tool that would provide this info
based on the local cache?
This proposal reminds me of an IRC conversation a year or so ago, when I
suggested something like sss_search which administrators could use to
check, for example, which domain a user on a system is coming from.
Of course it should be possible to dig out that information by grepping
logs or by using ldapsearch, but with several domains configured (and in
the future trusts and sub-domains also in play) it's getting a bit
laborious to manually construct LDAP queries for each domain or plunge
into cache files to find out information about a user's origin or group
memberships instead of just doing something like "sss_search -u jdoe",
just as Ondrej says.
If a specific action Ondrej suggests wouldn't work with certain types of
domains, the tool could just inform the administrator about the fact that
those domains are not included in the results. The administrator could
then decide next steps depending on the situation at hand; at least all
the information possible to retrieve on the client side for the domains
configured would be easily available.
Thanks,
--
Marko Myllynen
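As an added example (not SSSD's code, and not the sss_search tool proposed in this thread, which did not exist at the time), the following POSIX shell script approximates "sss_search -u jdoe" using only what a client already has: it reads the domains list from the [sssd] section of sssd.conf, asks each domain through the NSS front end with the fully-qualified user@domain form via getent and id, and finishes by naming the domains that gave no answer rather than silently leaving them out of the results, as the message above proposes. The config path default, the function names and the sample config fed to it in the usage note are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not SSSD code: approximate "sss_search -u user" by
# querying each configured SSSD domain through getent/id and reporting
# the domains that returned nothing instead of dropping them silently.

# Print the domains listed in the [sssd] section of an sssd.conf read
# from stdin, one per line is not needed: output is space separated.
sss_domains() {
    awk -F= '
        /^\[/ { insect = ($0 == "[sssd]"); next }
        insect && $1 ~ /^[ \t]*domains[ \t]*$/ {
            gsub(/[ \t]/, "", $2)   # strip blanks around the names
            gsub(/,/, " ", $2)      # "a,b" -> "a b"
            print $2
        }'
}

# Look a user up in one domain via the fully-qualified user@domain form.
# Prints "found <domain> <passwd entry>" or "missing <domain>".
# Note: getent cannot tell "user not in this domain" from "domain did
# not answer"; both end up as "missing" here.
sss_lookup_in() {
    user=$1; domain=$2
    entry=$(getent passwd "$user@$domain" 2>/dev/null)
    if [ -n "$entry" ]; then
        printf 'found %s %s\n' "$domain" "$entry"
        return 0
    fi
    printf 'missing %s\n' "$domain"
    return 1
}

# The sss_search -u equivalent: try every configured domain, print the
# group memberships SSSD resolves for each hit, then summarize which
# domains are not represented in the results. Returns 0 on any hit.
sss_search_user() {
    user=$1; conf=${2:-/etc/sssd/sssd.conf}   # assumed default path
    found=0; missing=""
    for d in $(sss_domains < "$conf"); do
        if sss_lookup_in "$user" "$d"; then
            found=$((found + 1))
            id "$user@$d" 2>/dev/null || true
        else
            missing="$missing $d"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no answer from domains:$missing (not included in results)"
    fi
    [ "$found" -gt 0 ]
}

# Usage: ./sss_search.sh jdoe [/path/to/sssd.conf]
if [ $# -ge 1 ]; then
    sss_search_user "$@"
fi
```

Run it as a regular user on a client with SSSD enabled in nsswitch.conf; it needs no access to /var/lib/sss/db. Where the remote provider would not allow a given lookup, the domain simply appears in the trailing "no answer" line, which matches the behaviour suggested in the message: report what could not be resolved and leave the decision to the administrator. Later SSSD releases ship sssctl (with domain-list and user-show subcommands) which covers much of this from the cache directly.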