On Mon, 2012-04-23 at 20:09 +0200, Stef Walter wrote:
In order to support the AD Domain\User style and the more usual kerberos user@realm style, sssd needs per domain re_expression and full_name_format options.
Attached is a rough patch implementing per domain qualified user names.
When discussing it on IRC we came up with the following plan: In order to prevent conflicts between the regular expressions for different domains, we parse with a domains regular expression and then check that the resulting domain matches that domain's name.
It's not clear that we should support 'null-domains' in these regular expressions and sss_parse_name_for_domains(). There's a TODO in the patch to sort this out. It may be that we choose to have callers of sss_parse_name_for_domains() which can accept unqualified user domains use the full input string when parsing into a qualified name fails.
In other words, sss_parse_name_for_domains() would not support returning a NULL *domain.
The global re_expression and full_name_format options remain as defaults for the domains.
This patch is especially important for Samba integration. Samba only allows Domain\User format, with the exception that the slash can be replaced with another character.
Doesn't this end up running potentially the same regex over and over for each domain we have configured ? Wouldn't it make sense to detect how many different regexes we actually have (in the default case just one, the same for all domains) and just run them once ? Then we can sort out which of the domains using that regex is being addressed ... or is there something I am missing ?
Simo.