>From de55ac7877f437068448cd8be132caeee0c4dc5a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 25 Feb 2014 17:09:00 +0100 Subject: [PATCH] MAN: Clarify that changing ID mapping options might require purging the cache https://fedorahosted.org/sssd/ticket/2252 Currently SSSD chokes when IDs of users change, we don't support ID changes yet. Because some users were confused about the failures, this patch adds additional clarification. --- src/man/include/ldap_id_mapping.xml | 42 +++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml index 9dda399243bfd1725509c239d3358f2ef7501014..64d2c159d3b7ea0d946dbbdd6d8ab0e38bcd92d5 100644 --- a/src/man/include/ldap_id_mapping.xml +++ b/src/man/include/ldap_id_mapping.xml @@ -12,6 +12,48 @@ need to use manually-assigned values, ALL values must be manually-assigned. + + Please note that changing the ID mapping related configuration + options will cause user and group IDs to change. At the moment, + SSSD does not support changing IDs, so the SSSD database must + be removed. Because cached passwords are also stored in the + database, removing the database should only be performed while + the authentication servers are reachable, otherwise users might + get locked out. In order to cache the password, an authentication + must be performed. It is not sufficient to use + + sss_cache + 8 + + to remove the database, rather the process + consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment + of other system properties such as file and directory ownership, + it's advisable to plan ahead and test the ID mapping configuration + thoroughly. + Mapping Algorithm -- 1.8.5.3
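Review bot: the "Removing the database" step in the added list does not say which files make up the SSSD database or where they are found, so an administrator following the four steps still has to look that up elsewhere; name the location in that list item or point to the man page that documents it. The sentence "In order to cache the password, an authentication must be performed" also sits awkwardly between the lock-out warning and the sss_cache remark. It would read better after "Starting the SSSD service", as a note that each user has to authenticate once while the servers are reachable before a cached password exists again. Finally, "It is not sufficient to use sss_cache to remove the database" would be more useful with a short clause saying why sss_cache is not enough, since the commit message says users were already confused by these failures.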