Re: [SSSD] [PATCH] LDAP: Add AD 2008r2 schema

> On Tue, 2012-03-13 at 16:21 +0100, Jan Zelený wrote: > > > Fixes https://fedorahosted.org/sssd/ticket/1031 > > > > > > This patch creates a set of schema defaults that corresponds to Active > > > Directory 2008r2. It can be set up simply by specifying > > > ldap_schema = AD > > > > > > Operationally, it behaves like any other RFC2307bis server at this > > > time. This patch does not remove the requirement for SFU/SUA support > > > in Active Directory. More enhancements will follow to add support for > > > AD-specific features. > > > > I have couple questions/notes based on observation of values on my > > testing AD instance: > > > > Attribute gecos is apparently not filled by default, wouldn't it be > > better to use cn? > > This is actually the same behavior as on other LDAP servers. The > expectation is that the GECOS field should be used if it's not empty, > otherwise it should default to the user's full name. In the SSSD, we > first check for the 'gecos' attribute and then go to ldap_user_fullname > (which in the case of RFC 2307 would be "cn", but in AD is "name"). > > > I didn't find attribute authorizedService in the AD attribute > > specification, is it correct? > > Hmm, I was actually inconsistent here. I was leaving this in for the > rare case where an AD admin decided to extend schema to support this. > However, I made the opposite decision about ldap_user_authorized_host. > > Probably it's acceptable to set this to NULL and rely on the admin to > change it if they end up extending the schema. Fixed in attached patch. Ack