URL:
https://github.com/SSSD/sssd/pull/21
Title: #21: IFP: expose user and group unique IDs through DBus
jhrozek commented:
"""
On Mon, Sep 19, 2016 at 02:49:21AM -0700, tequeter wrote:
> > I considered using the gid provided by SSSD for that purpose (but it is not
> > guaranteed to be consistent on all computers, from sssd-ldap(5)/ID MAPPING),
>
> Could you quote please?
From sssd-ldap(5):
> NOTE: It is possible to encounter collisions in the hash and subsequent modulus. In
> these situations, we will select the next available slice, but it may not be possible to
> reproduce the same exact set of slices on other machines (since the order that they are
> encountered will determine their slice).
The customer will be performing authorization at application level by matching the group
identifiers to identifiers "well known" to the application. Thus they must have
a value guaranteed to be identical everywhere.
In that regard GUIDs seem rock-solid, while hashed values sound more like leaving a ticking
bomb behind me (new domains, mergers, etc.)
As for `user_attributes`: it's not available for groups, only for users. It would
have fit the bill perfectly otherwise.
I wonder if it would be more systematic to implement "group_attributes".
And another question -- why did you choose GUIDs and not SIDs?
"""
See the full comment at
https://github.com/SSSD/sssd/pull/21#issuecomment-247958333
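
The slice behaviour described in the sssd-ldap(5) note quoted above, as an added example that is neither part of the original comment nor SSSD's own code: two hosts that encounter the same two colliding domains in opposite order map the same group to different gids. CRC32 stands in for SSSD's hash function, the gid formula is simplified, and the slice count, range values, domain SIDs and RID are all constructed.

```python
import zlib

SLICES = 8           # constructed: tiny slice count so a collision is easy to show
RANGE_MIN = 200000   # illustrative start of the mapped ID range
RANGE_SIZE = 200000  # illustrative number of IDs per slice

def preferred_slice(domain_sid):
    """Hash then modulus. CRC32 is a stand-in, not SSSD's hash function."""
    return zlib.crc32(domain_sid.encode()) % SLICES

def assign_slices(domain_sids):
    """Give each domain a slice in encounter order; on collision take the next free one."""
    if len(set(domain_sids)) > SLICES:
        raise ValueError("more domains than slices")
    assigned = {}
    for sid in dict.fromkeys(domain_sids):  # de-duplicate, keep encounter order
        s = preferred_slice(sid)
        while s in assigned.values():
            s = (s + 1) % SLICES
        assigned[sid] = s
    return assigned

def mapped_gid(domain_sid, rid, assigned):
    """Simplified mapping: start of the domain's slice plus the group's RID."""
    return RANGE_MIN + assigned[domain_sid] * RANGE_SIZE + rid

def colliding_pair():
    """Return two constructed domain SIDs with the same preferred slice."""
    seen = {}
    for n in range(SLICES + 1):  # pigeonhole: SLICES + 1 SIDs must collide
        sid = f"S-1-5-21-1000-2000-{3000 + n}"
        s = preferred_slice(sid)
        if s in seen:
            return seen[s], sid
        seen[s] = sid

def same_group_on_two_hosts(rid=1104):
    """Same group (domain a, constructed RID) on hosts that met the domains in opposite order."""
    a, b = colliding_pair()
    host1 = assign_slices([a, b])  # host 1 saw domain a first
    host2 = assign_slices([b, a])  # host 2 saw domain b first
    return mapped_gid(a, rid, host1), mapped_gid(a, rid, host2)

if __name__ == "__main__":
    print(same_group_on_two_hosts())
```

An application that authorizes on these gids would see two different identifiers for one group, whereas an identifier stored in the directory itself does not depend on encounter order.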