URL: https://github.com/SSSD/sssd/pull/21 Title: #21: IFP: expose user and group unique IDs through DBus
jhrozek commented: """ On Mon, Sep 19, 2016 at 02:49:21AM -0700, tequeter wrote:
I considered using the gid provided by SSSD for that purpose (but it is not guaranteed to be consistent on all computers, from sssd-ldap(5)/ID MAPPING),
Could you quote please?
From sssd-ldap(5):
NOTE: It is possible to encounter collisions in the hash and subsequent modulus. In these situations, we will select the next available slice, but it may not be possible to reproduce the same exact set of slices on other machines (since the order that they are encountered will determine their slice).
The customer will be performing authorization at application level by matching the group identifiers to identifiers "well known" to the application. Thus they must have a value guaranteed to be identical everywhere.
In that regard GUIDs seem rock-solid, while hashed values sound more like leaving a ticking bomb behind me (new domains, mergers etc.)
As for ```user_attributes```: it's not available for groups, only for users. It would have fit the bill perfectly otherwise.
I wonder if it was more systematic to implement "group_attributes".
And another question -- why did you choose GUIDs and not SIDs?
"""
See the full comment at https://github.com/SSSD/sssd/pull/21#issuecomment-247958333
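The sssd-ldap(5) note quoted in this comment, modelled as an added example (not SSSD code and not written by anyone in the thread): two hosts that meet the same two colliding domains in a different order map the same group to different GIDs. SHA-256 stands in for the real hash, and the slice count, range size, lower bound and domain SIDs are constructed assumptions.

```python
import hashlib
from itertools import count

SLICES = 16            # assumed slice count (small, so collisions are easy to find)
RANGE_SIZE = 200_000   # assumed number of IDs per slice
ID_MIN = 200_000       # assumed lower bound of the mapped ID range

def preferred_slice(domain_sid):
    """Hash the domain SID, then take the modulus with the slice count.
    SHA-256 is a stand-in hash chosen for this example."""
    digest = hashlib.sha256(domain_sid.encode()).digest()
    return int.from_bytes(digest[:4], "big") % SLICES

def assign_slices(domains_in_order):
    """Give each domain its preferred slice, or the next free one on collision."""
    if len(set(domains_in_order)) > SLICES:
        raise ValueError("more domains than slices")
    taken = {}
    for sid in domains_in_order:
        s = preferred_slice(sid)
        while s in taken.values():      # collision: move to the next slice
            s = (s + 1) % SLICES
        taken[sid] = s
    return taken

def map_gid(slices, domain_sid, rid):
    """POSIX GID for a group RID placed inside its domain's slice."""
    return ID_MIN + slices[domain_sid] * RANGE_SIZE + rid

def colliding_pair():
    """Find two constructed domain SIDs that prefer the same slice."""
    seen = {}
    for n in count(1):
        sid = f"S-1-5-21-1000-2000-{n}"  # constructed sample SID
        s = preferred_slice(sid)
        if s in seen:
            return seen[s], sid
        seen[s] = sid

if __name__ == "__main__":
    a, b = colliding_pair()
    host1 = assign_slices([a, b])        # host 1 encounters domain a first
    host2 = assign_slices([b, a])        # host 2 encounters domain b first
    for name, slices in (("host1", host1), ("host2", host2)):
        print(name, "GID for RID 513 of", a, "=", map_gid(slices, a, 513))
```

An authorization check keyed on the mapped GID would therefore match on one host and not on the other, while a check keyed on the directory's own identifier for the group is unaffected by encounter order.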