On 03/06/2017 02:49 PM, Jakub Hrozek wrote:

Hi,

I prepared a design page for a new feature about fetching and authenticating non-POSIX users: https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html

For your convenience, I'm also copying the .rst text below:

Support for non-POSIX users and groups

Related ticket(s):

https://pagure.io/SSSD/sssd/issue/3310

I find this document quite hard to understand, so I want to ensure I get it right:

1) You can't have one domain that return both posix and non-posix users. 2) PAM is allowed to login a non-posix users for given services. 3) If CACHE_REQ_APP is used, non-posix domains are searched first then posix domains. 4) If CACHE_REQ_POSIX is used, non-posix domains are skipped. 5) Non-posix domains require fully qualified name. 6) Posix users return only posix groups membership. 7) Non-posix users return both posix and non-posix membership.

Is this right? Did I miss something important?