On Tue, Jan 21, 2014 at 12:05:19PM +0100, Lukas Slebodnik wrote:
On (20/01/14 18:33), Lukas Slebodnik wrote:
>On (20/01/14 17:51), Sumit Bose wrote:
>>On Wed, Jan 15, 2014 at 03:51:05PM +0100, Lukas Slebodnik wrote:
>>> On (09/01/14 18:58), Sumit Bose wrote:
>>> >Thank you for the clarifications, now all makes sense. If you want
>>> >algorithmic mapping a domain SID is needed and since the plain LDAP
>>> >provider does not know how to read them it has to be given by the
>>> >configuration file. Using ldap_idmap_default_domain_sid will give us the
>>> >domain SID with the side-effect of always using slice 0. If the plain
>>> >LDAP provider was used before with this configuration it might have used
>>> >a different slice. The slice number is stored in the cache, but if the
>>> >cache is removed the newly allocated slice will be 0 and UIDs and GIDs
>>> >change.
>>> >
>>> >I think it would be better to introduce a new config option to cover
>>> >this case and check this case explicitly in sdap_idmap_init(), i.e. if
>>> >idmapping is requested and neither ldap_idmap_default_domain_sid nor the
>>> >new option is available it would be a config error.
>>> >
>>> I don't think we need a new option; we have many options and it is a
>>> regression.
>>>
>>> I decided to solve it in another way. Updated patches are attached.
>>
>>ok, works for me. I also tested with IPA and AD provider and didn't see
>>an issue.
>>
>>ACK.
>>
>>You have not resent your original first patch. I think the change is
>>still valid, although with your new approach it is not necessary to fix
>>the given issue. Do you think it should be committed as well, or do you
>>have concerns?
>>
>>bye,
>>Sumit
>>
>
>I didn't send patch "Fall back to another method if sid is wrong"
>because patch "LDAP: update id mapping detection for ldap provider"
>solved this problem.
>
>sss_idmap_domain_has_algorithmic_mapping can return error code
>IDMAP_SID_INVALID only if dom_sid is NULL and I am not sure whether it can
>happen with AD provider.
>
>If you think it is a good idea I can resend all 3 patches.
>
>LS
I am sending all three patches together after IRC discussion with
Sumit.
LS
I tested this patchset with both id_provider=ldap with ID mapping and AD
provider and both work fine.
ACK