On (20/01/14 18:33), Lukas Slebodnik wrote:
On (20/01/14 17:51), Sumit Bose wrote:
>On Wed, Jan 15, 2014 at 03:51:05PM +0100, Lukas Slebodnik wrote:
>> On (09/01/14 18:58), Sumit Bose wrote:
>> >Thank you for the clarifications, now all makes sense. If you want
>> >algorithmic mapping a domain SID is needed and since the plain LDAP
>> >provider does not know how to read them it has to be given by the
>> >configuration file. Using ldap_idmap_default_domain_sid will give us the
>> >domain SID with the side-effect of always using slice 0. If the plain
>> >LDAP provider was used before with this configuration it might have used
>> >a different slice. The slice number is stored in the cache, but if the
>> >cache is removed the new allocated slice will be 0 and UIDs and GIDs
>> >change.
>> >
>> >I think it would be better to introduce a new config option to cover
>> >this case and check this case explicitly in sdap_idmap_init(), i.e. if
>> >idmapping is requested and neither ldap_idmap_default_domain_sid or the
>> >new option is available it would be a config error.
>> >
>> I don't think we need a new option; we have many options and it is a
>> regression.
>>
>> I decided to solve it in another way. Updated patches are attached.
>
>ok, works for me. I also tested with IPA and AD provider and didn't see
>an issue.
>
>ACK.
>
>You have not resent your original first patch. I think the change is
>still valid, although with your new approach it is not necessary to fix
>the given issue. Do you think it should be committed as well, or do you
>have concerns?
>
>bye,
>Sumit
>
I didn't send patch "Fall back to another method if sid is wrong"
because patch "LDAP: update id mapping detection for ldap provider"
solved this problem.
sss_idmap_domain_has_algorithmic_mapping can return error code
IDMAP_SID_INVALID only if dom_sid is NULL and I am not sure whether it can
happen with AD provider.
If you think it is a good idea I can resend all 3 patches.
LS
I am sending all three patches together after IRC discussion with
Sumit.
LS
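The regression Sumit describes above (a domain that was mapped into one slice before the cache was removed, and lands in slice 0 afterwards) is easiest to see with numbers. The following is an added illustration written for this thread, not code from SSSD or from either of the patch authors. It assumes the additive layout SSSD uses for algorithmic mapping (UNIX id = ldap_idmap_range_min + slice * ldap_idmap_range_size + RID, with the documented defaults of 200000 for both options), a constructed domain SID, and a constructed cache entry that says the domain previously sat in slice 3; real SSSD picks a fresh slice by hashing the domain SID, which this example replaces with a plain dictionary.

```python
# Defaults of ldap_idmap_range_min and ldap_idmap_range_size in sssd.conf
# (assumed here; adjust if your configuration overrides them).
RANGE_MIN = 200000
RANGE_SIZE = 200000


def split_sid(sid):
    """Split an object SID such as S-1-5-21-a-b-c-RID into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain object SID: %s" % sid)
    domain_sid = "-".join(parts[:-1])
    return domain_sid, int(parts[-1])


def sid_to_unix(sid, domain_sid, slice_no,
                range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Algorithmic SID -> UNIX id for a domain that owns a given slice."""
    obj_dom, rid = split_sid(sid)
    if obj_dom != domain_sid:
        raise ValueError("SID %s does not belong to domain %s" % (sid, domain_sid))
    if rid >= range_size:
        # A RID beyond the slice size cannot be mapped into this range.
        raise ValueError("RID %d does not fit into a slice of %d ids" % (rid, range_size))
    return range_min + slice_no * range_size + rid


def slice_for_domain(cache, domain_sid, default_slice):
    """Return the slice stored in the cache, or allocate default_slice if unknown.

    The cache stands in for the sysdb range records SSSD keeps on disk; the
    default_slice stands in for what ldap_idmap_default_domain_sid forces (0).
    """
    if domain_sid not in cache:
        cache[domain_sid] = default_slice
    return cache[domain_sid]


def demonstrate_cache_loss():
    """Map the same user before and after the cache is wiped; returns both ids."""
    domain_sid = "S-1-5-21-1111-2222-3333"      # constructed domain SID
    user_sid = domain_sid + "-1105"              # constructed user RID 1105

    # Before: the cache already records that this domain was given slice 3.
    cache = {domain_sid: 3}
    uid_before = sid_to_unix(user_sid, domain_sid,
                             slice_for_domain(cache, domain_sid, 0))

    # After: cache removed, ldap_idmap_default_domain_sid forces slice 0.
    cache = {}
    uid_after = sid_to_unix(user_sid, domain_sid,
                            slice_for_domain(cache, domain_sid, 0))
    return uid_before, uid_after


if __name__ == "__main__":
    before, after = demonstrate_cache_loss()
    print("uid before cache removal: %d" % before)
    print("uid after cache removal:  %d" % after)
    print("changed" if before != after else "stable")
```

With the defaults, RID 1105 in slice 3 maps to 801105 and in slice 0 to 201105, so every file owned by that user on the box would change owner after a cache wipe. That is why a slice derived only from the configured default domain SID is a compatibility hazard for existing deployments, and why the slice number has to survive the cache or be reproducible from the domain SID alone.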