Thanks!
To summarize, I know now that I will definitely need
to maintain a DIT branch in my ldap server as an
additional source of reference for sysaccounts if
I want to be able to include them in centralized
posixgroups ...
... I have tried (-:
Thanks for your time!
---
Olivier
2012/3/14 Simo Sorce <simo(a)redhat.com>:
On Wed, 2012-03-14 at 21:17 +0100, Olivier wrote:
> Ok, I see the logic now (although I'm not completely
> convinced from a practical point of view, to be honest:
> a user name could be defined somewhere else, in a
> referral ldap for example. In that case, should it be an
> overall group consistency problem if a memberuid was
> unknown because a referral server is not accessible?).
>
memberuid cannot be resolved through a referral as it cannot contain a
DN :-)
However, if you use the "member" attribute and rfc2307bis you could end
up chasing a referral that is temporarily broken. In that case you'd
have a resolution issue, not an "unknown" member.
I am not sure how sssd would handle a referral problem in this case,
hopefully it would recognize the problem and just use a previously
cached value. If it is the first lookup it would have no choice but to
pretend the member did not exist until the next lookup.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel