On Tue, 2012-03-13 at 16:21 +0100, Jan Zelený wrote:
> Fixes https://fedorahosted.org/sssd/ticket/1031
>
> This patch creates a set of schema defaults that corresponds to Active
> Directory 2008r2. It can be set up simply by specifying
> ldap_schema = AD
>
> Operationally, it behaves like any other RFC2307bis server at this time.
> This patch does not remove the requirement for SFU/SUA support in Active
> Directory. More enhancements will follow to add support for AD-specific
> features.
> I have a couple of questions/notes based on observation of values on my
> testing AD instance:
>
> Attribute gecos is apparently not filled by default, wouldn't it be better
> to use cn?
This is actually the same behavior as on other LDAP servers. The
expectation is that the GECOS field should be used if it's not empty,
otherwise it should default to the user's full name. In the SSSD, we
first check for the 'gecos' attribute and then go to ldap_user_fullname
(which in the case of RFC 2307 would be "cn", but in AD is "name").
> I didn't find attribute authorizedService in the AD attribute
> specification, is it correct?
Hmm, I was actually inconsistent here. I was leaving this in for the
rare case where an AD admin decided to extend schema to support this.
However, I made the opposite decision about ldap_user_authorized_host.
Probably it's acceptable to set this to NULL and rely on the admin to
change it if they end up extending the schema. Fixed in attached patch.
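The lookup order described in the reply (use 'gecos' when it is present and non-empty, otherwise fall back to the ldap_user_fullname attribute, which is "cn" for RFC 2307 and "name" for AD) as an added, stand-alone illustration. This is not SSSD code: the schema tables, the option names other than ldap_user_fullname, the treatment of an unset attribute as "do not request it", and the directory entries are assumptions constructed for the example.

```python
# Added example (not SSSD's implementation). Illustrative per-schema
# attribute defaults: only the gecos/fullname names come from the thread,
# the rest is assumed for demonstration.
SCHEMA_DEFAULTS = {
    "rfc2307bis": {
        "ldap_user_gecos": "gecos",
        "ldap_user_fullname": "cn",
        "ldap_user_authorized_service": "authorizedService",
    },
    "AD": {
        "ldap_user_gecos": "gecos",
        "ldap_user_fullname": "name",
        # Unset by default: an admin who extends the AD schema sets it.
        "ldap_user_authorized_service": None,
    },
}


def _first_nonempty(entry, attr):
    """Return the first non-empty value of a multi-valued LDAP attribute,
    or None when the attribute is absent or holds only empty strings."""
    if attr is None:
        return None
    for value in entry.get(attr, []):
        if value.strip():
            return value
    return None


def resolve_gecos(entry, schema):
    """GECOS field for a user entry: 'gecos' first, then the schema's
    full-name attribute. Empty gecos counts as not filled."""
    defaults = SCHEMA_DEFAULTS[schema]
    gecos = _first_nonempty(entry, defaults["ldap_user_gecos"])
    if gecos is not None:
        return gecos
    return _first_nonempty(entry, defaults["ldap_user_fullname"])


def attrs_to_request(schema):
    """Attributes a lookup would ask the server for; options left unset
    (None) are skipped so nothing is requested for an attribute the
    default schema does not have."""
    return sorted({v for v in SCHEMA_DEFAULTS[schema].values() if v})


# Constructed sample entries (attribute name -> list of values, as LDAP
# returns them). Not taken from any real directory.
AD_ENTRY_NO_GECOS = {"sAMAccountName": ["jdoe"], "name": ["Jane Doe"]}
AD_ENTRY_EMPTY_GECOS = {"sAMAccountName": ["jdoe"], "name": ["Jane Doe"],
                        "gecos": [""]}
AD_ENTRY_WITH_GECOS = {"sAMAccountName": ["jdoe"], "name": ["Jane Doe"],
                       "gecos": ["Jane Doe, Room 12"]}
RFC_ENTRY = {"uid": ["jdoe"], "cn": ["Jane Doe"]}

if __name__ == "__main__":
    for label, entry in [("AD, no gecos", AD_ENTRY_NO_GECOS),
                         ("AD, empty gecos", AD_ENTRY_EMPTY_GECOS),
                         ("AD, gecos set", AD_ENTRY_WITH_GECOS)]:
        print(f"{label}: {resolve_gecos(entry, 'AD')}")
    print("rfc2307bis:", resolve_gecos(RFC_ENTRY, "rfc2307bis"))
    print("AD attrs requested:", attrs_to_request("AD"))
```

The AD default keeps 'gecos' first in the chain, so a site that does populate it on its AD objects still gets that value, while a plain AD object without it produces the 'name' value the thread describes.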