Fixes https://fedorahosted.org/sssd/ticket/1031
This patch creates a set of schema defaults that correspond to Active Directory 2008r2. It can be set up simply by specifying ldap_schema = AD.
Operationally, it behaves like any other RFC2307bis server at this time. This patch does not remove the requirement for SFU/SUA support in Active Directory. More enhancements will follow to add support for AD-specific features.
I have a couple of questions/notes based on observation of values on my testing AD instance:
Attribute gecos is apparently not filled by default; wouldn't it be better to use cn?
I didn't find attribute authorizedService in the AD attribute specification; is it correct?
Thanks Jan
On Tue, 2012-03-13 at 16:21 +0100, Jan Zelený wrote:
> I have a couple of questions/notes based on observation of values on my testing AD instance:
> Attribute gecos is apparently not filled by default; wouldn't it be better to use cn?
This is actually the same behavior as on other LDAP servers. The expectation is that the GECOS field should be used if it's not empty, otherwise it should default to the user's full name. In the SSSD, we first check for the 'gecos' attribute and then go to ldap_user_fullname (which in the case of RFC 2307 would be "cn", but in AD is "name").
> I didn't find attribute authorizedService in the AD attribute specification; is it correct?
Hmm, I was actually inconsistent here. I was leaving this in for the rare case where an AD admin decided to extend schema to support this. However, I made the opposite decision about ldap_user_authorized_host.
Probably it's acceptable to set this to NULL and rely on the admin to change it if they end up extending the schema. Fixed in attached patch.
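The GECOS fallback described in the reply above, written out as an added Python illustration. This is not SSSD's own code (SSSD implements the lookup in its C LDAP provider); the per-schema map, the dictionary layout of an LDAP entry and the function names are assumptions of this example. What it does show is the behaviour the thread describes: the 'gecos' attribute wins when it is non-empty, otherwise ldap_user_fullname is used, and for the AD schema that attribute is "name" rather than "cn".

```python
# Added illustration of SSSD's GECOS fallback as described on the list.
# Not SSSD's code; the map layout and function names are assumptions here.

# Per-schema defaults for ldap_user_gecos and ldap_user_fullname.
# RFC 2307 / 2307bis use "cn" for the full name; the AD schema uses "name".
SCHEMA_ATTRS = {
    "rfc2307": {"ldap_user_gecos": "gecos", "ldap_user_fullname": "cn"},
    "rfc2307bis": {"ldap_user_gecos": "gecos", "ldap_user_fullname": "cn"},
    "AD": {"ldap_user_gecos": "gecos", "ldap_user_fullname": "name"},
}


def _first_value(entry, attr):
    """Return the first non-empty string value of a (possibly multi-valued)
    LDAP attribute, or None when the attribute is absent or only empty."""
    if attr is None:
        return None
    values = entry.get(attr)
    if values is None:
        return None
    if isinstance(values, (str, bytes)):
        values = [values]
    for value in values:
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        if value.strip():
            return value
    return None


def resolve_gecos(entry, schema):
    """GECOS for the passwd entry: the gecos attribute if it is non-empty,
    otherwise the schema's full-name attribute, otherwise None."""
    attrs = SCHEMA_ATTRS[schema]
    gecos = _first_value(entry, attrs["ldap_user_gecos"])
    if gecos is not None:
        return gecos
    return _first_value(entry, attrs["ldap_user_fullname"])


# Constructed sample entries (attribute -> list of values), not real data.
AD_USER = {
    "sAMAccountName": ["jdoe"],
    "cn": ["Jane Doe"],
    "name": ["Jane Doe"],
    # no gecos attribute at all, as Jan observed on a stock AD instance
}
AD_USER_EMPTY_GECOS = {"cn": ["Jane Doe"], "name": ["Jane Doe"], "gecos": [""]}
RFC2307_USER = {"uid": ["jsmith"], "cn": ["John Smith"], "gecos": ["John Smith,Room 1"]}


if __name__ == "__main__":
    print(resolve_gecos(AD_USER, "AD"))
    print(resolve_gecos(AD_USER_EMPTY_GECOS, "AD"))
    print(resolve_gecos(RFC2307_USER, "rfc2307"))
```

The last two sample entries cover the two edge cases worth checking: an empty gecos value is treated the same as an absent one, and when cn and name differ the AD map picks name while the RFC 2307 map picks cn.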
Ack
Jan
On Wed, 2012-03-14 at 10:42 +0100, Jan Zelený wrote:
> Ack
Pushed to master.