ehlo,
The MSFT docs [1,2] for LDAP attributes say:
samAccountName is mandatory for 'user' and 'group' objectclasses via the 'Security-Principal' aux-class
name is part of the 'top' class and *not* mandatory for 'user' or 'group'.
Attached patch should fix #2593.
LS
[1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx
On Tue, Apr 07, 2015 at 09:53:22AM +0200, Lukas Slebodnik wrote:
From 2ea9f46ac7793c3a213237b2e60413acd0c5fe18 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik lslebodn@redhat.com
Date: Tue, 7 Apr 2015 09:47:17 +0200
Subject: [PATCH] ad_opts: Use different default attribute for group name
The MSFT docs [1,2] for LDAP attributes say:
samAccountName is mandatory for 'user' and 'group' objectclasses via the 'Security-Principal' aux-class
name is part of the 'top' class and *not* mandatory for 'user' or 'group'.
[1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx
Resolves: https://fedorahosted.org/sssd/ticket/2593
src/providers/ad/ad_opts.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index f4c1c523bdc57a824105dfd781eb90a88e068908..0b7255a828e95785d31437968a37bc20fbf62aef 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -220,7 +220,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = { struct sdap_attr_map ad_2008r2_group_map[] = { { "ldap_group_object_class", "group", SYSDB_GROUP_CLASS, NULL }, { "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL },
- { "ldap_group_name", "name", SYSDB_NAME, NULL },
- { "ldap_group_name", "sAMAccountName", SYSDB_NAME, NULL }, { "ldap_group_pwd", NULL, SYSDB_PWD, NULL }, { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
-- 2.3.4
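Review bot: the new default in the "ldap_group_name" row of ad_2008r2_group_map changes the name under which a group is resolved wherever 'name' and 'sAMAccountName' differ, yet the diffstat shows only src/providers/ad/ad_opts.h touched, so nothing tells administrators about it. Group names feed access and ownership decisions on the client, so after an upgrade a rule that refers to a group by its old name could silently stop matching. Suggest a documentation or release-note entry saying the previous behaviour can be kept by setting ldap_group_name = name, and a sentence in the commit message on whether group entries already in the cache keep the old name until they are refreshed.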
Thanks for the patch. Given the ticket was assigned to Sumit and IIRC he already did some research, I've assigned him as the reviewer in patchwork.
On (07/04/15 14:07), Jakub Hrozek wrote:
Thanks for the patch. Given the ticket was assigned to Sumit and IIRC he already did some research, I've assigned him as the reviewer in patchwork.
Yes, he should fix the issue, but I would like to do such a change in Fedora 22 in earlier versions and not wait for sssd-1.13.
LS
On Tue, Apr 07, 2015 at 02:24:38PM +0200, Lukas Slebodnik wrote:
On (07/04/15 14:07), Jakub Hrozek wrote:
Thanks for the patch. Given the ticket was assigned to Sumit and IIRC he already did some research, I've assigned him as the reviewer in patchwork.
I did some testing with the AD and IPA provider and didn't find any issues. In addition to the arguments above, this patch makes the group name consistent with the user name, where sAMAccountName is used as well. Although I guess it is not recommended, it is possible in AD to have different names for a user and a group. The one that corresponds to sAMAccountName is called 'pre-Windows 2000' name in the AD GUI and can be set independently from the object name. Since afaik most other products use sAMAccountName to derive the POSIX name as well, I think this is the right change. ACK.
CI: http://sssd-ci.duckdns.org/logs/job/13/22/summary.html
Yes, he should fix the issue, but I would like to do such a change in Fedora 22 in earlier versions and not wait for sssd-1.13.
I agree, since F22 is a new version of Fedora this change of defaults can be documented in the Fedora release note. For upstream it should be only included in 1.13/master. Since the patch is easy to backport other distributions are free to pick it and add it on their own schedule.
bye, Sumit
LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
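The review above notes that an AD group's object name and its sAMAccountName ('pre-Windows 2000' name) can be set independently. The following is an added example, not part of the thread or of SSSD: it reads an LDIF export of group objects and lists the groups whose resolved name would differ between the two attributes, then checks an access list against them. The sample LDIF, the group names and the `referenced` list are constructed for illustration.

```python
import base64

def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

# Constructed sample of an LDIF group export; names and DNs are invented.
SAMPLE_LDIF = f"""\
dn: CN=Linux Admins,OU=Groups,DC=example,DC=test
name: Linux Admins
sAMAccountName: linuxadmins

dn: CN=dbas,OU=Groups,DC=example,DC=test
name: dbas
sAMAccountName: dbas

dn:: {_b64('CN=Opérateurs,OU=Groups,DC=example,DC=test')}
name:: {_b64('Opérateurs')}
sAMAccountName: operateurs
"""

def parse_ldif(text):
    """One dict per entry; unfolds continuation lines and decodes 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: drop the leading space
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):     # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def renamed_groups(entries):
    """(old, new) pairs where 'name' and 'sAMAccountName' give different group names."""
    pairs = [(e.get("name", [None])[0], e.get("samaccountname", [None])[0]) for e in entries]
    return [(old, new) for old, new in pairs if old != new]

def stale_references(entries, referenced):
    """Names from an access list (hypothetical input) that resolve only under the old default."""
    changed = dict(renamed_groups(entries))
    return {g: changed[g] for g in referenced if g in changed}

if __name__ == "__main__":
    print(stale_references(parse_ldif(SAMPLE_LDIF), ["Linux Admins", "dbas"]))
```

The comparison is an exact string match, so groups that differ only in letter case are reported as well.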
On Fri, Apr 17, 2015 at 12:14:00PM +0200, Sumit Bose wrote:
I agree, since F22 is a new version of Fedora this change of defaults can be documented in the Fedora release note. For upstream it should be only included in 1.13/master. Since the patch is easy to backport other distributions are free to pick it and add it on their own schedule.
bye, Sumit
* master: adb148603344a42d6edffdda0786a10af715dacb