Hello! A question, is it possible now, or would there be value in
developing the ability, for the daemon to use the siDHistory attribute when
id-mapping is used for users and groups that are migrated to new domains?
If I assume correctly, normally there would not be a need for this because
in direct integration mode id-mapping is constrained by the domain, so the
object SID is the object SID. However, if you are migrating users to a new
domain(s) (as the result of organisational changes or upgrades for example)
it would be very useful if a specific value in the sIDHistory attribute
could be referenced for id-mapping so POSIX file systems or other data
relationships tied to UID/GID enumerations if they exist were not
negatively impacted.
And again, if I understand correctly indirect integration modes do not
solve this potential issue if the target users reside in domains trusted by
the IPA domain.
Suggestions or feedback if I misunderstand, and if I do understand
correctly is there a possibility of developing a solution for this use case?
Many thanks as always,
-- lawrence