On Fri, Jan 29, 2016 at 04:47:04PM +0100, Bolke de Bruin wrote:
> Hi,
>
> In my setup (hello Hadoop!) I have the requirement to simplify user names from a trusted
> domain (AD -> FreeIPA -> sssd)
> so they don’t contain “@”. Furthermore, “id username” needs to return information.
> Thus bolke@ad.local needs to become bolke (or
> bolke_ad_local). And “id -Gn bolke” needs
> to return my group memberships.

If it is only about the '@' sign I would recommend to use the sssd
options full_name_format and re_expression.
full_name_format defines what the name returned e.g. by getent passwd or id
looks like. E.g. with

    full_name_format = %1$s_%2$s

the name is returned as 'bolke_ad.local' or with

    full_name_format = %1$s_%3$s

the name is returned as 'bolke_ad' if 'ad' is the NetBIOS domain name of
your AD domain. Please note that you have to remove the SSSD cache with
rm after a change of full_name_format.
re_expression tells SSSD how to parse the input and with

    re_expression = (((?P<Name>[^@]+)_(?P<Domain>.+$))|((?P<Domain>[^\\]+)\\(?P<Name>.+$))|((?P<Name>[^@]+)@(?P<Domain>.+$))|(^(?P<Name>[^@\\]+)$))

SSSD should be able to understand 'bolke_ad.local' or 'bolke_ad' as
input as well.
You can find more details about the options in the sssd.conf man page.
HTH
bye,
Sumit

> I tried setting
>
> auth_to_local = {
> RULE:[1:$1@$0](^.*@AD.LOCAL$)s/@AD.LOCAL//
> DEFAULT
> }
>
> in /etc/krb5.conf, but that does not seem to work. How do I go about this?
>
> Thanks!
> Bolke
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
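
An added example, not part of the original thread and not SSSD's own code: a Python sketch that runs the re_expression from the reply against constructed logins and expands the two full_name_format values. It assumes SSSD's regex engine takes the leftmost matching alternative, as Python's `re` does; `parse` and `format_name` are hypothetical helper names, and the group names are numbered only because Python's `re` rejects repeated names.

```python
import re
from itertools import count

# re_expression from the reply above, group names kept as written there.
# The last branch matches a bare name containing neither '@' nor a backslash.
RE_EXPRESSION = (
    r"(((?P<Name>[^@]+)_(?P<Domain>.+$))"
    r"|((?P<Domain>[^\\]+)\\(?P<Name>.+$))"
    r"|((?P<Name>[^@]+)@(?P<Domain>.+$))"
    r"|(^(?P<Name>[^@\\]+)$))"
)

def _compile(expr):
    # Python's re rejects repeated group names, so number them: Name0, Domain1, ...
    n = count()
    return re.compile(re.sub(r"\(\?P<(\w+)>",
                             lambda m: f"(?P<{m.group(1)}{next(n)}>", expr))

PATTERN = _compile(RE_EXPRESSION)

def parse(login):
    """Return (name, domain) as the expression splits the input; domain may be None."""
    m = PATTERN.search(login)
    if m is None:
        return None
    got = {k.rstrip("0123456789"): v
           for k, v in m.groupdict().items() if v is not None}
    return got["Name"], got.get("Domain")

def format_name(fmt, name, domain, flat_name):
    """Expand %1$s (name), %2$s (domain) and %3$s (NetBIOS name) in full_name_format."""
    args = (name, domain, flat_name)
    return re.sub(r"%([1-3])\$s", lambda m: args[int(m.group(1)) - 1], fmt)

if __name__ == "__main__":
    # Constructed sample values: user 'bolke', domain 'ad.local', NetBIOS name 'ad'.
    for fmt in ("%1$s_%2$s", "%1$s_%3$s"):
        out = format_name(fmt, "bolke", "ad.local", "ad")
        print(f"{fmt!r:14} -> {out!r:18} parses back as {parse(out)}")
    # Constructed logins, including short names that already contain '_'.
    for login in ("AD\\bolke", "bolke@ad.local", "bolke",
                  "svc_hadoop", "svc_hadoop@ad.local"):
        print(f"{login!r:24} -> {parse(login)}")
```

The last two inputs show that this expression splits a short name that already contains an underscore at that underscore, so existing account names are worth checking before `_` is adopted as the separator.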