As a follow-up to the discussion below, I have written a utility that
synthesizes passwd(5) or group(5) entries from LDIF data, mimicking
the entries that sssd produces when sssd is configured to auto-map
uid/gid values from the Windows objectSid. It’s available here:
https://github.com/qralston/genent
It works for us in our environment; hopefully others will find it
useful as well.
This is the initial release, so it may be buggy. Feedback, pull
requests, issues, et al. are all welcome; please consult the TODO.md
file.
On Fri, Oct 25, 2019 at 8:11 PM James Ralston <ralston(a)pobox.com> wrote:
> On Wed, Oct 16, 2019 at 6:17 PM Jeff Thornsen <jthornsen(a)gmail.com> wrote:
>
> > The reason I ask is because I use a bunch of storage appliances
> > that offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only
> > support NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping,
> > all of which require manual assignment of UID/GID numbers to
> > objects in LDAP, which is untenable for large environments.
> > Microsoft even removed Unix Attribute editor from their LDAP GUI
> > for the RFC2307 attributes in Windows Server 2016 to push people
> > away from using rfc2307.
>
> [We're] working on a utility that will read an LDIF dump, and at the
> cost of a single getgrnam('domain users') call (to determine sssd's
> offset), will output either a passwd(5) or group(5) file in the same
> format that sssd would generate, at O(1) cost. Then we will serve
> up these synthesized passwd/group files for our storage appliance's
> consumption. It's Rube-Goldberg-esque, but it's the best we can do
> until our storage appliance vendor finally implements uid/gid
> auto-mapping from the objectSID.