[SSSD-users] synthesizing SID-mapped passwd/group entries from LDIF data

As a follow-up to the discussion below, I have written a utility that synthesizes passwd(5) or group(5) entries from LDIF data, mimicking the entries that sssd produces when sssd is configured to auto-map uid/gid values from the Windows objectSid. It’s available here: https://github.com/qralston/genent It works for us in our environment; hopefully others will find it useful as well. This is the initial release, so it may be buggy. Feedback, pull requests, issues, et. al. are all welcome; please consult the TODO.md file. On Fri, Oct 25, 2019 at 8:11 PM James Ralston <ralston(a)pobox.com&gt; wrote: > On Wed, Oct 16, 2019 at 6:17 PM Jeff Thornsen <jthornsen(a)gmail.com&gt; wrote: > > > The reason I ask is because I use a bunch of storage appliances > > that offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only > > support NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping, > > all of which require manual assignment of UID/GID numbers to > > objects in LDAP, which is untenable for large environments. > > Microsoft even removed Unix Attribute editor from their LDAP GUI > > for the RFC2307 attributes in Windows Server 2016 to push people > > away from using rfc2307. > > [We're] working on a utility that will read an LDIF dump, and at the > cost of a single getgrnam('domain users') call (to determine sssd's > offset), will output either a passwd(5) or group(5) file in the same > format that sssd would generate, at O(1) cost. Then we will serve > up these synthesized passwd/group files for our storage appliance's > consumption. It's Rube-Goldberg-esque, but it's the best we can do > until our storage appliance vendor finally implements uid/gid > auto-mapping from the objectSID.