[Freeipa-devel] [RFC] Extdom plugin enhancement: grouplist

Jakub Hrozek jhrozek at redhat.com
Tue Jun 17 12:50:16 UTC 2014


On Fri, Jun 06, 2014 at 07:24:14PM +0200, Sumit Bose wrote:
> Hi,
> 
> I've created a design page about enhancing the extdom plugin to send the
> list of groups of a user together with the POSIX data to IPA clients
> with SSSD at
> 
> http://www.freeipa.org/page/V4/Extdom_plugin_enhancement_grouplist
> 
> For your convenience the text can be found below as well.
> 
> Comments and suggestions are welcome.
> 
> bye,
> Sumit

I'm in favor of detecting the OID as well. If we can't detect the
presence of the OID (maybe because the admin messed up with permissions
to read the rootDSE), too bad, but you'd still get the full group
memberships on login through the PAC responder. The LDAP error codes
seem fragile and moreover we will run into the same issue later when/if
we decide to extend the plugin further.

As said earlier in a different thread, I don't think you need to worry
about the FQDN format. I haven't tested that myself today, but I think
we even disallow other formats in the server mode, because the slapi-nis
plugin for legacy clients looks for "@" unconditionally. We should only
warn and fail if the admin configured a custom FQDN in sssd.conf, I
think.



