[Freeipa-users] SSS problems with eDirectory

Stephen Gallagher sgallagh at redhat.com
Mon Jul 26 13:33:22 UTC 2010



On 07/23/2010 06:15 PM, Simo Sorce wrote:
> On Fri, 23 Jul 2010 17:17:11 -0400
> Scott Duckworth <sduckwo at clemson.edu> wrote:
> 
>> I've learned that this attribute does exist in our tree, but it's not
>> being populated when we add users to groups since our proxy user does
>> not have rights to write groupMembership to users.  I'm trying to
>> find out if we can get our hands on native eDirectory tools that keep
>> groupMembership of posixAccount and member of posixGroup in sync.
>>
>> Still, if groupOf/groupMembership is not required by rfc2307bis, it
>> would be nice if SSSD did not require it.
> 
> Yes, we should handle this gracefully, at least through an option.
> 
>> If a user has a groupOf/groupMembership attribute pointing to a group
>> outside of ldap_group_search_base, will this be handled gracefully?
> 
> Yes, the entry will simply be ignored if not resolvable.
> 
> Simo.
> 


I was discussing this with Dmitri this morning. I propose that we should
probably do the following:

After retrieving the user entry, verify whether the entry contains at
least one memberOf attribute. If it does, continue processing as we do
now (since it will be more efficient). If not, then we should slip into
compatibility mode where we will search all groups for member=<userdn>.

Does this seem sensible?

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
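The memberOf-first lookup with a member=<userdn> fallback proposed above, written out as an added illustration (not SSSD's own code) against a constructed in-memory directory; the DNs, the group search base and the simplified DN normalisation are all assumptions for the example, and groups that fall outside the search base are ignored, as Simo describes.

```python
"""Group-membership resolution: trust memberOf when present, else scan groups."""
from typing import Dict, List

# Constructed in-memory directory (hypothetical entries, not real data): DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"],
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com",
                     "cn=external,ou=other,dc=example,dc=com"],  # outside the base
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"],  # no memberOf: proxy user could not write it
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "member": ["UID=bob,OU=people,DC=example,DC=com"],  # DN case differs on purpose
    },
    "cn=external,ou=other,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

GROUP_SEARCH_BASE = "ou=groups,dc=example,dc=com"  # assumed ldap_group_search_base


def norm_dn(dn: str) -> str:
    # Simplified DN normalisation: lowercase and strip whitespace around RDNs.
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_base(dn: str, base: str) -> bool:
    return norm_dn(dn).endswith("," + norm_dn(base))


def resolve_groups(user_dn: str, base: str = GROUP_SEARCH_BASE) -> List[str]:
    """Return the normalised DNs of the user's groups under `base`."""
    member_of = DIRECTORY[user_dn].get("memberOf", [])
    if member_of:
        # Fast path: use memberOf; drop unresolvable entries and those outside the base.
        return sorted(norm_dn(g) for g in member_of if g in DIRECTORY and in_base(g, base))
    # Compatibility mode: search every group under the base for member=<userdn>.
    target = norm_dn(user_dn)
    return sorted(norm_dn(dn) for dn, attrs in DIRECTORY.items()
                  if in_base(dn, base) and "posixGroup" in attrs.get("objectClass", [])
                  and any(norm_dn(m) == target for m in attrs.get("member", [])))
```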



