You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, much of the SSSD LDB cache is keyed on the name of the user, group, etc.
However, names are potentially changeable, whereas in realistic environments the ID never will be.
The benefit to switching would be to simplify the renaming code that we have throughout the SSSD as well as potentially simplifying the AD provider's SID->POSIX ID mapping (for those environments using assigned POSIX IDs instead of the automatic ID-mapping)
Obviously, upgrading to this new organization would need to be carefully thought-out.
FWIW I do not think we really need to change the database layout (modify the RDN).
We care about anchoring an object to a uuid really only when modifications are made to the database (relatively rare).
What matters is how we match a local database user to its counterpart in the remote server, that can be done by a different attribute in the object, doesn't have to be cached object RDN.
After an IRC discussion with Simo and Stephen we decided not to fix this ticket.We would rather store a RID (and filter by subdomain to avoid matching a user with the same RID coming from two domains).
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1567
Currently, much of the SSSD LDB cache is keyed on the name of the user, group, etc.
However, names are potentially changeable, whereas in realistic environments the ID never will be.
The benefit to switching would be to simplify the renaming code that we have throughout the SSSD as well as potentially simplifying the AD provider's SID->POSIX ID mapping (for those environments using assigned POSIX IDs instead of the automatic ID-mapping)
Obviously, upgrading to this new organization would need to be carefully thought-out.
Comments
Comment from simo at 2012-10-05 20:07:25
FWIW I do not think we really need to change the database layout (modify the RDN).
We care about anchoring an object to a uuid really only when modifications are made to the database (relatively rare).
What matters is how we match a local database user to its counterpart in the remote server, that can be done by a different attribute in the object, doesn't have to be cached object RDN.
Comment from jhrozek at 2012-10-25 12:48:06
After an IRC discussion with Simo and Stephen we decided not to fix this ticket.We would rather store a RID (and filter by subdomain to avoid matching a user with the same RID coming from two domains).
design: =>
design_review: => 0
fedora_test_page: =>
resolution: => wontfix
status: new => closed
Comment from sgallagh at 2017-02-24 14:54:32
Metadata Update from @sgallagh:
The text was updated successfully, but these errors were encountered: