On 9/25/18 8:40 AM, Jakub Hrozek wrote:
> This is honestly something where I don’t know what is the right thing
> to do. If we detect that a group with some GID already exists, then
> how do we distinguish between “err, there are duplicates on the LDAP
> side” and “look, the group was renamed” without any persistent
> identifier like a SID?
I fully agree this is a can of worms.
Of course, if more people complain about group renames with a “plain
LDAP” server,
Some LDAP servers, e.g. OpenLDAP and IIRC OpenDJ, also implement
'entryUUID' [RFC 4530].
But still so many things can go wrong:
- entryUUID not visible for sssd
- Other client components using the same groups not prepared for all that
...
Ciao, Michael.
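The ambiguity Jakub describes, and the way a persistent identifier such as entryUUID resolves it, can be shown with a small reconciliation routine. This is an added example written for this page; it is not sssd code and does not reproduce sssd's cache logic. It assumes a local cache of groups (DN, cn, gidNumber, entryUUID) from an earlier lookup and a fresh result set from the directory, both constructed inline here; the `Group` class, the `reconcile` function and the sample DNs are illustrative names.

```python
"""Classify fresh LDAP group entries against a cached view.

Matching by entryUUID (RFC 4530) distinguishes a renamed group from two
distinct groups that happen to share a gidNumber.  When either side lacks
the UUID (the server does not implement it, or it was never requested),
the case is reported as ambiguous rather than guessed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Group:
    dn: str
    cn: str
    gid: int
    entry_uuid: Optional[str]  # None when the attribute was not returned


Pair = Tuple[Group, Group]


def reconcile(cached: List[Group], fresh: List[Group]):
    """Return (renamed, conflicts, ambiguous, new) for the fresh entries."""
    by_uuid: Dict[str, Group] = {g.entry_uuid: g for g in cached if g.entry_uuid}
    by_gid: Dict[int, List[Group]] = {}
    for g in cached:
        by_gid.setdefault(g.gid, []).append(g)

    renamed: List[Pair] = []    # same object, cn or gid changed
    conflicts: List[Pair] = []  # provably distinct objects sharing a gid
    ambiguous: List[Pair] = []  # gid reused, no UUID to decide rename vs duplicate
    new: List[Group] = []       # no cached counterpart at all
    seen_gids: Dict[int, Group] = {}

    for g in fresh:
        # A gid duplicated inside one result set is a conflict regardless of UUIDs.
        if g.gid in seen_gids:
            conflicts.append((seen_gids[g.gid], g))
            continue
        seen_gids[g.gid] = g

        # Persistent identifier available on both sides: trust it.
        if g.entry_uuid and g.entry_uuid in by_uuid:
            old = by_uuid[g.entry_uuid]
            if (old.cn, old.gid) != (g.cn, g.gid):
                renamed.append((old, g))
            continue

        same_gid = by_gid.get(g.gid, [])
        if any(o.cn == g.cn for o in same_gid):
            continue  # same cn and gid, nothing to compare: treat as unchanged
        if same_gid:
            old = same_gid[0]
            if g.entry_uuid and old.entry_uuid:
                conflicts.append((old, g))  # two different UUIDs, one gid
            else:
                ambiguous.append((old, g))  # cannot tell rename from duplicate
            continue
        new.append(g)

    return renamed, conflicts, ambiguous, new


# Constructed sample data (not taken from any real directory).
BASE = "ou=groups,dc=example,dc=com"
CACHED = [
    Group(f"cn=developers,{BASE}", "developers", 5000, "a1d3c6e0-0000-4000-8000-000000000001"),
    Group(f"cn=ops,{BASE}", "ops", 5001, "a1d3c6e0-0000-4000-8000-000000000002"),
    Group(f"cn=legacy,{BASE}", "legacy", 5002, None),  # entryUUID never fetched
]
FRESH = [
    Group(f"cn=engineering,{BASE}", "engineering", 5000, "a1d3c6e0-0000-4000-8000-000000000001"),
    Group(f"cn=ops,{BASE}", "ops", 5001, "a1d3c6e0-0000-4000-8000-000000000002"),
    Group(f"cn=sre,{BASE}", "sre", 5001, "a1d3c6e0-0000-4000-8000-000000000003"),
    Group(f"cn=platform,{BASE}", "platform", 5002, None),
    Group(f"cn=qa,{BASE}", "qa", 5003, "a1d3c6e0-0000-4000-8000-000000000004"),
]


def summary() -> Dict[str, List[str]]:
    """Human-readable classification of FRESH against CACHED."""
    renamed, conflicts, ambiguous, new = reconcile(CACHED, FRESH)
    return {
        "renamed": [f"{o.cn} -> {n.cn}" for o, n in renamed],
        "conflicts": [f"{o.cn} / {n.cn} (gid {n.gid})" for o, n in conflicts],
        "ambiguous": [f"{o.cn} ? {n.cn} (gid {n.gid})" for o, n in ambiguous],
        "new": [g.cn for g in new],
    }


if __name__ == "__main__":
    for kind, items in summary().items():
        print(f"{kind}: {items}")
```

One practical caveat the example encodes: entryUUID is an operational attribute, so a search that asks only for the default user attributes will not return it; the client has to request it by name (or with `+` in OpenLDAP's ldapsearch), and any cache populated before that change will have entries with no UUID to compare against, which is exactly the "legacy"/"platform" case above.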