On Fri, Nov 20, 2015 at 03:41:12PM +0000, Matthew Nicholson wrote:
So, I've got an....interesting problem...
At a new gig, who has been using a product Centrify to do unix auth for
systems for a while now (years and years). Now that the team is more built
up, we want to move away from this as a number of us have done sssd +
ldap+kerberos with AD a few times.
However, centrify has done some odd things with user and group objects. The
biggest issue of which is that 1). they are not normal
person/user/group/posixgroup objects...2). they keep the most important
attributes (uid, homedir, shell, etc.) all stuffed into ONE attribute,
"keywords".
So, a ldap query of a user object ends up being this:
<snip>
objectClass: top
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: mn174
<snip>
name: mn174
objectGUID:: Kq81FaqN50eFDZK9+57CZQ==
keywords: shell:/bin/zsh
keywords: gecos:Matthew Nicholson
keywords: altGuid:
keywords: uid:133859
keywords: unix_enabled:TRUE
keywords: parentLink:S-1-5-21-1935655697-484061587-839522115-314656
keywords: home:/home/mn174
keywords: gid:2133859
</snip>
So, right now while I COULD get sssd to find the object, I can't get it to
pull out the important attributes like uid etc.
Is there any way to tell sssd to do attribute sub-queries? basically "the
uid is in keyword attribute, sub attribute uid" ?
Since the uid is not directly addressable by LDAP queries I can think of
no way to make it work with SSSD. Additionally even if it would work you
would be required to continue running Centrify to get those values
created for new users.
I would suggest using the override feature of SSSD that is available
as local overrides and as centrally managed overrides with IPA. With
this you can switch off Centrify after the overrides are created. New
users and groups are then handled by SSSD directly and get their POSIX
attributes depending on the SSSD configuration.
bye,
Sumit
I'm less than pleased this product did such things. Thankfully it does have
a NIS server so worst case I'm going to dump all the users/groups and
import into AD proper (which DOES have the same account/group info, just
not with all the attributes at the moment).
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
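The override route Sumit describes still needs the POSIX values pulled out of the Centrify "keywords" attribute once, so they can be fed to sss_override (or to an IPA ID view, or to AD's own uidNumber/gidNumber/unixHomeDirectory/loginShell attributes). The following script is an added example, not code from the thread or from the SSSD project: it parses an LDIF export in the layout shown in the original post, extracts the uid/gid/home/shell/gecos sub-attributes, skips objects that are not unix_enabled or lack a required value, and emits one `sss_override user-add` command per user. The DN and OU in the sample are constructed; the flag names follow the sss_override(8) man page.

```python
"""Turn Centrify-style 'keywords:' LDIF entries into SSSD local override commands.

Added example for the sssd-users thread above; not part of SSSD itself.
Assumes the 'keywords: key:value' layout shown in the original post.
"""
import shlex

# Constructed sample: the user entry from the post plus a constructed DN.
SAMPLE_LDIF = """\
dn: CN=mn174,OU=constructed,DC=example,DC=com
objectClass: top
objectClass: serviceConnectionPoint
cn: mn174
name: mn174
objectGUID:: Kq81FaqN50eFDZK9+57CZQ==
keywords: shell:/bin/zsh
keywords: gecos:Matthew Nicholson
keywords: altGuid:
keywords: uid:133859
keywords: unix_enabled:TRUE
keywords: parentLink:S-1-5-21-1935655697-484061587-839522115-314656
keywords: home:/home/mn174
keywords: gid:2133859
"""

# Sub-attributes an override cannot be built without.
REQUIRED = ("uid", "gid", "home", "shell")


def parse_entries(ldif_text):
    """Split LDIF text into one dict (attribute -> list of values) per entry.

    Handles LDIF line folding (continuation lines start with a space) and
    marks base64 values ('attr:: value') by appending '::' to the attribute.
    """
    entries, current, last_attr = [], {}, None
    for line in ldif_text.splitlines():
        if not line:
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:
            current[last_attr][-1] += line[1:]  # folded continuation
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            attr, value = attr + "::", value[1:]
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def posix_from_keywords(entry):
    """Extract POSIX fields from the multi-valued 'keywords' attribute.

    Returns None when the object is not unix-enabled, lacks a required
    field, or carries a non-numeric uid/gid, so a malformed Centrify
    object is skipped rather than turned into a bogus override.
    """
    sub = {}
    for kw in entry.get("keywords", []):
        key, _, val = kw.partition(":")
        sub[key] = val
    if sub.get("unix_enabled", "").upper() != "TRUE":
        return None
    if any(not sub.get(k) for k in REQUIRED):
        return None
    try:
        uid, gid = int(sub["uid"]), int(sub["gid"])
    except ValueError:
        return None
    return {
        "name": entry["cn"][0],
        "uid": uid,
        "gid": gid,
        "home": sub["home"],
        "shell": sub["shell"],
        "gecos": sub.get("gecos", ""),
    }


def override_command(user):
    """Build the sss_override user-add invocation for one parsed user."""
    args = ["sss_override", "user-add", user["name"],
            "-u", str(user["uid"]), "-g", str(user["gid"]),
            "-h", user["home"], "-s", user["shell"]]
    if user["gecos"]:
        args += ["-c", user["gecos"]]
    return shlex.join(args)  # shell-quotes values such as the gecos field


def build_overrides(ldif_text):
    """Return one sss_override command string per importable user entry."""
    return [override_command(u)
            for e in parse_entries(ldif_text)
            if (u := posix_from_keywords(e))]


if __name__ == "__main__":
    for cmd in build_overrides(SAMPLE_LDIF):
        print(cmd)
```

A local override only attaches to an object SSSD can already resolve, so the target domain must be enumerable by name first; after running the generated commands, SSSD has to be restarted for the overrides to take effect, and the same parsed fields can be written back to AD's RFC 2307 attributes instead if the goal is to retire the override layer as well as Centrify.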