On Fri, Jan 29, 2016 at 04:47:04PM +0100, Bolke de Bruin wrote:
> Hi,
> In my setup (hello Hadoop!) I have the requirement to simplify user names from a trusted domain (Ad -> FreeIPA -> sssd) so they don’t contain “@“. Furthermore, “id username” needs to return information.
> Thus bolke@ad.local needs to become bolke (or bolke_ad_local). And “id -Gn bolke” needs to return my group memberships.
If it is only about the '@' sign I would recommend to use the sssd options full_name_format and re_expression.
full_name_format defines how the name returned e.g. by getent passwd or id looks like. E.g. with
full_name_format = %1$s_%2$s
the name is returned as 'bolke_ad.local' or with
full_name_format = %1$s_%3$s
the name is returned as 'bolke_ad' if 'ad' is the NetBIOS domain name of your AD domain. Please note that you have to remove the SSSD cache with rm after a change of full_name_format.
re_expression tells SSSD how to parse the input and with
re_expression = (((?P<Name>[^@]+)_(?P<Domain>.+$))|((?P<Domain>[^\\]+)\\(?P<Name>.+$))|((?P<Name>[^@]+)@(?P<Domain>.+$))|(^(?P<Name>[^@\\]+)$))
SSSD should be able to understand 'bolke_ad.local' or 'bolke_ad' as input as well.
You can find more details about the options in the sssd.conf man page.
HTH
bye, Sumit
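The re_expression and full_name_format from the reply above, worked through in Python as an added example (not code from the thread or from SSSD itself): the regex is the one quoted in the reply with the backslashes doubled as sssd.conf expects, each group is numbered before compiling because Python's re module rejects the duplicate group names that SSSD's PCRE accepts, and 'ad' as the NetBIOS name of ad.local is an assumed value.

```python
import itertools
import re

# re_expression from the reply, with backslashes doubled as sssd.conf expects
# (a single backslash would leave the [^\] character class unterminated)
RE_EXPRESSION = (
    r"(((?P<Name>[^@]+)_(?P<Domain>.+$))"
    r"|((?P<Domain>[^\\]+)\\(?P<Name>.+$))"
    r"|((?P<Name>[^@]+)@(?P<Domain>.+$))"
    r"|(^(?P<Name>[^@\\]+)$))"
)

def compile_re_expression(expr):
    """SSSD's PCRE allows the same group name in several alternatives; Python's re
    does not, so each Name/Domain group gets a running index before compiling."""
    counter = itertools.count()
    renamed = re.sub(r"\(\?P<(Name|Domain)>",
                     lambda m: f"(?P<{m.group(1)}{next(counter)}>", expr)
    return re.compile(renamed)

PATTERN = compile_re_expression(RE_EXPRESSION)

def parse_name(user_input):
    """Split an input into (name, domain) as the re_expression would; domain is None
    for a bare name and the whole result is None when nothing matches."""
    m = PATTERN.match(user_input)
    if m is None:
        return None
    parts = {}
    for group, value in m.groupdict().items():
        if value is not None:  # only the groups of the matching alternative are set
            parts[group.rstrip("0123456789")] = value
    return parts.get("Name"), parts.get("Domain")

def format_name(name, domain, flat_domain, full_name_format):
    """Render the name as full_name_format would: %1$s user, %2$s domain,
    %3$s flat (NetBIOS) domain name, per the sssd.conf man page."""
    out = full_name_format
    for spec, value in (("%1$s", name), ("%2$s", domain), ("%3$s", flat_domain)):
        out = out.replace(spec, value or "")
    return out

if __name__ == "__main__":
    # 'ad' as the NetBIOS name of ad.local is an assumed value; inputs are constructed
    for raw in ("bolke_ad.local", "bolke_ad", "bolke@ad.local", "AD\\bolke", "bolke", "john_doe@ad.local"):
        print(f"{raw!r:22} -> {parse_name(raw)}")
    print(format_name("bolke", "ad.local", "ad", "%1$s_%2$s"))  # bolke_ad.local
    print(format_name("bolke", "ad.local", "ad", "%1$s_%3$s"))  # bolke_ad
```

The last constructed input shows a caveat of this re_expression: the first alternative treats any underscore as the name/domain separator, so a username containing an underscore such as john_doe@ad.local is parsed as name 'john' in domain 'doe@ad.local' rather than as 'john_doe' in 'ad.local'.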
> I tried setting
> auth_to_local = { RULE:[1:$1@$0](^.*@AD.LOCAL$)s/@AD.LOCAL// DEFAULT }
> in /etc/krb5.conf, but that does not seem to work. How do I go about this?
> Thanks! Bolke
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org