On 9/25/18 8:40 AM, Jakub Hrozek wrote:
This is honestly something where I don’t know what is the right thing to do. If we detect that a group with some GID already exists, then how do we distinguish between “err, there are duplicates on the LDAP side” and “look, the group was renamed” without any persistent identifier like a SID?
I fully agree this is a can of worms.
Of course, if more people complain about group renames with a “plain LDAP” server,
Some LDAP servers, e.g. OpenLDAP and IIRC OpenDJ, also implement 'entryUUID' [RFC 4530].
But still so many things can go wrong:
- entryUUID not visible for sssd
- Other client components using the same groups not prepared for all that
...
Ciao, Michael.
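As an added example (not sssd code and not part of the thread), here is the reconciliation step the two messages are talking about, in Python: where the server returned entryUUID, a changed cn on the same entryUUID is a rename and two entries sharing one gidNumber are a duplicate; where entryUUID is missing, the client can only fall back to the cn/gidNumber pair and has to flag the case as ambiguous. The two directory snapshots are constructed inline, and the GroupEntry type and reconcile function are illustrative names. One practical caveat behind "entryUUID not visible": entryUUID is an operational attribute (RFC 4530), so a client only gets it back if it lists it explicitly in the requested attributes (or asks for '+'), and a server-side ACL can still withhold it.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class GroupEntry:
    """A posixGroup as returned to a client; illustrative type, not sssd's cache format."""
    dn: str
    cn: str
    gid: int
    entry_uuid: Optional[str]  # None when the server did not return entryUUID


def find_duplicate_gids(entries: List[GroupEntry]) -> Dict[int, List[str]]:
    """gidNumbers shared by more than one entry within one snapshot, with the cns using them."""
    by_gid: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        by_gid[e.gid].append(e.cn)
    return {gid: sorted(cns) for gid, cns in by_gid.items() if len(cns) > 1}


def reconcile(cached: List[GroupEntry], fresh: List[GroupEntry]) -> Dict[str, object]:
    """Classify each group in 'fresh' relative to a previously cached snapshot.

    With entryUUID on both sides a rename is 'same uuid, different cn' and a
    duplicate is 'same gid, different uuid'. Without entryUUID the two cases
    collapse into 'ambiguous'.
    """
    out = {
        "renamed": [],        # (old_cn, new_cn, gid)
        "unchanged": [],      # cn
        "new": [],            # cn
        "removed": [],        # cn
        "ambiguous": [],      # (cached_cn, fresh_cn, gid): rename or duplicate, cannot tell
        "duplicate_gid": find_duplicate_gids(fresh),
    }
    cached_by_uuid = {c.entry_uuid: c for c in cached if c.entry_uuid}
    cached_by_gid: Dict[int, List[GroupEntry]] = defaultdict(list)
    for c in cached:
        cached_by_gid[c.gid].append(c)
    seen = set()  # DNs of cached entries that some fresh entry accounted for

    for f in fresh:
        if f.entry_uuid:
            c = cached_by_uuid.get(f.entry_uuid)
            if c is None:
                out["new"].append(f.cn)  # never seen this entry, whatever its gid
            else:
                seen.add(c.dn)
                if c.cn != f.cn:
                    out["renamed"].append((c.cn, f.cn, f.gid))
                else:
                    out["unchanged"].append(f.cn)
            continue

        # No persistent identifier: fall back to the (gid, cn) pair.
        candidates = cached_by_gid.get(f.gid, [])
        exact = [c for c in candidates if c.cn == f.cn]
        if exact:
            seen.add(exact[0].dn)
            out["unchanged"].append(f.cn)
        elif candidates:
            for c in candidates:
                seen.add(c.dn)
                out["ambiguous"].append((c.cn, f.cn, f.gid))
        else:
            out["new"].append(f.cn)

    out["removed"] = [c.cn for c in cached if c.dn not in seen]
    return out


# Constructed sample snapshots (not taken from any real directory).
BASE = "ou=groups,dc=example,dc=com"
SAMPLE_CACHED = [
    GroupEntry(f"cn=devs,{BASE}", "devs", 10001, "e1d2c3b4-0001-4000-8000-000000000001"),
    GroupEntry(f"cn=ops,{BASE}", "ops", 10002, "e1d2c3b4-0002-4000-8000-000000000002"),
    GroupEntry(f"cn=qa,{BASE}", "qa", 10003, "e1d2c3b4-0003-4000-8000-000000000003"),
    GroupEntry(f"cn=tmp,{BASE}", "tmp", 10009, "e1d2c3b4-0009-4000-8000-000000000009"),
    GroupEntry(f"cn=legacy,{BASE}", "legacy", 10004, None),  # entryUUID never visible
]
SAMPLE_FRESH = [
    GroupEntry(f"cn=developers,{BASE}", "developers", 10001, "e1d2c3b4-0001-4000-8000-000000000001"),  # renamed
    GroupEntry(f"cn=ops,{BASE}", "ops", 10002, "e1d2c3b4-0002-4000-8000-000000000002"),
    GroupEntry(f"cn=qa,{BASE}", "qa", 10003, "e1d2c3b4-0003-4000-8000-000000000003"),
    GroupEntry(f"cn=qa-old,{BASE}", "qa-old", 10003, "e1d2c3b4-0005-4000-8000-000000000005"),  # duplicate gid
    GroupEntry(f"cn=legacy-renamed,{BASE}", "legacy-renamed", 10004, None),  # rename or duplicate? no way to tell
    GroupEntry(f"cn=sec,{BASE}", "sec", 10005, "e1d2c3b4-0006-4000-8000-000000000006"),  # new
]

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_CACHED, SAMPLE_FRESH).items():
        print(f"{key:14} {value}")
```

The point of the split is the last two classes: "legacy" and "legacy-renamed" share a gidNumber but neither side carries an entryUUID, so the client cannot say whether it is looking at a rename or at a second group that happens to reuse the GID, which is exactly the situation a SID or entryUUID resolves for the other entries.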