I believe I understand the use of the "ldap_idmap_default_domain_sid" directive. Most simply the MURMUR algorithm will be disabled and the domain configuration designated as the "default" domain will be assigned to slice [0]. My observation is that the UID-GID for an object becomes (ldap_idmap_range_min + <object_RID>) in this configuration.
The man pages are less clear on why and how specifying which domain is the default in a multi-domain configuration matters. My assumption is that the sole purpose of the "[domain/default]" and "ldap_idmap_default_domain" options is to do just that.
"[domain/default]"
- Is the intended use for this domain stanza header?
- Is it still a valid configuration choice?
"ldap_idmap_default_domain"
- Is the intended use for this configuration directive?
- If it is specified in one domain stanza in a multi-domain configuration will the configuration be honored across other configured domains?
Many thanks as always,
-- lawrence
On Tue, Sep 04, 2018 at 06:49:15AM -0400, Lawrence Kearney wrote:
> I believe I understand the use of the "ldap_idmap_default_domain_sid" directive. Most simply the MURMUR algorithm will be disabled and the domain configuration designated as the "default" domain will be assigned to slice [0]. My observation is that the UID-GID for an object becomes (ldap_idmap_range_min + <object_RID>) in this configuration.
> The man pages are less clear on why and how specifying which domain is the default in a multi-domain configuration matters. My assumption is that the sole purpose of the "[domain/default]" and "ldap_idmap_default_domain" options is to do just that.
> "[domain/default]"
> - Is the intended use for this domain stanza header?
> - Is it still a valid configuration choice?
It is a valid configuration but there is no special handling. 'default' is just treated as a name for the domain the same as 'abc' or any other name.
> "ldap_idmap_default_domain"
> - Is the intended use for this configuration directive?
> - If it is specified in one domain stanza in a multi-domain configuration will the configuration be honored across other configured domains?
Each configured domain in sssd.conf like e.g. [domain/abc] and [domain/def] is independent of the other, so ldap_idmap_default_domain is only for the individual section.
The phrase 'default domain' in the man page entries refers to the current configured domain in contrast to the discovered sub-domains.
The 'ldap_idmap_default_domain' must only be set if the domain name you choose in sssd.conf differs from the actual domain name. E.g.
    ...
    [domain/home]
    ...
    ldap_idmap_default_domain = my.ad.domain
    ...
HTH
bye, Sumit
> Many thanks as always,
> -- lawrence
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
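The per-section behaviour described in the reply above, as an added example that is not part of the original thread and is not SSSD code: it reads a constructed sssd.conf, resolves the idmap options for each [domain/...] section on its own, and applies the (ldap_idmap_range_min + RID) mapping from the question to the section's default domain SID. The SID, the section contents and the helper names are assumptions made for illustration; the 200000 defaults are the ones documented in sssd-ldap(5).

```python
import configparser

# Constructed sample sssd.conf: two independent domain sections.
SAMPLE_CONF = """
[sssd]
domains = home, work

[domain/home]
id_provider = ldap
ldap_id_mapping = True
ldap_idmap_default_domain = my.ad.domain
ldap_idmap_default_domain_sid = S-1-5-21-1111111111-2222222222-3333333333

[domain/work]
id_provider = ldap
ldap_id_mapping = True
"""

DEFAULT_RANGE_MIN = 200000   # sssd-ldap(5) default for ldap_idmap_range_min
DEFAULT_RANGE_SIZE = 200000  # sssd-ldap(5) default for ldap_idmap_range_size

def idmap_settings(conf_text):
    """Return idmap settings per section; nothing is inherited between sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    out = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        s = cp[section]
        out[name] = {
            # Per the reply: only needed when the section name is not the real domain name.
            "default_domain": s.get("ldap_idmap_default_domain", fallback=name),
            "default_sid": s.get("ldap_idmap_default_domain_sid", fallback=None),
            "range_min": s.getint("ldap_idmap_range_min", fallback=DEFAULT_RANGE_MIN),
            "range_size": s.getint("ldap_idmap_range_size", fallback=DEFAULT_RANGE_SIZE),
        }
    return out

def slice0_id(settings, object_sid):
    """Map a SID to range_min + RID when it belongs to the section's default SID."""
    dom_sid, _, rid = object_sid.rpartition("-")
    if settings["default_sid"] != dom_sid or not rid.isdigit():
        return None  # slice would be picked by hashing the SID; not modelled here
    if int(rid) >= settings["range_size"]:
        return None  # RID does not fit in slice 0
    return settings["range_min"] + int(rid)
```

Running both functions against the configuration deployed on each host is a quick way to confirm that every client resolves the same object to the same UID/GID.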
... that helps, thanking you!
-- lawrence
On Wed, Sep 5, 2018 at 12:18 PM Sumit Bose sbose@redhat.com wrote: