As a follow-up to the discussion below, I have written a utility that
synthesizes passwd(5) or group(5) entries from LDIF data, mimicking
the entries that sssd produces when sssd is configured to auto-map
uid/gid values from the Windows objectSid.  It’s available here:

    https://github.com/qralston/genent

It works for us in our environment; hopefully others will find it
useful as well.

This is the initial release, so it may be buggy.  Feedback, pull
requests, issues, et al. are all welcome; please consult the TODO.md
file.

On Fri, Oct 25, 2019 at 8:11 PM James Ralston <rals...@pobox.com> wrote:

> On Wed, Oct 16, 2019 at 6:17 PM Jeff Thornsen <jthorn...@gmail.com> wrote:
>
> > The reason I ask is because I use a bunch of storage appliances
> > that offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only
> > support NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping,
> > all of which require manual assignment of UID/GID numbers to
> > objects in LDAP, which is untenable for large environments.
> > Microsoft even removed Unix Attribute editor from their LDAP GUI
> > for the RFC2307 attributes in Windows Server 2016 to push people
> > away from using rfc2307.
>
> [We're] working on a utility that will read an LDIF dump, and at the
> cost of a single getgrnam('domain users') call (to determine sssd's
> offset), will output either a passwd(5) or group(5) file in the same
> format that sssd would generate, at O(1) cost.  Then we will serve
> up these synthesized passwd/group files for our storage appliance's
> consumption.  It's Rube-Goldberg-esque, but it's the best we can do
> until our storage appliance vendor finally implements uid/gid
> auto-mapping from the objectSID.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
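The mapping described in the quoted message, as an added example (not code from genent or sssd): it decodes each objectSid in an LDIF dump, takes the RID, and adds an offset assumed to be the gid sssd reports for 'domain users' minus that group's well-known RID, 513. The function names, the lowercased login name, the `*` password field, the home directory and the shell are assumptions, and the sample record is constructed.

```python
import base64
import struct

DOMAIN_USERS_RID = 513  # well-known RID of the AD "Domain Users" group

def parse_sid(raw):  # binary objectSid -> (domain SID string, RID)
    if len(raw) < 12 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])  # little-endian sub-authorities
    domain = "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs[:-1]])
    return domain, subs[-1]

def ldif_records(text):  # one dict of bytes values per record; no line folding
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and value.startswith(":"):  # "attr:: value" marks base64 data
                rec[attr] = base64.b64decode(value[1:].strip())
            elif sep:
                rec[attr] = value.strip().encode()
        yield rec

def passwd_lines(ldif, domain_sid, domain_users_gid, home="/home/%s", shell="/bin/bash"):
    offset = domain_users_gid - DOMAIN_USERS_RID  # assumed meaning of "sssd's offset"
    lines = []
    for rec in ldif_records(ldif):
        if not {"objectSid", "sAMAccountName", "primaryGroupID"}.issubset(rec):
            continue
        domain, rid = parse_sid(rec["objectSid"])
        if domain != domain_sid:
            continue  # the offset only applies to SIDs of this one domain
        name = rec["sAMAccountName"].decode().lower()
        gecos = rec.get("displayName", b"").decode()
        if any(c in field for field in (name, gecos) for c in ":\n\r"):
            continue  # ':' or a newline would inject extra passwd fields or entries
        gid = offset + int(rec["primaryGroupID"])  # primaryGroupID holds a RID
        lines.append("%s:*:%d:%d:%s:%s:%s" % (name, offset + rid, gid, gecos, home % name, shell))
    return lines

def make_sid(*subs):  # builds a constructed binary SID for the sample below
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

SAMPLE_LDIF = """dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: Alice
displayName: Alice Example
primaryGroupID: 513
objectSid:: %s
""" % base64.b64encode(make_sid(21, 1111111111, 2222222222, 3333333333, 1104)).decode()
```

Because the output feeds an appliance's identity map, records from other domains and values containing `:` or a newline are skipped rather than written out.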