slapi-nis.git/doc/ipa, branch lazy_client SLAPI-NIS schema-compat: use libnss_sss.so.2 explicitly to resolve trusted domain users via NSS 2015-03-26T08:46:29+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-11-12T11:23:17+00:00 3368b2c04c870ffa5bfb831980d28bfa50534e0b When Schema Compatibility plugin is configured to enumerate users and groups from Active Directory domains trusted by FreeIPA, use nss_sss module directly instead of following nsswitch.conf configuration. The issue with nsswitch.conf configuration is in the fact that for each request all modules in NSS chain are processed while only one of them is responsible for users from trusted Active Directory domains, namely, nss_sss. 
When Schema Compatibility plugin is configured to enumerate users and groups
from Active Directory domains trusted by FreeIPA, use nss_sss module directly
instead of following nsswitch.conf configuration.

The issue with nsswitch.conf configuration is in the fact that for each request
all modules in NSS chain are processed while only one of them is responsible
for users from trusted Active Directory domains, namely, nss_sss.
Add support for FreeIPA ID views 2014-10-10T08:58:23+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-07-29T09:04:34+00:00 08b596b5040af4df34bc2d8dfab8283d5938c448 FreeIPA ID views allow to override POSIX attributes for certain users and groups. A support is added to allow using specific ID view when serving compatibility tree. Each user or group entry which has an override in the view is amended with the overridden values from the view before served out to the LDAP client. A view to use is specified as a part of base DN: cn=<view>,cn=views,cn=compat,$SUFFIX where cn=compat,$SUFFIX is the original compatibility tree base DN. Each entry, when served through the view, gets new DN rewritten to specify the view. Additionally, if override in the view changes uid (for users) or cn (for groups) attribute, the entry's RDN is changed accordingly. For groups memberUid attribute is modified as well in case there is an override in the view that changes uid value of that member. FreeIPA ID views support overrides for users of trusted Active Directory domains. In case of a trusted AD domain's user or group is returned via compatibility tree, view overrides are applied in two stages: 1. SSSD applies default view for AD users 2. slapi-nis applies explicitly specified (host-specific) view on top of the entry returned by SSSD Thus, slapi-nis does not need to apply default view for AD users and if there are no host-specific views in use, there is no need to specify a view in the base DN, making overhead of a default view for AD users lower. 
FreeIPA ID views allow to override POSIX attributes for certain
users and groups.

A support is added to allow using specific ID view when serving
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before served out to the LDAP client.

A view to use is specified as a part of base DN:

	cn=<view>,cn=views,cn=compat,$SUFFIX

where cn=compat,$SUFFIX is the original compatibility tree base DN.

Each entry, when served through the view, gets new DN rewritten to
specify the view. Additionally, if override in the view changes
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.

For groups memberUid attribute is modified as well in case there is an override
in the view that changes uid value of that member.

FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case of a trusted AD domain's user or group is returned via compatibility tree,
view overrides are applied in two stages:
  1. SSSD applies default view for AD users
  2. slapi-nis applies explicitly specified (host-specific) view
     on top of the entry returned by SSSD

Thus, slapi-nis does not need to apply default view for AD users and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making overhead of a default view for AD users lower.
sch-ipa.txt: add documentation about trusted domains support for FreeIPA 2013-08-07T15:35:00+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-07-31T12:39:55+00:00 9847b5892ae96d0269210d96dd6eccac9eec1007 






- move some documentation files around
2009-06-17T20:40:49+00:00

Nalin Dahyabhai
nalin.dahyabhai@pobox.com

2009-06-17T20:40:49+00:00

5245e4a23bb8fbd03d7f4c7fda9142accce244ca