author Jakub Hrozek <> 2014-02-25 17:09:00 +0100
committer Jakub Hrozek <> 2014-02-26 18:35:59 +0100
commit 0aa145fd26584d129fb5a6974f58c232b87bb692 (patch)
parent 1e45bf20032b4d984e02487bb39cb61210063ea9 (diff)
MAN: Clarify that changing ID mapping options might require purging the cache

Currently SSSD chokes when IDs of users change; we don't support ID changes yet. Because some users were confused about the failures, this patch adds additional clarification.

Reviewed-by: Sumit Bose <>
Reviewed-by: Stephen Gallagher <>
(cherry picked from commit 3dfa09a826e5f63b4948462c2452937fc329834d)
1 files changed, 42 insertions, 0 deletions
diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml
index 71ff248f1..7f5dbd30b 100644
--- a/src/man/include/ldap_id_mapping.xml
+++ b/src/man/include/ldap_id_mapping.xml
@@ -12,6 +12,48 @@
need to use manually-assigned values, ALL values must be
+ <para>
+ Please note that changing the ID mapping related configuration
+ options will cause user and group IDs to change. At the moment,
+ SSSD does not support changing IDs, so the SSSD database must
+ be removed. Because cached passwords are also stored in the
+ database, removing the database should only be performed while
+ the authentication servers are reachable, otherwise users might
+ get locked out. In order to cache the password, an authentication
+ must be performed. It is not sufficient to use
+ <citerefentry>
+ <refentrytitle>sss_cache</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ to remove the database, rather the process
+ consists of:
+ <itemizedlist>
+ <listitem>
+ <para>
+ Making sure the remote servers are reachable
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Stopping the SSSD service
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Removing the database
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Starting the SSSD service
+ </para>
+ </listitem>
+ </itemizedlist>
+ Moreover, as the change of IDs might necessitate the adjustment
+ of other system properties such as file and directory ownership,
+ it's advisable to plan ahead and test the ID mapping configuration
+ thoroughly.
+ </para>
<refsect2 id='idmap_algorithm'>
<title>Mapping Algorithm</title>
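Review bot: The four steps under `<itemizedlist>` are an ordered procedure (the service must be stopped before the database is removed, and started only afterwards), so `<orderedlist>` would number them and make the sequence explicit. The "Removing the database" item also gives an administrator nothing to act on; name the directory or files that make up the SSSD database, or reference the man page that does. The sentence "It is not sufficient to use sss_cache(8) to remove the database" reads as though sss_cache removes the database incompletely; say instead what sss_cache does and why that is not enough once IDs have changed. The lockout warning would also be easier to follow if "In order to cache the password, an authentication must be performed" came directly after the step list, stating that each user has to authenticate once against a reachable server before offline logins work again.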