author | Sumit Bose <sbose@redhat.com> | 2014-06-24 18:30:01 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-01 13:56:57 +0200 |
commit | 899d1bdc048cd74518170d7d9535d76d3f46d4af (patch) | |
tree | 289feefa466ed4d844afacdc94b9446aba480cad /contrib | |
parent | 7d2437adc312d3322d36043ff458fafdb4b7f2cf (diff) | |
PAM, NSS: allow UPN login names

With this patch the NSS and PAM responders can handle user principal
names besides the fully qualified user names.

User principal names are built from a user name and a domain suffix
separated by an '@' sign. But the domain suffix does not necessarily have
to be the same as the configured domain name in sssd.conf or the
dynamically discovered DNS domain name of a domain. The typical use case
is an Active Directory forest with lots of different domains. To not
force the users to remember the name of the individual domain they
belong to, the AD administrator can set a common domain suffix for all
users from all domains in the forest. This is typically the domain name
used for emails to make it even easier for the users to remember it.

Since SSSD splits name and domain part at the '@' sign and the common
domain suffix might not be resolvable by DNS or the given user is not a
member of that domain (e.g. in the case where the forest root is used as
common domain suffix) SSSD might fail to look up the user.

With this patch the NSS and PAM responder will do an extra lookup for a
UPN if the domain part of the given name is not known or the user was
not found and the login name contained the '@' sign.

Resolves https://fedorahosted.org/sssd/ticket/1749
Diffstat (limited to 'contrib')
0 files changed, 0 insertions, 0 deletions
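
The lookup order the commit message describes, as an added C sketch that is not SSSD's code: a fully qualified match in a known domain wins, and the UPN lookup runs only when the domain part is unknown or the user was not found there. The domain names, users, exact-match comparison, the split at the first '@' and all function names are constructed assumptions.

```c
#include <string.h>

/* Constructed sample data: two configured domains; alice and bob carry a
 * common UPN suffix (example.com) that is not a configured domain. */
struct user { const char *name, *domain, *upn; };
static const char *const domains[] = { "emea.corp.test", "apac.corp.test" };
static const struct user users[] = {
    { "alice", "emea.corp.test", "alice@example.com" },
    { "bob",   "apac.corp.test", "bob@example.com" },
    { "carol", "emea.corp.test", "carol@apac.corp.test" },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

static int domain_known(const char *d) {
    for (size_t i = 0; i < N(domains); i++)
        if (strcmp(domains[i], d) == 0) return 1;
    return 0;
}

/* Match on user name; d == NULL means "any configured domain". */
static const struct user *by_name(const char *n, size_t nlen, const char *d) {
    for (size_t i = 0; i < N(users); i++)
        if (strlen(users[i].name) == nlen && !strncmp(users[i].name, n, nlen)
            && (d == NULL || !strcmp(users[i].domain, d))) return &users[i];
    return NULL;
}

static const struct user *by_upn(const char *upn) {
    for (size_t i = 0; i < N(users); i++)
        if (strcmp(users[i].upn, upn) == 0) return &users[i];
    return NULL;
}

/* Hypothetical resolver: returns the matched user or NULL; *via_upn is set
 * to 1 only when the extra UPN lookup produced the match. */
const struct user *resolve_login(const char *login, int *via_upn) {
    const char *at = strchr(login, '@');
    *via_upn = 0;
    if (at == NULL)                 /* no '@': never triggers a UPN lookup */
        return by_name(login, strlen(login), NULL);
    if (domain_known(at + 1)) {     /* treat as name@domain first */
        const struct user *u = by_name(login, (size_t)(at - login), at + 1);
        if (u) return u;
    }
    /* Domain part unknown, or user not found in it: extra UPN lookup. */
    const struct user *u = by_upn(login);
    *via_upn = (u != NULL);
    return u;
}
```

Because the fully qualified lookup runs first, a UPN whose suffix equals a configured domain name resolves to that domain's user of the same name if one exists, which is worth checking when auditing which account a given login string maps to.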