3 files changed, 40 insertions, 0 deletions

diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 8b8ea25c6..646c54ecb 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -100,6 +100,8 @@ struct dp_option default_basic_opts[] = {
     { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000100000LL }, NULL_NUMBER },
     { "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
     { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 7c55ad5a0..2de4a5cb9 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -215,6 +215,8 @@ enum sdap_basic_opt {
     SDAP_IDMAP_UPPER,
     SDAP_IDMAP_RANGESIZE,
     SDAP_IDMAP_AUTORID_COMPAT,
+    SDAP_IDMAP_DEFAULT_DOMAIN,
+    SDAP_IDMAP_DEFAULT_DOMAIN_SID,
 
     SDAP_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 24e7ef371..02e3d0eac 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -129,6 +129,42 @@ sdap_idmap_init(TALLOC_CTX *mem_ctx,
                 goto done;
             }
         }
+    } else {
+        /* This is the first time we're setting up id-mapping
+         * Store the default domain as slice 0
+         */
+        dom_name = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN);
+        if (!dom_name) {
+            /* If it's not explicitly specified, use the SSSD domain name */
+            dom_name = idmap_ctx->id_ctx->be->domain->name;
+            ret = dp_opt_set_string(idmap_ctx->id_ctx->opts->basic,
+                                    SDAP_IDMAP_DEFAULT_DOMAIN,
+                                    dom_name);
+            if (ret != EOK) goto done;
+        }
+
+        sid_str = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN_SID);
+        if (sid_str) {
+            /* Set the default domain as slice 0 */
+            ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
+                                        sid_str, 0);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Could not add domain [%s][%s][%u] to ID map: [%s]\n",
+                       dom_name, sid_str, 0, strerror(ret)));
+                goto done;
+            }
+        } else {
+            if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_AUTORID_COMPAT)) {
+                /* In autorid compatibility mode, we MUST have a slice 0 */
+                DEBUG(SSSDBG_FATAL_FAILURE,
+                      ("Autorid compatibility mode selected, but %s is not set\n",
+                       idmap_ctx->id_ctx->opts->basic[SDAP_IDMAP_DEFAULT_DOMAIN_SID].opt_name));
+                ret = EINVAL;
+                goto done;
+            }
+            /* Otherwise, we'll just fall back to hash values as they are seen */
+        }
     }
 
     *_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx);