[sparks-discuss] Active Directory name service module (nss_ad) [PSARC/2008/441 FastTrack timeout 07/18/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Sun Jul 13 18:04:20 PDT 2008
On Sun, Jul 13, 2008 at 07:42:14PM -0500, Mike Gerdts wrote:
> On Sun, Jul 13, 2008 at 6:19 PM, Nicolas Williams
> <Nicolas.Williams at sun.com> wrote:
> > It is still not wise to name users/groups in AD which might cause
> > problems for Solaris or various applications, such as all numeric
> > user/group names, names that start with '-', names that contain ':',
> > names that contain non-printing or non-ASCII characters, ...
> >
> > It might be useful to have the name service switch filter or escape such
> > names. And it may be nice to set up a convention that the name service
> > switch and the backends use UTF-8, or enhance the relevant interfaces to
> > specify codesets, and then ensure that getXbyY() callers get names that
> > have been converted to their current locales' codesets. But such
> > changes to the name service switch and friends are not this case.
>
> Additionally - not part of this case - it would be nice to have a
> generic username mapping mechanism. An organization that is looking
> to use AD as their naming service is somewhat likely to have chosen
> Windows/AD usernames that do not comply with the UNIX view of the
> world.
AD already has this in various forms, but we're leaving that out of
scope here for several reasons: a) simplicity: we need a way to use AD
as is, w/o SFU, and what not, b) nss_ldap already supports this through
schema mapping, though only against a single AD domain, and we need to
support entire forests and cross-forest trusts, c) expediency.
Addressing (b) will be a large project, thus the expediency rationale.
But even if we could not assert expediency I believe that simplicity
still requires that we pursue this approach.
We're really straying now from the case, so please drop PSARC-ext from
the cc list and change the subject (or start a new thread) to discuss
(b).
If and when (b) is addressed then it should be possible to configure the
system to prefer AD-provided Unix names over sAMAccountName values, or
even to do so on a per-domain basis. But I really don't want to get
into that on psarc-ext. If you wish we can discuss (b) in detail on
sparks-discuss.
Nico
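The name-filtering idea from the quoted text above (rejecting AD names that are all numeric, start with '-', contain ':', or carry non-printing or non-ASCII bytes before they reach getXbyY() callers) written out as a small check, added here as an illustration; it is not code from the nss_ad case or from Sun. The enum, the check_unix_name() function and the sample sAMAccountName values are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Why an AD-supplied name is unsafe to pass through as a Unix user/group
 * name. Each value matches one hazard named in the discussion above. */
enum name_problem {
    NAME_OK = 0,
    NAME_EMPTY,
    NAME_ALL_NUMERIC,   /* tools would treat it as a uid/gid, not a name */
    NAME_LEADING_DASH,  /* commands would parse it as an option */
    NAME_HAS_COLON,     /* ':' is the passwd/group field separator */
    NAME_NON_PRINTABLE  /* control byte or non-ASCII byte (e.g. UTF-8) */
};

/* Hypothetical filter a name service backend could apply to every name it
 * returns; it reports the first hazard found, or NAME_OK. */
enum name_problem check_unix_name(const char *name)
{
    size_t i, len;
    int all_digits = 1;

    if (name == NULL || name[0] == '\0')
        return NAME_EMPTY;
    if (name[0] == '-')
        return NAME_LEADING_DASH;

    len = strlen(name);
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == ':')
            return NAME_HAS_COLON;
        if (c < 0x20 || c > 0x7e)       /* outside printable ASCII */
            return NAME_NON_PRINTABLE;
        if (!isdigit(c))
            all_digits = 0;
    }
    return all_digits ? NAME_ALL_NUMERIC : NAME_OK;
}

const char *name_problem_str(enum name_problem p)
{
    switch (p) {
    case NAME_OK:            return "ok";
    case NAME_EMPTY:         return "empty name";
    case NAME_ALL_NUMERIC:   return "all-numeric name";
    case NAME_LEADING_DASH:  return "name starts with '-'";
    case NAME_HAS_COLON:     return "name contains ':'";
    case NAME_NON_PRINTABLE: return "non-printing or non-ASCII byte";
    }
    return "unknown";
}

/* Constructed sample sAMAccountName values; not taken from any directory. */
static const char *samples[] = {
    "jdoe", "12345", "-rf", "svc:acct", "j\xc3\xb6rg", "tab\tname"
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum name_problem p = check_unix_name(samples[i]);
        printf("%-12s -> %s%s\n", samples[i], name_problem_str(p),
               p == NAME_OK ? "" : " (filter or escape)");
    }
    return 0;
}
```

A backend using such a check would either drop the entry or map it through an escaping scheme; which of the two is right is exactly the policy question the thread leaves for a separate case.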