On Thu, Apr 28, 2016 at 06:31:20PM +0000, Sullivan, Daniel [AAA] wrote:
> Jakub,
>
> Thank you for your reply. I did not know that the compat tree was
> populated from sssd; do you have any experience and/or recommendation on
> using the full_name_format variable of sssd.conf to manipulate how cn’s are
> populated in anchor records? Basically I’m interested in trying to get
> IPA to provision anchor records for a trusted domain without the @f.d.q.n
> appended to usernames. It seems like having a custom full_name_format
> (sssd.conf) possibly in conjunction with default_domain_suffix (sssd.conf)
> might achieve this (have already done some internal testing with partial
> results, running into some issues but interested in yours and the group's
> opinion on the viability of this).

It's not possible at the moment to change the output format of the sssd on
the server or the format of the entries in the compat tree. Several pieces
of the stack (including the extdom plugin that serves requests to the sssd
clients) rely on the name being qualified at least on the server side to
function properly.

What should be possible starting with 7.3 is to have the shortnames in the
output of SSSD clients with id_provider=ipa.

But I'm not sure legacy clients would work either with shortnames because
with the legacy clients, we typically treat the whole qualified string as a
"name":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)     <-------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The re_expression tells sssd that the whole input string, qualified or not,
is a "name"; there is no separate IPA and AD domain in these setups. This is
because with the legacy clients, those clients must use the "ldap"
id_provider pointed to the compat tree, and the 'ldap' provider, unlike the
'ipa' or 'ad' providers, has no notion of trusted domains internally.

So if you want to use shortnames on the output, I think the best bet is to
wait for sssd-1.14 (coming in RHEL-7.3) with the ipa provider.
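
How the `re_expression` quoted in the message above treats a qualified login, shown as an added Python example that is not part of the original message or of SSSD's code. The second configuration, the sample logins and the helper names are constructed here for contrast.

```python
import configparser
import re

# The [sssd] section quoted in the message (legacy client, id_provider=ldap).
LEGACY_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)
"""

# Constructed contrast (assumption): a pattern that separates name and domain on '@'.
SPLITTING_CONF = """\
[sssd]
re_expression = (?P<name>[^@]+)@?(?P<domain>[^@]*$)
"""


def load_re_expression(conf_text):
    """Return the compiled re_expression from the [sssd] section of an INI text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return re.compile(parser["sssd"]["re_expression"])


def split_login(pattern, login):
    """Return (name, domain) as defined by the pattern's named groups.

    domain is None when the pattern has no 'domain' group or it matched empty.
    """
    match = pattern.fullmatch(login)
    if match is None:
        raise ValueError(f"{login!r} does not match {pattern.pattern!r}")
    groups = match.groupdict()
    return groups["name"], groups.get("domain") or None


if __name__ == "__main__":
    # Constructed sample logins: one short, one qualified with a trusted domain.
    for label, conf in (("legacy", LEGACY_CONF), ("splitting", SPLITTING_CONF)):
        pattern = load_re_expression(conf)
        for login in ("jdoe", "jdoe@ad.example.com"):
            print(label, login, "->", split_login(pattern, login))
```

With the legacy pattern, `jdoe` and `jdoe@ad.example.com` come out as two different names with no domain attached, so a legacy client only finds the trusted-domain user under the qualified form stored in the compat tree.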
