Bug 2229824 - [RFE] Allow SSSD to generate subids for LDAP and AD-based users [NEEDINFO]
Summary: [RFE] Allow SSSD to generate subids for LDAP and AD-based users
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sssd
Version: 9.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Alexey Tikhonov
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2023-08-07 20:45 UTC by Chance Callahan
Modified: 2023-08-17 13:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Story
Target Upstream Version:
Embargoed:
ipedrosa: needinfo? (aboscatt)




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-164772 | 0 | None | None | None | 2023-08-07 20:49:04 UTC
Red Hat Issue Tracker | SSSD-6586 | 0 | None | None | None | 2023-08-10 13:41:55 UTC

Description Chance Callahan 2023-08-07 20:45:06 UTC
1. Proposed title of this feature request

Allow SSSD to generate subids for LDAP and AD-based users.

3. What is the nature and description of the request?

The customer wishes to use rootless Podman with AD users coming in over LDAP. Currently SSSD only supports this with IPA-based users.

4. Why does the customer need this? (List the business requirements here)

The customer needs subid support for use with rootless Podman.

5. How would the customer like to achieve this? (List the functional requirements here)

The same method currently used for IPA-based users: editing nsswitch.conf and assigning subid management to SSSD.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Red Hat can test to confirm with internal tooling.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

Not that I can find.

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

No.

9. Is the sales team involved in this request and do they have any additional input?

No.

10. List any affected packages or components.

* sssd
* podman

11. Would the customer be able to assist in testing this functionality if implemented?

Yes.

Comment 4 Alexey Tikhonov 2023-08-08 11:33:26 UTC
(In reply to Chance Callahan from comment #0)
> 1. Proposed title of this feature request
> 
> Allow SSSD to generate subids for LDAP and AD-based users.
...
> 5. How would the customer like to achieve this? (List the functional
> requirements here)
> 
> The same method currently used for IPA-based users by editing the
> nsswitch.conf and assigning subid management to SSSD.

SSSD does *NOT* generate subid ranges for IPA-based users.

SSSD merely fetches those ranges from the IPA server, as a kind of extended NSS user attribute.

FreeIPA implements an LDAP schema and means to generate/assign ranges to IPA users: see https://github.com/freeipa/freeipa/blob/master/doc/designs/subordinate-ids.md for details.

It would be possible to implement the same range fetching in 'sssd-ad' (as it's done in 'sssd-ipa').

But the main blocker here is range generation/assignment on the AD server; this is totally out of SSSD's hands. As far as I know, no standardized solution exists.
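As an added example (not code from the bug report or from SSSD), the script below covers the two things an administrator ends up checking after this exchange: which NSS sources the `subid` database is routed to in nsswitch.conf, and whether the locally maintained /etc/subuid ranges, the fallback when no directory hands out ranges as comment 4 describes for AD, overlap each other. The file contents and user names are constructed.

```python
from itertools import combinations

# Constructed stand-ins for /etc/nsswitch.conf and /etc/subuid (not real files).
NSSWITCH = """\
passwd:     sss files systemd
group:      sss files systemd
# libsubid asks SSSD first (IPA-provided ranges), then falls back to files
subid:      sss files
"""

SUBUID = """\
# user:first_subuid:count   (jdoe and asmith were assigned by hand)
root:100000:65536
jdoe:165536:65536
asmith:200000:65536
"""


def subid_sources(nsswitch_text):
    """Return the ordered NSS sources for the 'subid' database ([] if absent)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() == "subid":
            return sources.split()
    return []


def parse_subuid(subuid_text):
    """Parse user:first:count lines into (user, first, last) tuples."""
    ranges = []
    for line in subuid_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, first, count = line.split(":")
        first, count = int(first), int(count)
        ranges.append((user, first, first + count - 1))
    return ranges


def find_overlaps(ranges):
    # Two users sharing subordinate UIDs means files created inside one user's
    # rootless container are owned by, and accessible to, the other user.
    return [(ua, ub) for (ua, fa, la), (ub, fb, lb) in combinations(ranges, 2)
            if fa <= lb and fb <= la]
```

With the constructed files, `find_overlaps(parse_subuid(SUBUID))` reports that jdoe's and asmith's hand-assigned ranges collide, which is exactly the bookkeeping an IPA server (and, per comment 4, no AD counterpart) performs centrally.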

