Bug 740081 - Allow sync of "pseudo-user" accounts
Summary: Allow sync of "pseudo-user" accounts
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: 389
Classification: Retired
Component: Sync Service
Version: 1.2.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 389_1.3.0 690319
TreeView+ depends on / blocked
 
Reported: 2011-09-20 20:58 UTC by Rich Megginson
Modified: 2015-11-19 19:27 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 19:27:54 UTC
Embargoed:


Attachments (Terms of Use)

Description Rich Megginson 2011-09-20 20:58:21 UTC
Description of problem:
There are "pseudo-user" accounts in AD that have mostly "user" objectclass schema but are missing required attributes in DS, such as the "sn" attribute.  There may be some cases where we want to allow the user to sync these entries:

"I think it might be clearer if we synchronized all accounts that do not use built-in SIDs (reserved) and are in the correct cn / ou since there is no such things as a 'psuedo user' in AD.  There may be cases where it is desirable for application users to sync, for example a user used for monitoring could log in from an application server to Linux / Windows with the same account.  This user might not have all the attributes that a real person would have."

We could fill in the missing values in several ways:
1) hard coded value ("Missing Surname")
2) set value to use in winsync agreement entry
winsyncMissing: sn Missing Surname
or
winsyncMissing: sn $displayName
or
winsyncMissing: sn (objectclass=ipaWinsyncConfig) sn
the last is similar to what the ipa-winsync plugin does for missing posix attributes.

The list of well-known SIDs/RIDs is found here - http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master

Comment 1 Simo Sorce 2011-09-20 21:05:43 UTC
Any RID below 1000 belongs to wellknown SIDs

But I am not sure you can use that to weed out users/groups.

Here you can find a list of SIDs/RIDS that are wellknown:
http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master

start at line 200ish

Comment 2 Rich Megginson 2011-10-17 21:14:08 UTC
Simo, is this a 6.3 feature?  If not, then when?

Comment 3 Simo Sorce 2011-10-17 21:41:47 UTC
I don't know, we do not use winsync for our ad trust plans which are the driver for 3.0

Comment 4 Rich Megginson 2011-10-17 21:47:05 UTC
(In reply to comment #3)
> I don't know, we do not use winsync for our ad trust plans which are the driver
> for 3.0

So can we mark this as CLOSED WONTFIX?

Comment 5 Rich Megginson 2011-10-19 19:41:01 UTC
Would still be a good enhancement until we can completely scrap winsync.

Comment 8 Martin Kosek 2012-01-04 13:21:27 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/30

Comment 10 Noriko Hosoi 2015-11-19 19:27:54 UTC
Closing this bug since we moved to the ticket system:
https://fedorahosted.org/389/ticket/30


Note You need to log in before you can comment on or make changes to this bug.