Trust_resolve_command#

__NOTOC__

Overview#

Related tickets #3302

We expose an interface to resolve Security Identifiers (SIDs) from a foreign trusted domain. The command is used by Web UI to resove the SIDs added as external group members.

Use Cases#

  • Trust administrator adds external group and adds several external members to it from a trusted domain. These members are stored internally as SIDs and should be shown as proper names of groups and users in Web UI.

Design#

Add trust-resolve command to implement a query interface. Query is resolved via SSSD. SSSD encapsulates actual resolution mechanism under libsss_nss_idmap API. Details on SSSD design are available at https://fedorahosted.org/sssd/wiki/DesignDocs/NSSResponderIDMappingCalls

Feature Management#

UI

Since SID resolution may potentially take time at server side, SID resolution should be done as asynchronous task. This is implemented via special SID facet in Web UI – that is, content of any field with facet type ‘sid’ will be used to query ‘trust-resolve’ command and it in case of successful resolution will be replaced by the returned value.

CLI

trust-resolve#

trust-resolve displays SIDs and names they resolved to.

Required command options:

  • --sids: comma-separated list of SIDs to resolve.

Major configuration options and enablement#

The command will be only functional when the trusts are configured.

Replication#

N/A

Updates and Upgrades#

N/A

Dependencies#

SSSD 1.10 is required. In particular, Python bindings to libsss_nss_idmap are used, packaged as libsss_nss_idmap-python in Fedora 19.

External Impact#

N/A

Design page authors#

Alexander Bokovoy