POSIX Winsync SID Enhancements

POSIX Winsync SID Enhancements

Overview

The current Winsync functionality in 389 allows basic user and group entries to be synchronized from AD, and can optionally synchronize POSIX related attributes. This functionality can be enhanced to allow more control of what users/groups are synchronized as well as converting non-POSIX users from AD into POSIX users in 389 automatically. This flexibility can come in handy for various migration use-cases.

Use Cases

The following use-cases should be covered by the new enhancements:

Only synchronize users/groups that have POSIX attributes defined in AD.
Convert non-POSIX users/groups from AD into POSIX users/groups in 389 using SID to UID/GID mapping.
Ignore POSIX attributes from AD and generate POSIX attributes in 389 using SID to UID/GID mapping.

We can show how these use cases in matrix form. These are broken down into two separate scenarios:

Scenario 1: Sync all users

                   Sync  UID/GID from AD            SID->UID/GID
POSIX users                 +                               +
Non-POSIX users            N/A                              +

Scenario 2: Sync only POSIX users

                   Sync  UID/GID from AD            SID->UID/GID
POSIX users                 +                               +

In scenario 1, there is some flexibility in how you can treat AD entries that already have POSIX attributes. This flexibility is needed to support different migration strategies:

Existing POSIX attributes that were entered into AD are still in use, so they need to be preserved. Newly created accounts will now have their POSIX attributes generated by 389 DS.
Existing POSIX attributes in AD are to be abandoned, and all handling of POSIX attributes is being moved over to 389 DS. New POSIX attributes will be generated for all users.

Scenario 2 is much more straight-forward. All POSIX attributes in AD will either be abandoned or preserved for the whole sync agreement. This behavior can not be switched on a per-user basis.

Design

The new functionality should be implemented in the 389 POSIX Winsync plug-in, as the enhancements all revolve around POSIX users/groups. The high-level behavior will be controlled by two new configuration settings:

Add a switch to ignore non-POSIX users/groups.
- Valid settings are on and off. The default setting should of off.
- When this switch is set to on, we would completely ignore users/groups from AD that do not have POSIX attributes set.
- When this switch is set to off, non-POSIX users/groups would be synchronized from AD.
Add a switch to generate POSIX attributes.
- Valid settings are on, off, and override.
- When this switch is set to on, we would generate POSIX attributes when synchronizing non-POSIX users/groups from AD. POSIX users in AD would be synchronized to 389 with their POSIX values intact. Any missing optional POSIX attributes will have values generated.
- When this switch is set to off, we would not generate any POSIX attributes. POSIX and non-POSIX synchronization from AD would work depending on the other configuration settings.
- When this switch is set to override, we would override all POSIX attributes defined in AD with our own generated attribute values. If non-POSIX user/group synchronization is enabled, we would generate POSIX attributes when synchronizing non-POSIX users/groups from AD.

Attribute Value Generation

Attribute value generation will be supported for the following attributes:

uidNumber
gidNumber
homeDirectory
loginShell
gecos

Details on how we generate these values are as follows:

SID Mapped Values

The generation of uidNumber and gidNumber values will be performed by ID mapping from the SID. There is already logic for this in SSSD, which is implemented in the libsss_idmap library. We should reuse this library instead of implementing the logic ourselves. There are some details on the algorithm available at http://jhrozek.fedorapeople.org/sssd/1.9.4/man/sssd-ad.5.html

Other Values

Generation of the homeDirectory, loginShell, and gecos values is already supported in the FreeIPA Winsync plug-in. We should use the same logic in our own value generation code for these attributes. Here is an overview of the way FreeIPA generates these attribute values:

homeDirectory
- This requires a configurable prefix setting that is used to define the location where home directories are kept. We can likely make this default to /home.
- If a uid value is present, use */*.
- If a uid value is not present and we have a samAccountName, use */*.
- If both uid and samAccountName are not present, it is a fatal error and we can’t sync the user since this is a required attribute. This should never happen.
loginShell
- Add a configurable loginShell default value setting.
- If the default setting is defined, use the value as is for the generated loginShell attribute in user entries.
- If the default setting is not defined, do not generate a loginShell value for user entries. This will work fine since loginShell is not a required attribute.
gecos
- If a cn value is present, use it for the value of gecos.
- If a cn value is not present and we have a displayName, use the value of the displayName attribute for the value of gecos.
- If both cn and displayName are not present, do not generate a gecos value. This will work fine since gecos is not a required attribute.

Implementation

TBD

Major configuration options and enablement

All of the configuration for these enhancements will be set in the main POSIX Winsync plug-in entry (dn: cn=Posix Winsync API,cn=plugins,cn=config). The high-level control for these enhancements will be handled by the two new settings described in the Design section above.

ignoreNonPOSIXEntries - disable sync of non-POSIX users/groups (on or off)
generatePOSIXAttributes - enable generation of POSIX attributes (on, off, or override)

The value generation logic will also require a number of configuration settings. New settings that will be needed are:

homeDirectoryPrefix - home directory prefix for user entries
loginShellDefault - default login shell value for user entries

The SID ID mapping in SSSD allows configuration to control how the mapping is performed. These settings are defined in the SSSD manual that is linked to in the SID Mapped Values section above. We will probably need to add configuration settings that mimic the settings that SSSD uses. Specifically, we will likely need settings for the following:

ldap_idmap_range_min
ldap_idmap_range_max
ldap_idmap_range_size
ldap_idmap_default_domain_sid
ldap_idmap_default_domain
ldap_idmap_autorid_compat

Replication

The enhancements are focused on synchronization in the AD->389 direction only. We need to determine how things should behave when bi-directional synchronization is enabled. There are a few outstanding questions I can think of:

If we are converting a non-POSIX user from AD into a POSIX user in 389, should the generated POSIX attributes be sent back to AD?
- In this case, it seems like we should not be turning non-POSIX users in AD into POSIX users.
If we are overriding POSIX attributes from AD with our own generated attributes, should we avoid further synchronization of POSIX attributes between AD and 389 after the initial sync?
- In this case, it seems like we would never want to synchronize the POSIX attributes in either direction, otherwise we run the risk of overwriting data on one side.

For both of these scenarios, we should probably allow the behavior to be configurable with regards to synchronizing POSIX attributes from 389->AD. There might be situations where this is desirable, though our default behavior should be to avoid overwriting POSIX attributes in AD.

The enhancements should not have any impact on the core Replication functionality (non Winsync).

Updates and Upgrades

The new behavior will be turned off by default, so upgrades should not change the behavior. The new functionality can be manually enabled post-upgrade.

Dependencies

The SID ID mapping functionality is implemented in SSSD. We should make every effort to use their existing library, which will require us to add a dependency on SSSD. Most of what we need is already exposed by libsss_idmap.so, but there are some pieces that still need to be exposed. This has been filed as a ticket for the SSSD team at https://pagure.io/sssd/issue/1844.

External Impact

The FreeIPA Winsync plug-in should handle the changes outlined above with no modifications. The reason this should work is that the FreeIPA Winsync plug-in currently checks if the POSIX attributes are already defined in the entry it receives from the 389 Winsync plug-in. If the attributes are already defined, FreeIPA leaves them intact instead of generating new values. The FreeIPA Winsync plug-in will be unable to differentiate between a value that truly came from AD and those that are generated by the 389 POSIX Winsync plug-in, so the generated values will be left intact.

Last modified on 2 April 2024