From 59995f35b7dd6ec552be1081b0120f2344e3ded3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 25 Feb 2014 17:09:00 +0100
Subject: [PATCH 99/99] MAN: Clarify that changing ID mapping options might
require purging the cache
https://fedorahosted.org/sssd/ticket/2252
Currently SSSD chokes when IDs of users change, we don't support ID
changes yet. Because some users were confused about the failures, this
patch adds additional clarification.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 3dfa09a826e5f63b4948462c2452937fc329834d)
---
src/man/include/ldap_id_mapping.xml | 42 +++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml
index 71ff248f1f24242b911f615fd6afeb0382dfa5a1..7f5dbd30be67745b26dbced341762705d6e09f14 100644
--- a/src/man/include/ldap_id_mapping.xml
+++ b/src/man/include/ldap_id_mapping.xml
@@ -12,6 +12,48 @@
need to use manually-assigned values, ALL values must be
manually-assigned.
</para>
+ <para>
+ Please note that changing the ID mapping related configuration
+ options will cause user and group IDs to change. At the moment,
+ SSSD does not support changing IDs, so the SSSD database must
+ be removed. Because cached passwords are also stored in the
+ database, removing the database should only be performed while
+ the authentication servers are reachable, otherwise users might
+ get locked out. In order to cache the password, an authentication
+ must be performed. It is not sufficient to use
+ <citerefentry>
+ <refentrytitle>sss_cache</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ to remove the database, rather the process
+ consists of:
+ <itemizedlist>
+ <listitem>
+ <para>
+ Making sure the remote servers are reachable
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Stopping the SSSD service
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Removing the database
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Starting the SSSD service
+ </para>
+ </listitem>
+ </itemizedlist>
+ Moreover, as the change of IDs might necessitate the adjustment
+ of other system properties such as file and directory ownership,
+ it's advisable to plan ahead and test the ID mapping configuration
+ thoroughly.
+ </para>
<refsect2 id='idmap_algorithm'>
<title>Mapping Algorithm</title>
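Review bot: The four steps in the added `<itemizedlist>` are order-dependent (check reachability, stop SSSD, remove the database, start SSSD), so an `<orderedlist>` would convey the sequence better than a bulleted list. The "Removing the database" item also does not say which files make up the database; since the preceding sentence tells the reader that sss_cache(8) is not sufficient, the step should name the cache location or reference the place where it is documented. The list is also opened inside the running `<para>` in the middle of a sentence ("rather the process consists of:"), and the closing "Moreover, ..." text about file and directory ownership follows it in the same `<para>`; closing the paragraph before the list and starting a new one after it would make the ownership caveat easier to spot. Finally, the sentence "In order to cache the password, an authentication must be performed" sits between the lockout warning and the sss_cache remark; moving it after the list, as a note that users have to log in once after the restart before offline authentication works again, would keep the procedure and its consequence together.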
--
1.8.5.3