<refsect1 id='idmap'>
    <title>ID MAPPING</title>
    <para>
        The ID-mapping feature allows SSSD to act as a client of Active
        Directory without requiring administrators to extend user attributes
        to support POSIX attributes for user and group identifiers.
    </para>
    <para>
        NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
        attributes are ignored. This is to avoid the possibility of conflicts
        between automatically-assigned and manually-assigned values. If you
        need to use manually-assigned values, ALL values must be
    </para>
    <refsect2 id='idmap_algorithm'>
        <title>Mapping Algorithm</title>
        <para>
            Active Directory provides an objectSID for every user and group
            object in the directory. This objectSID can be broken up into
            components that represent the Active Directory domain identity and
            the relative identifier (RID) of the user or group object.
        </para>
        <para>
            The SSSD ID-mapping algorithm takes a range of available UIDs and
            divides it into equally-sized component sections, called
            <quote>slices</quote>. Each slice represents the space available to an Active
        </para>
        <para>
            When a user or group entry for a particular domain is encountered
            for the first time, the SSSD allocates one of the available slices
            for that domain. In order to make this slice-assignment repeatable
            on different client machines, we select the slice based on the
            following algorithm:
        </para>
        <para>
            The SID string is passed through the murmurhash3 algorithm to
            convert it to a 32-bit hashed value. We then take the modulus of
            this value with the total number of available slices to pick the
        </para>
        <para>
            NOTE: It is possible to encounter collisions in the hash and
            subsequent modulus. In these situations, we will select the next
            available slice, but it may not be possible to reproduce the same
            exact set of slices on other machines (since the order that they
            are encountered will determine their slice). In this situation, it
            is recommended to either switch to using explicit POSIX attributes
            in Active Directory (disabling ID-mapping) or configure a default
            domain to guarantee that at least one is always consistent. See
            <quote>Configuration</quote> for details.
        </para>
    </refsect2>
    <refsect2 id='idmap_config'>
        <title>Configuration</title>
        <programlisting>
ldap_id_mapping = True
        </programlisting>
        <para>
            The default configuration results in configuring 10,000 slices,
            each capable of holding up to 200,000 IDs, starting from 10,001
            and going up to 2,000,100,000. This should be sufficient for
        </para>
        <refsect3 id='idmap_advanced_config'>
            <title>Advanced Configuration</title>
            <variablelist>
                <varlistentry>
                    <term>ldap_idmap_range_min (integer)</term>
                    <listitem>
                        <para>
                            Specifies the lower bound of the range of POSIX IDs to
                            use for mapping Active Directory user and group SIDs.
                        </para>
                        <para>
                            NOTE: This option is different from
                            <quote>id_min</quote> in that <quote>id_min</quote>
                            acts to filter the output of requests to this domain,
                            whereas this option controls the range of ID
                            assignment. This is a subtle distinction, but the
                            good general advice would be to have
                            <quote>id_min</quote> be less-than or equal to
                            <quote>ldap_idmap_range_min</quote>
                        </para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>ldap_idmap_range_max (integer)</term>
                    <listitem>
                        <para>
                            Specifies the upper bound of the range of POSIX IDs to
                            use for mapping Active Directory user and group SIDs.
                        </para>
                        <para>
                            NOTE: This option is different from
                            <quote>id_max</quote> in that <quote>id_max</quote>
                            acts to filter the output of requests to this domain,
                            whereas this option controls the range of ID
                            assignment. This is a subtle distinction, but the
                            good general advice would be to have
                            <quote>id_max</quote> be greater-than or equal to
                            <quote>ldap_idmap_range_max</quote>
                        </para>
                        <para>
                            Default: 2000100000
                        </para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>ldap_idmap_range_size (integer)</term>
                    <listitem>
                        <para>
                            Specifies the number of IDs available for each slice.
                            If the range size does not divide evenly into the min
                            and max values, it will create as many complete slices
                        </para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>ldap_idmap_default_domain_sid (string)</term>
                    <listitem>
                        <para>
                            Specify the domain SID of the default domain. This
                            will guarantee that this domain will always be
                            assigned to slice zero in the ID map, bypassing
                            the murmurhash algorithm described above.
                        </para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>ldap_idmap_default_domain (string)</term>
                    <listitem>
                        <para>
                            Specify the name of the default domain.
                        </para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>ldap_idmap_autorid_compat (boolean)</term>
                    <listitem>
                        <para>
                            Changes the behavior of the ID-mapping algorithm
                            to behave more similarly to winbind's
                            <quote>idmap_autorid</quote> algorithm.
                        </para>
                        <para>
                            When this option is configured, domains will be
                            allocated starting with slice zero and increasing
                            monotonically with each additional domain.
                        </para>
                        <para>
                            NOTE: This algorithm is non-deterministic (it
                            depends on the order that users and groups are
                            requested). If this mode is required for
                            compatibility with machines running winbind, it
                            is recommended to also use the
                            <quote>ldap_idmap_default_domain_sid</quote>
                            option to guarantee that at least one domain is
                            consistently allocated to slice zero.
                        </para>
                    </listitem>
                </varlistentry>
            </variablelist>
        </refsect3>
    </refsect2>
</refsect1>
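<para>
    The slice selection from <quote>Mapping Algorithm</quote> and the range
    options from <quote>Configuration</quote>, as an added worked example in
    Python (not SSSD's own code): a domain SID string is hashed with
    MurmurHash3 (x86, 32-bit) and reduced modulo the number of complete slices,
    a colliding slice falls through to the next free one,
    ldap_idmap_default_domain_sid pins its domain to slice zero, and
    ldap_idmap_autorid_compat hands out slices in encounter order. The hash
    seed and the rule that a POSIX ID is the slice's first ID plus the RID are
    assumptions; every SID below is a constructed sample value.
</para>

```python
MASK32 = 0xFFFFFFFF
HASH_SEED = 0xDEADBEEF  # assumed seed; the page does not state the seed SSSD uses

def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit variant; every step is reduced modulo 2**32."""
    c1, c2, h, nblocks = 0xCC9E2D51, 0x1B873593, seed & MASK32, len(data) // 4
    for i in range(nblocks):  # 4-byte little-endian blocks
        k = (int.from_bytes(data[i * 4:i * 4 + 4], "little") * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        h ^= (k * c2) & MASK32
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]
    if tail:  # 1-3 trailing bytes, mixed without the body rotate
        k = (int.from_bytes(tail, "little") * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        h ^= (k * c2) & MASK32
    h ^= len(data)  # finalisation (fmix32)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & MASK32
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)

class IdMap:
    def __init__(self, range_min=10001, range_size=200000, range_max=2000100000,
                 default_domain_sid=None, autorid_compat=False):
        self.range_min, self.range_size = range_min, range_size
        self.slices = (range_max - range_min) // range_size  # complete slices only
        self.autorid_compat, self.assigned = autorid_compat, {}  # SID -> slice
        if default_domain_sid:  # the default domain is pinned to slice zero up front
            self.assigned[default_domain_sid] = 0

    def slice_for(self, domain_sid: str) -> int:
        if domain_sid in self.assigned:
            return self.assigned[domain_sid]
        start = 0 if self.autorid_compat else (  # autorid: encounter order
            murmurhash3_32(domain_sid.encode(), HASH_SEED) % self.slices)
        used = set(self.assigned.values())
        for step in range(self.slices):  # collision: fall through to the next free slice
            cand = (start + step) % self.slices
            if cand not in used:
                self.assigned[domain_sid] = cand
                return cand
        raise RuntimeError("no free slice left for " + domain_sid)

    def map_sid(self, sid: str) -> int:
        domain_sid, rid = sid.rsplit("-", 1)  # assumed: POSIX ID = slice base + RID
        if int(rid) >= self.range_size:
            raise ValueError("RID %s exceeds the slice size %d" % (rid, self.range_size))
        return self.range_min + self.slice_for(domain_sid) * self.range_size + int(rid)
```

Two machines that see the same domains in a different order can end up with different slices only when the hash collides, which is exactly the case the default-domain option removes for slice zero.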