Thanks for looking into this. The problem with objectSid is that it is not mixed with normal attribute expansion. The passwd gidNumber would probably be the only case where this could be made to work (the other attributes where objectSid can be used don't support attribute mapping).
Regarding MAXUIDS_PER_ENTRY: In normal cases the username and uid are unique within a system, but there are plenty of situations where two users have the same numeric uid. The other case, where two users exist with the same name and different numeric uid, can also exist. A lot of tools probably don't handle these situations all too gracefully, but I've seen a few systems that use these kinds of configurations. Since in LDAP any attribute in theory can have multiple values, this can also be easily configured.
For most other attributes nslcd just takes the first value that is returned by the LDAP server but for username and uid it returns one user entry for each attribute value.
I tried to set up something like this:
map passwd gidNumber "${gidNumber:-$objectSid:S-1-5-21-3623811015-3361044348-30300820}"
Unfortunately this does not seem to work.
The idea would have been to use a SID-derived primary group id only if the gidNumber attribute is not set.
I have no idea if this is supposed to work.