Add support for setting uidNumber for machine accounts
This MR adds support for assigning uidNumber to computer (machine) accounts. The purpose of this is to make computer accounts visible to winbind when configured with idmap_ad, which requires that "users" (in this case computers) have uidNumber assigned, and also that their primary group have gidNumber assigned.
I considered just relaxing the existing filter, particularly removing (objectCategory=Person) and simply including computers as "users". However, I ultimately elected to keep "users" to mean "Persons" and added "computers" as a separate entity.
Additionally, this changes the assignment logic to no longer exclude the following groups when assigning gidNumber, as these may be the primary group of a computer:
- Domain Computers
- Domain Controllers
- Enterprise Read-only Domain Controllers
- Read-only Domain Controllers
The following changes to the CLI were made:
- Added computer list command to list computer accounts
- Added computer assign command to assign uidNumber/gidNumber attributes to computer accounts
- Updated assignids command to include computers
- Updated clearids command to include computers
This also adds the id_assign.computers boolean config option which defaults to True and determines whether the computer id assignment happens as part of the allmaint command. It also controls whether "computer groups" are assigned by the group assign command. Setting this option to False effectively retains the logic prior to this MR.
Closes #13 (closed)
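
The requirement stated in the description (a computer needs uidNumber and its primary group needs gidNumber before idmap_ad can map it) can be checked as below. This is an added example, not code from this MR or the project; the entries, the domain SID and the `audit_computers` helper are constructed for illustration, and a single domain is assumed so that primaryGroupID can be matched against the last component of each group's objectSid.

```python
# Added illustration: entries are constructed, not read from a real directory.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value

# Well-known RIDs of the groups the MR no longer excludes from gidNumber assignment.
COMPUTER_GROUP_RIDS = {
    515: "Domain Computers",
    516: "Domain Controllers",
    498: "Enterprise Read-only Domain Controllers",
    521: "Read-only Domain Controllers",
}

GROUPS = [
    {"cn": "Domain Computers", "objectSid": f"{DOMAIN_SID}-515", "gidNumber": 10515},
    {"cn": "Domain Controllers", "objectSid": f"{DOMAIN_SID}-516"},  # gidNumber missing
]

COMPUTERS = [
    {"sAMAccountName": "WS01$", "primaryGroupID": 515, "uidNumber": 20001},
    {"sAMAccountName": "WS02$", "primaryGroupID": 515},  # uidNumber missing
    {"sAMAccountName": "DC01$", "primaryGroupID": 516, "uidNumber": 20003},
    {"sAMAccountName": "RODC01$", "primaryGroupID": 521, "uidNumber": 20004},
]


def audit_computers(computers, groups):
    """Return {account: [reasons]} for computers that idmap_ad could not map."""
    # primaryGroupID holds the RID, i.e. the last component of the group's SID.
    by_rid = {int(g["objectSid"].rsplit("-", 1)[1]): g for g in groups}
    problems = {}
    for c in computers:
        reasons = []
        if "uidNumber" not in c:
            reasons.append("no uidNumber")
        group = by_rid.get(c["primaryGroupID"])
        if group is None:
            name = COMPUTER_GROUP_RIDS.get(c["primaryGroupID"], "unknown")
            reasons.append(f"primary group not found ({name})")
        elif "gidNumber" not in group:
            reasons.append(f"primary group {group['cn']} has no gidNumber")
        if reasons:
            problems[c["sAMAccountName"]] = reasons
    return problems


if __name__ == "__main__":
    for account, reasons in audit_computers(COMPUTERS, GROUPS).items():
        print(account, "->", "; ".join(reasons))
```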