Wrong usage of lp_idmap_backend() value?

Simo Sorce simo.sorce at xsec.it
Thu Jul 3 07:50:08 GMT 2003


On Thu, 2003-07-03 at 07:45, Stefan (metze) Metzmacher wrote:
> At 05:34 03.07.2003 +0000, Jeremy Allison wrote:
> >On Thu, Jul 03, 2003 at 07:31:16AM +0200, Stefan (metze) Metzmacher wrote:
> > > At 18:09 02.07.2003 +0000, Jeremy Allison wrote:
> > > >On Wed, Jul 02, 2003 at 07:16:30PM +0300, Alexander Bokovoy wrote:
> > > > > Greetings!
> > > > >
> > > > > In smbd/server.c we are supposed to use the value of the 'idmap backend'
> > > > > option to initialize idmap, but the code logic is different: it decides to override
> > > > > everything in 'idmap backend' with 'winbind' unless 'idmap backend'
> > > > > is empty, in which case we supply NULL as the argument to idmap_init().
> > > >
> > > >It's on purpose. smbd should only talk to winbindd as a
> > > >remote backend. winbindd can talk to the configured backends.
> > >
> > > This is very bad!
> > >
> > > I think it has to be possible to use
> > > passdb backend = ldapsam
> > > idmap backend = ldap
> > >
> > > without using winbind!!!
> > > (I'm using nss_ldap)
> >
> >The problem with this is it causes many smbd connections to
> >ldap and has been reported to overload ldap servers. Funnelling
> >everything via winbindd prevents this problem.
> 
> Ok, this is a problem...

Well sorry, but, first of all, you're on the wrong route.
Running winbind doesn't necessarily mean you need to run nss_winbind or
pam_winbindd, or use only them.
You may continue to use nss_ldap or even nss_ldap+nss_winbind, I think.

> I think we should let pdb_ldap and idmap_ldap
> register an idle event that closes an idle connection.
> (a timeout of 60 sec should be ok here)

NO, it may add too big delays in smbd code IMHO, and really makes no
sense; winbind can maintain a single connection and answer all the
queries from smbd effectively. Think of winbindd as a proxy.

> because these connections are not often used,
> because normal idmap lookups should be handled by the local tdb...

Yes, most mappings will be dealt with locally.

> and pdb_ldap is only used on connection startup
> and on using something like usrmgr.exe
> and the connection is only used for a few mins.
> 
> I think the following should be possible
> 
> idmap backend = ldap:ldaps://ldapserver.domain
> (means smbd directly uses ldap as the remote backend
> and winbind also uses ldap as the remote backend)
> 
> and
> idmap backend = winbind:ldap:ldaps://ldapserver.domain
> (means smbd uses winbind as the remote backend
> and winbind uses ldap as the remote backend,
> so smbd uses winbind as a proxy for the ldap remote idmap backend)

NO, this makes the code a mess and it is really a waste of time.

I really think that making winbind the ldap proxy is the right way to
go, even for pdb_ldap.

And also I do not understand why you should specify ldap parameters
twice, once for pdb and once for idmap.

You cannot use 2 different ldap servers for them.

I think we really should merge the pdb_ldap and idmap_ldap code so that they
use the same parameters (except for the idmap base dn perhaps), and make all
queries go through winbindd.

Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399