make 'ldap trust ids' the default?

Andrew Bartlett abartlet at samba.org
Sat Nov 2 08:24:00 GMT 2002


Jean Francois Micouleau wrote:
> 
> On Sat, 2 Nov 2002, Andrew Bartlett wrote:
> 
> > I've just committed a patch that adds a new 'ldap trust ids' smb.conf
> > option.
> >
> > Currently defaulting to off, this option allows pdb_ldap to use the ldap
> > server directly to determine if a user 'exists' in unix.
> >
> > This gives us a performance boost, particularly on enumerations:
> > (Removes the extra lookup per record).
> >
> > The logic is such that if there are no posixAccount attributes for a
> > user, we try getpwnam(), it's just that we look in LDAP first.
> >
> > As such, do people think we should have this by default?
> 
> NO !
> 
> > This was a fix to solve some particular problems that metze had, and
> > I'll see if I can get some feedback on exactly how much this helps.
> 
> and what's next ? Can I commit an ugly hack i'm using 'cause SCO
> openserver doesn't support username longer than 8 chars ?

The abstractions currently in place would allow such a thing, if you
felt that it was required.

> can't we also add a "don't check unix security at all" smb.conf parameter
> that default to yes ?

We are looking at the whole 'unix security db dependence' issue with the
new SAM, which I believe is the correct long-term fix to these issues.

Seriously, this option was added because usrmgr was timing out on large
domains, and doing a *per record* getpwnam() was costing us
significantly.  The reason I ask the list is so that I can get somebody
else's eye over the idea, and I thank you for that.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
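The lookup logic Andrew describes (check the LDAP entry for posixAccount attributes first, and only fall back to getpwnam() when they are absent or the option is off), modelled as an added example in C. This is not Samba's pdb_ldap code; the struct, function names and the fake_getpwnam() stand-in for the real getpwnam() are assumptions made so the example runs offline against a constructed three-user domain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical, cut-down view of an LDAP user entry as pdb_ldap would see it:
 * only the attributes that matter for the 'ldap trust ids' decision. */
struct ldap_entry {
    const char *uid;         /* uid attribute (the unix user name) */
    bool has_posix_account;  /* entry carries posixAccount attributes */
    uid_t uid_number;        /* uidNumber, meaningful only if has_posix_account */
    gid_t gid_number;        /* gidNumber, likewise */
};

/* Stand-in for getpwnam(): injected so the example runs against a constructed
 * passwd table instead of the host's NSS. Returns true if unix knows the name. */
typedef bool (*unix_lookup_fn)(const char *name, uid_t *uid, gid_t *gid);

/* The decision the thread describes: look in LDAP first; if the option is on
 * and the entry has posixAccount attributes, trust them and skip the unix
 * lookup; otherwise fall back to getpwnam(). *unix_lookups counts fallbacks. */
bool user_exists_in_unix(const struct ldap_entry *e, bool ldap_trust_ids,
                         unix_lookup_fn lookup, int *unix_lookups,
                         uid_t *uid_out, gid_t *gid_out)
{
    if (ldap_trust_ids && e->has_posix_account) {
        *uid_out = e->uid_number;
        *gid_out = e->gid_number;
        return true;
    }
    (*unix_lookups)++;
    return lookup(e->uid, uid_out, gid_out);
}

/* Constructed passwd table standing in for the unix account database. */
static bool fake_getpwnam(const char *name, uid_t *uid, gid_t *gid)
{
    static const struct { const char *name; uid_t uid; gid_t gid; } passwd[] = {
        { "alice", 1000, 100 },
        { "bob",   1001, 100 },
    };
    for (size_t i = 0; i < sizeof(passwd) / sizeof(passwd[0]); i++) {
        if (strcmp(passwd[i].name, name) == 0) {
            *uid = passwd[i].uid;
            *gid = passwd[i].gid;
            return true;
        }
    }
    return false;
}

/* Constructed domain: alice has posix attributes and a unix account, bob has a
 * unix account but no posix attributes in LDAP, carol has posix attributes in
 * LDAP only and no unix account at all. */
static const struct ldap_entry sample_domain[] = {
    { "alice", true,  1000, 100 },
    { "bob",   false, 0,    0   },
    { "carol", true,  1002, 100 },
};

/* Enumerate the constructed domain the way a usrmgr listing would, returning
 * how many users are reported as existing and (via *unix_lookups) how many
 * getpwnam() calls that cost. */
int enumerate_sample(bool ldap_trust_ids, int *unix_lookups)
{
    int found = 0;
    *unix_lookups = 0;
    for (size_t i = 0; i < sizeof(sample_domain) / sizeof(sample_domain[0]); i++) {
        uid_t u;
        gid_t g;
        if (user_exists_in_unix(&sample_domain[i], ldap_trust_ids,
                                fake_getpwnam, unix_lookups, &u, &g)) {
            found++;
        }
    }
    return found;
}

int main(void)
{
    int lookups;
    int found = enumerate_sample(false, &lookups);
    printf("ldap trust ids = no:  %d users exist, %d getpwnam() calls\n",
           found, lookups);
    found = enumerate_sample(true, &lookups);
    printf("ldap trust ids = yes: %d users exist, %d getpwnam() calls\n",
           found, lookups);
    return 0;
}
```

With the option off every record costs a getpwnam() (three calls for three users) and carol is not reported, because unix does not know her. With the option on only bob, who has no posixAccount attributes, triggers the fallback (one call), and carol is reported as existing on the strength of her LDAP attributes alone. That difference is the whole of the trade-off under discussion: fewer per-record lookups on enumeration, against LDAP rather than the unix account database becoming the source of truth for which users exist.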