make 'ldap trust ids' the default?
Andrew Bartlett
abartlet at samba.org
Sat Nov 2 08:24:00 GMT 2002
Jean Francois Micouleau wrote:
>
> On Sat, 2 Nov 2002, Andrew Bartlett wrote:
>
> > I've just committed a patch that adds a new 'ldap trust ids' smb.conf
> > option.
> >
> > Currently defaulting to off, this option allows pdb_ldap to use the ldap
> > server directly to determine if a user 'exists' in unix.
> >
> > This gives us a performance boost, particularly on enumerations:
> > (Removes the extra lookup per record).
> >
> > The logic is such that if there are no posixAccount attributes for a
> > user, we try getpwnam(), it's just that we look in LDAP first.
> >
> > As such, do people think we should have this by default?
>
> NO !
>
> > This was a fix to solve some particular problems that metze had, and
> > I'll see if I can get some feedback on exactly how much this helps.
>
> and what's next ? Can I commit an ugly hack i'm using 'cause SCO
> openserver doesn't support username longer than 8 chars ?
The abstractions currently in place would allow such a thing, if you
felt that it was required.
> can't we also add a "don't check unix security at all" smb.conf parameter
> that default to yes ?
We are looking at the whole 'unix secruity db dependence' issue with the
new SAM, which I beleive is the correct long-term fix to these issues.
Seriously, this option was added becouse usrmgr was timing out on large
domains, and doing a *per record* getpwnam() was costing us
significantly. The reason I ask the list is so that I can get sombody
else's eye over the idea, and I thank you for that.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical
mailing list