make 'ldap trust ids' the default?

Steve Langasek vorlon at
Mon Nov 4 05:28:00 GMT 2002

On Sat, Nov 02, 2002 at 06:36:47PM +1100, Andrew Bartlett wrote:
> I've just committed a patch that adds a new 'ldap trust ids' smb.conf
> option.

> Currently defaulting to off, this option allows pdb_ldap to use the ldap
> server directly to determine if a user 'exists' in unix.

> This gives us a performance boost, particularly on enumerations: 
> (Removes the extra lookup per record).  

> The logic is such that if there are no posixAccount attributes for a
> user, we try getpwnam(), it's just that we look in LDAP first.

> As such, do people think we should have this by default?  

> This was a fix to solve some particular problems that metze had, and
> I'll see if I can get some feedback on exactly how much this helps.

This seems terribly kludgy to me.  There's a lot that can be done to
optimize unix username lookups without violating the abstraction (e.g.,
nscd).  I particularly don't think this should be used for anything that
involves *enumerating* users, as the most frequent NSS configuration
involving LDAP is to reference both LDAP *and* local files; so
enumerating via the Unix calls may give different results than doing so
via the LDAP calls.

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list