Atomic RID allocation in LDAP

Andrew Bartlett abartlet at
Sat Oct 12 09:18:01 GMT 2002

I've been thinking about the problem of allocating RIDs in LDAP.

We need a race-proof scheme to allocate RIDs, and I would prefer not to
need to use a local TDB  - I would like it all 'in ldap', if at all

While the real solution is an LDAP server that imposes restrictions on
attributes (like uniqueness constraints), we will have to settle for
what we have...

Could we use LDAP DNs for this purpose?  An LDAP distinguished name must
be unique - so why don't we have a separate 'allocation suffix'

so cn=rids,dc=example,dc=com would contain:



A program wanting to allocate a RID would first read nextRid, and
attempt to add that RID.  If it succeeds, it updates nextRID.  If it
fails, it re-reads nextRid, and if unchanged adds 1 to the RID, and
tries again.

While this generates a lot of DNs, I think it gives us a unique way to
allocate these...  (Which is much better than the racy stuff we have

It's also a relitivly simple scheme, so we have a fighting chance that
external LDAP admin tools might use this too, when adding Samba


Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list