Commit my stuff to 3.0?

Simo Sorce simo.sorce at xsec.it
Sun Oct 13 13:21:00 GMT 2002 

On Sun, 2002-10-13 at 14:58, Andrew Bartlett wrote:
> Simo Sorce wrote:
> > Isn't idmap the right place to go?
> 
> I think so.  And I think we can construct one that makes sense for
> admins.  For example, we could contstruct an LDAP based one that uses
> the uidNumber on the user's LDAP record.  

I would only ask you to take in account we must have a generalized way
to do it that does not rely on ldap, but can use different methods.

> We might end up doing this via the passdb interface (despite the fact I
> was really hoping to move unix stuff out of there) becouse I found the
> performance issues surrounding the current stuff to be problematic.  :-(

can you explain, this phrasing is criptic to me.

> Whatever we do, uid->sid and sid->uid needs to be a single lookup. 

you mean we have to be sure we do a single query to idmap? or something
else?

> idra:  you proposed (and even added) these to the passdb API a little
> while back.  Do you think that's still a viable solution?  If we
> implement the 'ldap trust uids' thing (stops Get_Pwnam() inside ldap)
> then this would certainly scale much better than existing code.

Well as I said before we should make a generalized api, and not to be
forced to use ldap.

About trusting the storage I see no problems, in the case of ldap you
may use it as idmap storage and implicitly trust it. But user account
lookup is a minor issue imho, I do not mind if 2 calls are made (one to
retrieve the account and one to retrieve the mapping), if you can
optimize, then better for you.
What we stress idmap with is really file system acces check and ACL
handling, so it need to be *fast* (and I'm not sure ldap is the right
place for that in this regard).

I would like to use an internal tdb to do that, the fact that the api
currently have the uid->sid dis->uid call is because at time we had
alghorithmic rid mapping and in the move towards free sid mapping it was
an easy place to do so (and make you easy to "optimize" things with
ldap). However in case of ldap, I would like to see a different approach
for speed, I woul like to see a way to use the tdb to read mappings, and
a slow path in case we set a new mapping and have ldap, in this case we
may set the map in ldap, and then cache it again in tdb to handle
retrievals, so that only writes are slow.

But to use ldap as a central storage you have to solve how to handle
foreign or builtin/special SIDs!

Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20021013/349fade5/attachment.bin

More information about the samba-technical mailing list