Wrong usage of lp_idmap_backend() value?

Stefan (metze) Metzmacher metze at metzemix.de
Thu Jul 3 05:45:21 GMT 2003


At 05:34 03.07.2003 +0000, Jeremy Allison wrote:
>On Thu, Jul 03, 2003 at 07:31:16AM +0200, Stefan (metze) Metzmacher wrote:
> > At 18:09 02.07.2003 +0000, Jeremy Allison wrote:
> > >On Wed, Jul 02, 2003 at 07:16:30PM +0300, Alexander Bokovoy wrote:
> > > > Greetings!
> > > >
> > > > In smbd/server.c we are supposed to use value of 'idmap backend' option to
> > > > initialize idmap but code logic is different: it decides to override
> > > > everything in 'idmap backend' by 'winbind' unless 'idmap backend' is empty
> > > > in which case we supply NULL as argument to idmap_init().
> > >
> > >It's on purpose. smbd should only talk to winbindd as a
> > >remote backend. winbindd can talk to the configured backends.
> >
> > This is very bad!
> >
> > I think it has to be possible to use
> > passdb backend = ldapsam
> > idmap backend = ldap
> >
> > without using winbind!!!
> > (I'm using nss_ldap)
>
>The problem with this is it causes many smbd connections to
>ldap and has been reported to overload ldap servers. Funnelling
>everything via winbindd prevents this problem.

Ok, this is a problem...

I think we should let pdb_ldap and idmap_ldap
register an idle event that closes an idle connection.
(time out 60 sec should be ok here)
because these connections are not often used
because normal idmap lookups should be handled by the local tdb...

and pdb_ldap is only used on connection startup
and on using something like usrmgr.exe
and the connection is only used for a few mins.

I think the following should be possible

idmap backend = ldap:ldaps://ldapserver.domain
(means smbd directly uses ldap as remote backend
and winbind also uses ldap as remote backend)

and
idmap backend = winbind:ldap:ldaps://ldapserver.domain
(means smbd uses winbind as remote backend
and winbind uses ldap as remote backend
so smbd uses winbind as proxy for the ldap remote idmap backend)



metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <metze at metzemix.de> 
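
The two `idmap backend` forms proposed in the message above, resolved per daemon. This is an added example, not Samba code and not part of the original post; `resolve_idmap_backend`, `split_backend`, `struct idmap_choice` and `enum role` are hypothetical names, and rejecting a bare `winbind` value for winbindd is an assumption of the example.

```c
#include <string.h>

enum role { ROLE_SMBD, ROLE_WINBINDD };

/* Result of resolving the proposed 'idmap backend' value for one daemon. */
struct idmap_choice {
    char module[32];   /* "winbind", "ldap", ...; empty = no remote backend */
    char param[256];   /* text after "module:", e.g. an ldaps:// URL */
};

/* Hypothetical helper: split "module[:param]" at the first ':'. */
static int split_backend(const char *v, struct idmap_choice *out)
{
    const char *colon = strchr(v, ':');
    size_t mlen = colon ? (size_t)(colon - v) : strlen(v);
    const char *p = colon ? colon + 1 : "";

    if (mlen == 0 || mlen >= sizeof(out->module) || strlen(p) >= sizeof(out->param))
        return -1;                 /* reject empty or oversized fields */
    memcpy(out->module, v, mlen);
    out->module[mlen] = '\0';
    strcpy(out->param, p);         /* length checked above */
    return 0;
}

/* "ldap:URL"         -> smbd and winbindd both talk to ldap directly
 * "winbind:ldap:URL" -> smbd talks to winbind, winbindd talks to ldap
 * Returns 0 on success, -1 on a malformed value. */
int resolve_idmap_backend(const char *value, enum role r, struct idmap_choice *out)
{
    char inner[256];

    memset(out, 0, sizeof(*out));
    if (value == NULL || *value == '\0')
        return 0;                  /* unset: no remote backend */
    if (split_backend(value, out) != 0)
        return -1;
    if (strcmp(out->module, "winbind") != 0)
        return 0;                  /* direct backend, same for both daemons */
    if (r == ROLE_SMBD) {
        out->param[0] = '\0';      /* smbd only needs to know "ask winbind" */
        return 0;
    }
    if (out->param[0] == '\0')
        return -1;                 /* assumption: winbindd needs an inner backend */
    strcpy(inner, out->param);     /* copy so the inner split cannot alias out */
    return split_backend(inner, out);
}
```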



