Wrong usage of lp_idmap_backend() value?
Andrew Bartlett
abartlet at samba.org
Thu Jul 3 08:01:40 GMT 2003
On Thu, 2003-07-03 at 17:49, Simo Sorce wrote:
> On Thu, 2003-07-03 at 07:45, Stefan (metze) Metzmacher wrote:
> > At 05:34 03.07.2003 +0000, Jeremy Allison wrote:
> > >On Thu, Jul 03, 2003 at 07:31:16AM +0200, Stefan (metze) Metzmacher wrote:
> > > > At 18:09 02.07.2003 +0000, Jeremy Allison wrote:
> > > > >On Wed, Jul 02, 2003 at 07:16:30PM +0300, Alexander Bokovoy wrote:
> > > > > > Greetings!
> > > > > >
> > > > > > In smbd/server.c we are supposed to use the value of the 'idmap backend'
> > > > > > option to initialize idmap, but the code logic is different: it decides to
> > > > > > override everything in 'idmap backend' with 'winbind' unless 'idmap backend'
> > > > > > is empty, in which case we supply NULL as the argument to idmap_init().
> > > > >
> > > > >It's on purpose. smbd should only talk to winbindd as a
> > > > >remote backend. winbindd can talk to the configured backends.
> > > >
> > > > This is very bad!
> > > >
> > > > I think it has to be possible to use
> > > > passdb backend = ldapsam
> > > > idmap backend = ldap
> > > >
> > > > without using winbind!!!
> > > > (I'm using nss_ldap)
> > >
> > >The problem with this is it causes many smbd connections to
> > >ldap and has been reported to overload ldap servers. Funnelling
> > >everything via winbindd prevents this problem.
> >
> > Ok, this is a problem...
>
> Well sorry, but, first of all, you're on the wrong route.
> Running winbind doesn't necessarily mean you need to run nss_winbind or
> pam_winbind, or use only them.
> You may continue to use nss_ldap or even nss_ldap+nss_winbind, I think.
>
> > I think we should let pdb_ldap and idmap_ldap
> > register an idle event that closes an idle connection.
> > (a timeout of 60 sec should be OK here)
>
> NO, it may add too big delays in smbd code imho, and really makes no
> sense; winbind can maintain a single connection and answer all the
> queries from smbd effectively. Think of winbindd as a proxy.
This is a different matter - having an idle event for pdb_ldap is sane.
I'm not sure it should be 60 secs, but certainly we should do it after 5
mins or the like.
> > because these connections are not often used,
> > because normal idmap lookups should be handled by the local tdb...
>
> yes, most mapping will be dealt locally.
>
> > and pdb_ldap is only used on connection startup
> > and on using something like usrmgr.exe,
> > and the connection is only used for a few mins.
> >
> > I think the following should be possible
> >
> > idmap backend = ldap:ldaps://ldapserver.domain
> > (means smbd directly uses ldap as the remote backend
> > and winbind also uses ldap as the remote backend)
> >
> > and
> > idmap backend = winbind:ldap:ldaps://ldapserver.domain
> > (means smbd uses winbind as the remote backend
> > and winbind uses ldap as the remote backend,
> > so smbd uses winbind as a proxy for the ldap remote idmap backend)
>
> NO, this makes the code a mess and it is really a waste of time.
>
> I really think that making winbind the ldap proxy is the right way to
> go, even for pdb_ldap.
I'm not sure on this. I think that making winbind do everything just
serialises the entire server - and that just kills performance.
IDMAP is a different beast in this regard, due to the way it's mostly
read, and has a tdb cache.
> And also I do not understand why you should specify ldap parameters
> twice, once for pdb and once for idmap.
>
> You cannot use 2 different ldap servers for them.
>
> I think we really should merge the pdb_ldap and idmap_ldap code so that they
> use the same parameters (except for the idmap base dn perhaps), and make all
> queries go through winbindd.
The problem is that we want to run idmap_ldap without pdb_ldap (for
winbind distributed IDMAP).
But yes - we need a way to make this foolproof.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
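The two mechanisms argued over in this thread (a local cache that answers most idmap lookups, and an idle event that closes an unused remote backend connection after a few minutes instead of every smbd holding one open) can be modelled in a few lines. The following is an added illustration, not Samba code: the LDAP backend, the SIDs, the uid values, the 300 second timeout and the fake clock are all constructed for the example.

```python
# Added example (not Samba code): a toy idmap layer with a local cache in
# front of a remote backend whose connection is closed by an idle event.
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 300.0  # seconds; "5 mins or the like", per the thread


class FakeLdapBackend:
    """Stand-in for a remote LDAP idmap store (constructed); counts connection churn."""

    def __init__(self, table: Dict[str, int]) -> None:
        self.table, self.connected, self.opens, self.closes = table, False, 0, 0

    def connect(self) -> None:
        self.opens += 1
        self.connected = True

    def close(self) -> None:
        self.closes += 1
        self.connected = False

    def lookup(self, sid: str) -> Optional[int]:
        if not self.connected:
            raise RuntimeError("lookup on a closed connection")
        return self.table.get(sid)


class CachedIdmap:
    """Cache-first SID->uid mapping; the remote backend is only asked on a miss."""

    def __init__(self, backend: FakeLdapBackend,
                 clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT) -> None:
        self.backend, self.clock, self.idle_timeout = backend, clock, idle_timeout
        self.cache: Dict[str, int] = {}
        self.last_remote_use: Optional[float] = None

    def sid_to_uid(self, sid: str) -> Optional[int]:
        uid = self.cache.get(sid)
        if uid is not None:
            return uid
        if not self.backend.connected:   # miss: open the connection lazily
            self.backend.connect()
        self.last_remote_use = self.clock()
        uid = self.backend.lookup(sid)
        if uid is not None:
            self.cache[sid] = uid        # only positive answers are cached
        return uid

    def idle_event(self) -> bool:
        """Periodic housekeeping hook; True when it closed an idle connection."""
        if not self.backend.connected or self.last_remote_use is None:
            return False
        if self.clock() - self.last_remote_use < self.idle_timeout:
            return False
        self.backend.close()
        return True


class FakeClock:
    """Controllable clock so the idle timeout can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_demo() -> Dict[str, object]:
    """One miss, many cache hits, an idle close, then a reconnect on the next miss."""
    clock = FakeClock()
    backend = FakeLdapBackend({"S-1-5-21-1-2-3-1000": 10000,   # constructed mappings
                               "S-1-5-21-1-2-3-1001": 10001})
    idmap = CachedIdmap(backend, clock=clock)
    first = idmap.sid_to_uid("S-1-5-21-1-2-3-1000")    # miss: connects
    for _ in range(50):
        idmap.sid_to_uid("S-1-5-21-1-2-3-1000")        # hits: no remote traffic
    clock.advance(60)
    closed_early = idmap.idle_event()                   # 60 s idle: kept open
    clock.advance(300)
    closed_late = idmap.idle_event()                    # 360 s idle: closed
    second = idmap.sid_to_uid("S-1-5-21-1-2-3-1001")   # miss: reconnects
    return {"first": first, "second": second, "closed_early": closed_early,
            "closed_late": closed_late, "opens": backend.opens,
            "closes": backend.closes, "cached": len(idmap.cache)}


if __name__ == "__main__":
    print(run_demo())
```

The point the numbers make is the one Simo and metze agree on: fifty repeated lookups cost no remote traffic at all, and the remote connection is opened twice and closed once over the whole run, because the idle event only fires once the connection has been unused for the full timeout. Whether that connection lives in each smbd or in a single winbindd proxy is the part of the design the thread leaves open.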