Wrong usage of lp_idmap_backend() value?
Stefan (metze) Metzmacher
metze at metzemix.de
Thu Jul 3 08:10:28 GMT 2003
At 09:49 03.07.2003 +0200, Simo Sorce wrote:
>On Thu, 2003-07-03 at 07:45, Stefan (metze) Metzmacher wrote:
> > At 05:34 03.07.2003 +0000, Jeremy Allison wrote:
> > >On Thu, Jul 03, 2003 at 07:31:16AM +0200, Stefan (metze) Metzmacher wrote:
> > > > At 18:09 02.07.2003 +0000, Jeremy Allison wrote:
> > > > >On Wed, Jul 02, 2003 at 07:16:30PM +0300, Alexander Bokovoy wrote:
> > > > > > Greetings!
> > > > > >
> > > > > > In smbd/server.c we are supposed to use value of 'idmap backend'
> > > option to
> > > > > > initialize idmap but code logic is different: it decides to
> > > > > > everything in 'idmap backend' by 'winbind' unless 'idmap backend'
> > > is empty
> > > > > > in which case we supply NULL as argument to idmap_init().
> > > > >
> > > > >It's on purpose. smbd should only talk to winbindd as a
> > > > >remote backend. winbindd can talk to the configured backends.
> > > >
> > > > This is very bad!
> > > >
> > > > I think it have to be possible to use
> > > > passdb backend = ldapsam
> > > > idmap backend = ldap
> > > >
> > > > without using winbind!!!
> > > > (I'm using nss_ldap)
> > >
> > >The problem with this is it causes many smbd connections to
> > >ldap and has been reported to overload ldap servers. Funelling
> > >everything via winbindd prevents this problem.
> > Ok, this is a problem...
>Well sorry, but, first of all, you're on the wrong route.
>Running winbind doesn't mean you need necessarily to run nss_winbind or
>pam_winbindd, or use only them.
>You may continue to use nss_ldap or even nss_ldap+nss_winbind i think.
> > I think we should let pdb_ldap and idmap_ldap
> > register an idle event that close an idle connection.
> > (time out 60 sec should ok here)
>NO, it may add too big delays in smbd code imho, and really makes no
>sense, winbind can maintain a single connection and answer all the
>queries from smbd effectiely, think at winbindd as a proxy.
for winbind we didn't need it
but for smbd
> > because this connections are not often used
> > because normal idmap lookups should be handle by the local tdb...
>yes, most mapping will be dealt locally.
> > and pdb_ldap is only used on connection startup
> > and on using something like usrmgr.exe
> > and the connection is only used for a view mins.
> > I think the following should be possible
> > idmap backend = ldap:ldaps://ldapserver.domain
> > (means smbd directly used ldap as remote backend
> > and winbind used also ldap as remote backend)
> > and
> > idmap backend = winbind:ldap:ldaps://ldapserver.domain
> > (means smbd used winbind as remote backend
> > and winbind uses ldap as remote backend
> > so smbd uses winbind as proxy for the ldap remote idmap backend)
>NO, this makes the code a mess and it is really a waste of time.
>I really think that makind winbind the ldap proxy is the right way to
>go, even for pdb_ldap.
I think winbind idmap should be our local idmap then...
I'm not sure for pdb_ldap here...
>And also I do not understand why you should specify ldap parameters
>twice, once for pdb and once for idmap.
>You cannot use 2 different ldap servee for them.
yep, I would love to have
'ldap server = ldaps://server.domain/'
as parameter for this again...
and not ldapsam:ldaps://server.domain
>I think we really should merge pdb_ldap and idmap_ldap code so that they
>use the same parameters (except for idamp base dn perhaps), and make all
>queries go through winbindd.
I think we should think about multithreading winbindd then...
Stefan "metze" Metzmacher <metze at metzemix.de>
More information about the samba-technical