[PATCH] LDAP cleanup.

Ronny Bremer rbremer at future-gate.com
Thu Jul 3 10:47:32 GMT 2003


Good stuff, I will check it out tomorrow.

Ronny


>>> Andrew Bartlett <abartlet at samba.org> 03.07.2003 12:39:24 >>>
This patch cleans up some of our ldap code, for better behaviour:

We now always read the Domain SID out of LDAP.  If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP.  We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap).

We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available.  This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added.  Where we cannot use an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.

The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'.  This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.

On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.

We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate.  Instead, we just start at the bottom
of the range, and increment again if the user already exists.  The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au 
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org 
Student Network Administrator, Hawker College   abartlet at hawkerc.net 
http://samba.org     http://build.samba.org     http://hawkerc.net
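Added toy model of the behaviour the quoted patch description lists (LDAP as the authoritative Domain SID source, the stored rid-base assertion, DN reuse for idmap entries, and bottom-up RID allocation); this is illustrative code written for this archive page, not Samba's own. It assumes an in-memory dict in place of LDAP, constructed sample entries, an allocated range starting at 1000, and hypothetical function names.

```python
"""Toy model of the LDAP/idmap behaviour described above (not Samba code).

A dict stands in for the LDAP server. Attribute names follow the Samba LDAP
schema (sambaSID, uidNumber, sambaAlgorithmicRidBase); everything else,
including the range bounds and the sample entries, is constructed here.
"""
DOMAIN_SID = "S-1-5-21-111-222-333"       # constructed sample domain SID
ALLOC_RID_BOTTOM = 1000                   # assumed bottom of the allocated range
IDMAP_BASE = "ou=Idmap,dc=example,dc=com"  # constructed suffix for new entries

class Directory:
    """Minimal stand-in for the LDAP server plus the domain entry's attributes."""
    def __init__(self, entries):
        self.entries = entries                   # DN -> attribute dict
        self.domain = {"sambaSID": DOMAIN_SID}   # the sambaDomain entry
        self.next_rid_hint = ALLOC_RID_BOTTOM    # persisted, so later runs are fast

    def sids_in_use(self):
        return {e["sambaSID"] for e in self.entries.values() if "sambaSID" in e}

def build_sample_directory():
    """Constructed data: one account with a SID, one posixAccount without, one idmap entry."""
    return Directory({
        "uid=alice,ou=People,dc=example,dc=com": {"uidNumber": "500", "sambaSID": f"{DOMAIN_SID}-1000"},
        "uid=bob,ou=People,dc=example,dc=com": {"uidNumber": "501"},
        f"sambaSid={DOMAIN_SID}-1001,{IDMAP_BASE}": {"sambaSID": f"{DOMAIN_SID}-1001"},
    })

def sync_domain_sid(d, secrets):
    """LDAP wins: a differing local secrets value is overwritten from LDAP."""
    secrets["domain_sid"] = d.domain["sambaSID"]
    return secrets["domain_sid"]

def check_algorithmic_rid_base(d, local_base):
    """Record the base in LDAP on first run; refuse to continue if it later differs."""
    stored = d.domain.setdefault("sambaAlgorithmicRidBase", str(local_base))
    if int(stored) != local_base:
        raise AssertionError(f"algorithmic rid base changed: LDAP {stored}, local {local_base}")
    return local_base

def idmap_dn_for(d, uid_number, sid):
    """Reuse the DN of an existing entry for this uid; otherwise build a sambaSid= DN."""
    for dn, attrs in d.entries.items():
        if attrs.get("uidNumber") == str(uid_number):
            return dn
    return f"sambaSid={sid},{IDMAP_BASE}"

def allocate_rid(d, rid_base):
    """Start at the bottom of the allocated range and step past RIDs already in use."""
    in_use = d.sids_in_use()
    rid = d.next_rid_hint
    while rid < rid_base:               # allocated RIDs sit below the algorithmic base
        if f"{DOMAIN_SID}-{rid}" not in in_use:
            d.next_rid_hint = rid + 1   # next run starts here instead of rescanning
            return rid
        rid += 1
    raise RuntimeError("allocated RID range exhausted")
```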



More information about the samba-technical mailing list