LDAP PDB and IDMAP design and implementation

Andrew Bartlett abartlet at samba.org
Tue Jun 17 12:03:52 GMT 2003

I'm a bit concerned about the current behavior of our new LDAP PDB and

In particular, it seems rather limited in what it can do - we seem
unable to modify an existing mapping, and we do not pay correct
attention to existing entries in LDAP when we do!

Also, we seem to have changed rather drastically the way that all the
'ldap suffix' parameters behave.

May I propose this as a new design:

 - All searches occur under the 'ldap suffix'.

 - All new user entries are added under the 'ldap user suffix'
 - All new machine entries are added under the 'ldap machine suffix'
 and so for groups, idmap and machines.

This serves the original purpose of the patch, which is to allow
administrators to keep a 'clean' directory, even when just using samba
to maintain it.

Currently we have inconsistent behaviour between Samba's user/machine
accounts and samba's groups/idmap.

 - Allow modification of idmap entries
 - Wherever possible, annotate existing DNs when adding idmap entries,
rather than adding new entries under the 'idmap suffix'.
   - This should mean that if the user has a unix account, we put the
sambaSid on that entry, rather than a new DN.  Things should then work
quite well if the user gets a sambaSamAccount on that DN later.
   - Likewise for a sambaSamAccount without a UID yet - it should have
the uid stored on the same DN, for ease of tracking - this will mean
that with the easily scripted addition of required unix attributes, the
entry will be ready for use with nss_ldap (I expect this to be a common

My worry is that the current code encourages duplication of information,
as the idmap entries are likely to become duplicates of the data kept on
their main DN.

Finally, (and more controversially) I would suggest that we change the
way the idmap entries are stored in LDAP to use the DOMAIN SID as the DN
component, not the unix userid.

Generally in idmap, it is the Domain SID that is the descriptive aspect
of the entry, and there is a proposal to have such a domain sid map to
both a unix UID and a unix GID.  Even if this is never taken up, it
would seem to be better to allow for this change now, rather than
figuring it out later.

This would make the DN:


Andrew Bartlett
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
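As an added illustration of the allocation logic proposed in the message above (an editor's example, not Samba's own pdb_ldap or idmap_ldap code): every lookup is a subtree search from the 'ldap suffix', an existing posixAccount or sambaSamAccount DN is annotated with the missing sambaSID or uidNumber instead of a second DN being created, an existing mapping can be modified, and only when nothing exists is a fresh entry added under the idmap suffix. A plain dict of DN to attributes stands in for the LDAP server, the sample entries are constructed, and the DN form used for a brand-new idmap entry, sambaSID=<SID>,<idmap suffix>, is an assumption made here since the message leaves the DN unstated. Attribute and objectClass names follow the Samba 3 LDAP schema (sambaSID, sambaSamAccount, sambaIdmapEntry, uidNumber).

```python
# Editor's example of the proposed idmap behaviour; not Samba code.
# A dict of DN -> {attribute: [values]} stands in for the LDAP server.
import copy

LDAP_SUFFIX = "dc=example,dc=com"            # 'ldap suffix': every search starts here
IDMAP_SUFFIX = "ou=Idmap,dc=example,dc=com"  # 'ldap idmap suffix': new adds only

# Constructed sample directory: alice is a unix account with no SID yet,
# bob is a sambaSamAccount with no unix uid yet.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["posixAccount"],
        "uidNumber": ["1001"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["sambaSamAccount"],
        "sambaSID": ["S-1-5-21-1-2-3-1002"],
    },
}


def fresh_directory():
    """Deep copy of the sample data; map_sid_to_uid mutates what it is given."""
    return copy.deepcopy(SAMPLE_DIRECTORY)


def _under(dn, suffix):
    """True when dn lies in the subtree rooted at suffix (compared case-insensitively)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


def search(directory, suffix, attr, value):
    """DNs under suffix whose attribute holds value: the subtree search that
    would be issued against the 'ldap suffix'."""
    return [dn for dn, attrs in directory.items()
            if _under(dn, suffix) and value in attrs.get(attr, [])]


def _add_idmap_class(attrs):
    """sambaIdmapEntry is AUXILIARY, so it can be stacked on an existing entry
    to carry sambaSID plus uidNumber/gidNumber without a second DN."""
    if "sambaIdmapEntry" not in attrs["objectClass"]:
        attrs["objectClass"].append("sambaIdmapEntry")


def map_sid_to_uid(directory, sid, uid, suffix=LDAP_SUFFIX, idmap_suffix=IDMAP_SUFFIX):
    """Record sid <-> uid, annotating an existing DN whenever one exists.

    Returns (dn, action) with action in {"unchanged", "annotated", "modified", "added"}.
    Raises ValueError when the uid is already bound to a different SID.
    """
    uid = str(uid)
    by_sid = search(directory, suffix, "sambaSID", sid)
    by_uid = search(directory, suffix, "uidNumber", uid)

    if by_sid:
        # The SID already lives on some DN (e.g. a sambaSamAccount): store or
        # change the uid on that DN rather than duplicating it elsewhere.
        dn = by_sid[0]
        attrs = directory[dn]
        if attrs.get("uidNumber") == [uid]:
            return dn, "unchanged"
        clash = [d for d in by_uid if d != dn]
        if clash:
            raise ValueError("uid %s already belongs to %s" % (uid, clash[0]))
        action = "modified" if "uidNumber" in attrs else "annotated"
        attrs["uidNumber"] = [uid]
        _add_idmap_class(attrs)
        return dn, action

    if by_uid:
        # A unix account with this uid exists: put the SID on it, so a later
        # sambaSamAccount on the same DN finds the mapping already in place.
        dn = by_uid[0]
        attrs = directory[dn]
        if "sambaSID" in attrs:
            raise ValueError("uid %s is already mapped to %s" % (uid, attrs["sambaSID"][0]))
        attrs["sambaSID"] = [sid]
        _add_idmap_class(attrs)
        return dn, "annotated"

    # Nothing to annotate: only now add a new entry, and only under the idmap
    # suffix, keyed by the SID (assumed DN form, see the lead-in).
    dn = "sambaSID=%s,%s" % (sid, idmap_suffix)
    directory[dn] = {
        "objectClass": ["sambaIdmapEntry"],
        "sambaSID": [sid],
        "uidNumber": [uid],
    }
    return dn, "added"


if __name__ == "__main__":
    d = fresh_directory()
    for sid, uid in [("S-1-5-21-1-2-3-1001", 1001),
                     ("S-1-5-21-1-2-3-1002", 1002),
                     ("S-1-5-21-1-2-3-5000", 5000)]:
        print(map_sid_to_uid(d, sid, uid))
```

Running the block maps alice's and bob's SIDs onto their existing DNs and creates only one entry under ou=Idmap, for the SID that matches nothing; a second call for a uid that is already bound to another SID is refused rather than silently producing a duplicate mapping, which is the "pay attention to existing entries" point of the message.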