LDAP PDB and IDMAP design and implementation

Stefan (metze) Metzmacher metze at metzemix.de
Tue Jun 17 12:10:54 GMT 2003

At 22:03 17.06.2003 +1000, Andrew Bartlett wrote:
>I'm a bit concerned about the current behavior of our new LDAP PDB and
>In particular, it seems rather limited in what it can do - we seem
>unable to modify an existing mapping, and we do not pay correct
>attention to existing entries in LDAP when we do!
>Also, we seem to have changed rather drastically the way that all the
>'ldap suffix' parameters behave.
>May I propose this as a new design:
>  - All searches occur under the 'ldap suffix'.
>  - All new user entries are added under the 'ldap user suffix'
>  - All new machine entries are added under the 'ldap machine suffix'
>  and so for groups, idmap and machines.
>This serves the original purpose of the patch, which is to allow
>administrators to keep a 'clean' directory, even when just using samba
>to maintain it.
>Currently we have inconsistent behaviour between Samba's user/machine
>accounts and samba's groups/idmap.
>  - Allow modification of idmap entries
>  - Wherever possible, annotate existing DNs when adding idmap entries,
>rather than adding new entries under the 'idmap suffix'.
>    - This should mean that if the user has a unix account, we put the
>sambaSid on that entry, rather than a new DN.  Things should then work
>quite well if the user gets a sambaSamAccount on that DN later.
>    - Likewise for a sambaSamAccount without a UID yet - it should have
>the uid stored on the same DN, for ease of tracking - this will mean
>that with the easily scripted addition of required unix attributes, the
>entry will be ready for use with nss_ldap (I expect this to be a common
>My worry is that the current code encourages duplication of information,
>as the idmap entries are likely to become duplicates of the data kept on
>their main DN.
>Finally, (and more controversially) I would suggest that we change the
>way the idmap entries are stored in LDAP to use the DOMAIN SID as the DN
>component, not the unix userid.
>Generally in idmap, it is the Domain SID that is the descriptive aspect
>of the entry, and there is a proposal to have such a domain sid map to
>both a unix UID and a unix GID.  Even if this is never taken up, it
>would seem to be better to allow for this change now, rather than
>figuring it out later.
>This would make the DN:

I'm fine with that :-)

Stefan "metze" Metzmacher <metze at metzemix.de> 
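An added illustration of the idmap rules proposed in the quoted message (search the whole 'ldap suffix', annotate an existing DN instead of creating a duplicate, allow an existing mapping to be modified). This is example code written for this page, not Samba's implementation; the suffix values and the use of sambaSID as the RDN of a new idmap entry are assumptions.

```python
# Added example: an in-memory model of the proposed idmap behaviour.
# Not Samba code. The suffix values and the DN layout for new idmap
# entries (sambaSID as RDN under the idmap suffix) are assumptions.

LDAP_SUFFIX = "dc=example,dc=com"              # 'ldap suffix': every search starts here
LDAP_IDMAP_SUFFIX = "ou=Idmap," + LDAP_SUFFIX  # 'ldap idmap suffix': only brand-new entries go here


class Directory:
    """Tiny stand-in for an LDAP server: DN -> dict of single-valued attributes."""

    def __init__(self):
        self.entries = {}

    def search(self, base, attr, value):
        """Subtree search under `base` for entries whose `attr` equals `value`."""
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and e.get(attr) == value]

    def add(self, dn, attrs):
        if dn in self.entries:
            raise KeyError("entry already exists: " + dn)
        self.entries[dn] = dict(attrs)

    def modify(self, dn, attrs):
        self.entries[dn].update(attrs)


def map_uid_to_sid(d, uid, sid):
    """Record the mapping uid <-> sid following the proposed rules; returns the DN used."""
    # 1. An existing mapping for this SID (e.g. a sambaSamAccount that had no
    #    uid yet) is modified in place: the uid lands on the same DN.
    existing = d.search(LDAP_SUFFIX, "sambaSID", sid)
    if existing:
        d.modify(existing[0], {"uidNumber": uid})
        return existing[0]
    # 2. If a unix account with this uid already lives anywhere under the
    #    suffix, annotate that DN with the SID rather than creating a second entry.
    unix_hits = d.search(LDAP_SUFFIX, "uidNumber", uid)
    if unix_hits:
        d.modify(unix_hits[0], {"sambaSID": sid})
        return unix_hits[0]
    # 3. Nothing to annotate: create a new entry under the idmap suffix.
    #    Assumption: the SID is the RDN, as it is the descriptive attribute.
    dn = "sambaSID=%s,%s" % (sid, LDAP_IDMAP_SUFFIX)
    d.add(dn, {"uidNumber": uid, "sambaSID": sid})
    return dn
```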
