LDAP PDB and IDMAP design and implementation

Andrew Bartlett abartlet at samba.org
Wed Jun 18 11:01:42 GMT 2003

On Wed, 2003-06-18 at 20:39, Ronny Bremer wrote:
> >In particular, it seems rather limited in what it can do - we seem
> >unable to modify an existing mapping, and we do not pay correct
> >attention to existing entries in LDAP when we do!
> We also need to think about people with an already deployed LDAP
> directory to add Samba to it. In that case, UIDs might already exist,
> as they are used for Linux/Unix access of those DNs, so the required
> posixAccount attributes are filled.

This is the primary motivation for my proposal.

> >  - All new user entries are added under the 'ldap user suffix'
> >  - All new machine entries are added under the 'ldap machine suffix'
> >  and so for groups, idmap and machines.
> Maybe we should also provide a way to restrict Samba from adding to the
> LDAP store. Some LDAP administrators are worried about adding accounts
> through Samba, as there is no way to place them correctly into the LDAP
> tree. They can, of course, move the user afterwards, but in many cases
> they like to control who goes where in the first place.
> >  - Allow modification of idmap entries
> I need to do more research here.

The tricky bit is doing this atomically - particularly when the old
entry was on an 'idmap only' entry, and the new one is on a user's
existing DN.

> >  - Wherever possible, annotate existing DNs when adding idmap entries,
> >rather than adding new entries under the 'idmap suffix'.
> This seems to conflict with your suggestion of using the Domain SID as
> the CN (see below).
> Usually, users are created in LDAP with their "login id" as the cn, so
> it gets mapped to "uid" for Unix/Linux login purposes. There are
> differences, however. Many ADS administrators use the full user name as
> the CN, so it shows up in their User/Group Management tool in a more
> descriptive way.
> If you want to modify existing entries (which I would strongly suggest,
> in order to remove redundancy and also to be compliant with existing
> LDAP tree designs) we should not count on being able to use the SID as a
> CN.

I'm intending that this only be used for SIDs that we cannot find an
existing DN to map onto.

> Just my 2 cents.

Thank you very much for your comments,

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
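As an added example that is not part of Andrew's message or of Samba's own code, the Python below models the mapping policy sketched in this exchange: reuse a mapping that already exists, annotate the user's existing DN where one can be found, and only fall back to a cn=<SID> entry under the idmap suffix when no such DN exists. It also shows why moving a mapping from an idmap-only entry onto a user's DN is not atomic: two LDAP operations are needed, and the order chosen here leaves the SID briefly mapped twice rather than briefly unmapped. A plain dict stands in for the LDAP server; the attribute and objectClass names (sambaSID, uidNumber, sambaIdmapEntry, posixAccount) are assumed from the Samba 3 schema, and the suffixes, uid range, DNs and SIDs are constructed for the example.

```python
# Added example, not Samba code: an in-memory model of the SID -> uid mapping
# policy discussed above. Attribute and objectClass names are assumed from the
# Samba 3 schema; suffixes, the uid range and the SIDs are constructed.

IDMAP_SUFFIX = "ou=idmap,dc=example,dc=com"  # assumed 'ldap idmap suffix'
UID_RANGE = range(10000, 20000)               # assumed allocation range


def ldap_search(directory, attr, value):
    """DNs whose attribute contains value; directory is {dn: {attr: [values]}}."""
    return [dn for dn, a in directory.items() if value in a.get(attr, [])]


def ldap_modify_add(directory, dn, attr, value):
    """LDAP 'add' modification on one attribute of an existing entry."""
    values = directory[dn].setdefault(attr, [])
    if value not in values:
        values.append(value)


def find_mapping(directory, sid):
    """(dn, uid) of an existing mapping, on a user DN or an idmap-only entry."""
    for dn in ldap_search(directory, "sambaSID", sid):
        uids = directory[dn].get("uidNumber")
        if uids:
            return dn, int(uids[0])
    return None


def allocate_uid(directory):
    """Lowest free uid, counting every entry, not just ones Samba created."""
    used = {int(v) for a in directory.values() for v in a.get("uidNumber", [])}
    for uid in UID_RANGE:
        if uid not in used:
            return uid
    raise RuntimeError("uid range exhausted")


def map_sid(directory, sid, username=None):
    """1. reuse an existing mapping; 2. annotate the user's own posixAccount DN
    if there is one; 3. otherwise create cn=<SID> under the idmap suffix."""
    found = find_mapping(directory, sid)
    if found:
        return found
    if username:
        for dn in ldap_search(directory, "uid", username):
            if "posixAccount" in directory[dn]["objectClass"]:
                ldap_modify_add(directory, dn, "objectClass", "sambaIdmapEntry")
                ldap_modify_add(directory, dn, "sambaSID", sid)
                return dn, int(directory[dn]["uidNumber"][0])
    uid = allocate_uid(directory)
    dn = f"cn={sid},{IDMAP_SUFFIX}"
    directory[dn] = {"objectClass": ["sambaIdmapEntry"],
                     "sambaSID": [sid], "uidNumber": [str(uid)]}
    return dn, uid


def remap_to_user_dn(directory, sid, user_dn):
    """Move a mapping from an idmap-only entry onto the user's DN. Two LDAP
    operations, so not atomic: annotate first and delete second, so a concurrent
    lookup sees the SID mapped twice (to one uid) rather than not at all."""
    found = find_mapping(directory, sid)
    if found is None:
        raise KeyError(f"{sid} is not mapped")
    old_dn, uid = found
    current = directory[user_dn].get("uidNumber", [])
    if current and int(current[0]) != uid:
        # silently changing the uid would orphan files owned by the old one
        raise ValueError(f"{user_dn} already has uidNumber {current[0]}")
    ldap_modify_add(directory, user_dn, "objectClass", "sambaIdmapEntry")
    ldap_modify_add(directory, user_dn, "sambaSID", sid)
    ldap_modify_add(directory, user_dn, "uidNumber", str(uid))
    del directory[old_dn]
    return user_dn, uid


def demo():
    """Constructed directory: a posixAccount Samba did not create, an
    idmap-only entry, and a person entry with no uidNumber yet."""
    d = {
        "uid=jane,ou=people,dc=example,dc=com": {
            "objectClass": ["inetOrgPerson", "posixAccount"],
            "uid": ["jane"], "uidNumber": ["10000"]},
        "cn=bob,ou=people,dc=example,dc=com": {
            "objectClass": ["inetOrgPerson"], "uid": ["bob"]},
        f"cn=S-1-5-21-1-2-3-1105,{IDMAP_SUFFIX}": {
            "objectClass": ["sambaIdmapEntry"],
            "sambaSID": ["S-1-5-21-1-2-3-1105"], "uidNumber": ["10001"]},
    }
    jane = map_sid(d, "S-1-5-21-1-2-3-1104", "jane")  # annotates jane's DN
    fresh = map_sid(d, "S-1-5-21-1-2-3-1106")          # new entry, uid 10002
    again = map_sid(d, "S-1-5-21-1-2-3-1106")          # existing mapping reused
    bob = remap_to_user_dn(d, "S-1-5-21-1-2-3-1105",
                           "cn=bob,ou=people,dc=example,dc=com")
    return d, jane, fresh, again, bob
```

Note that allocate_uid scans uidNumber on every entry, not only on entries Samba created, which is the "pay correct attention to existing entries" point: in the constructed directory the fresh SID gets 10002 because 10000 belongs to a pre-existing posixAccount and 10001 to an idmap-only entry. The remap refuses to overwrite a differing uidNumber rather than silently re-owning the user's files; against a real server the same two modifications would have to be issued as separate LDAP requests, which is the atomicity problem the thread raises.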