LDAP PDB and IDMAP design and implementation
Andrew Bartlett
abartlet at samba.org
Wed Jun 18 11:01:42 GMT 2003
On Wed, 2003-06-18 at 20:39, Ronny Bremer wrote:
> >In particular, it seems rather limited in what it can do - we seem
> >unable to modify an existing mapping, and we do not pay correct
> >attention to existing entries in LDAP when we do!
>
> We also need to think about people with an already deployed LDAP
> directory to add Samba to it. In that case, UIDs might already exist,
> as they are used for Linux/Unix access of those DNs, so the required
> posixAccount attributes are filled.
This is my primary motivation for my proposal.
> > - All new user entries are added under the 'ldap user suffix'
> > - All new machine entries are added under the 'ldap machine suffix'
> > and so for groups, idmap and machines.
>
> Maybe we should also provide a way to restrict Samba from adding to the
> LDAP store. Some LDAP administrators are worried about adding account
> through Samba, as there is no way to place them correctly into the LDAP
> tree. They can, of course, move the user afterwards, but in many cases
> they like to control who goes where in the first place.
>
> > - Allow modification of idmap entries
>
> I need to do more research here.
The tricky bit is doing this atomically - particularly when the old
entry was on an 'idmap only' entry, and the new one is on a user's
existing DN.
> > - Wherever possible, annotate existing DNs when adding idmap entries,
> > rather than adding new entries under the 'idmap suffix'.
>
> This seems to conflict with your suggestion of using the Domain SID as
> the CN (see below).
> Usually, users are created in LDAP with their "login id" as the cn, so
> it gets mapped to "uid" for Unix/Linux login purposes. There are
> differences, however. Many ADS administrators use the Full user Name as
> the CN, so it shows up in their User/Group Management tool in a more
> descriptive way.
>
> If you wanna modify existing entries (which I would strongly suggest,
> in order to remove redundancy and also to be compliant with existing
> LDAP tree designs) we should not count on being able to use the SID as a
> CN.
I'm intending that this only be used for SIDs that we cannot find an
existing DN to map onto.
> Just my 2 cents.
Thank you very much for your comments,
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
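As an added example (not code from this thread or from Samba), the decision procedure the two of them are converging on: refuse a mapping that collides with an existing entry, annotate an existing DN that already carries the uidNumber instead of duplicating it, and only fall back to a cn=SID entry under the idmap suffix when no DN exists. It assumes the Samba 3 schema names sambaSidEntry, sambaIdmapEntry and sambaSID, an ou=Idmap suffix, and a constructed in-memory directory snapshot in place of a real LDAP search.

```python
# Added example, not Samba's own code: choose how to record a
# SID -> uid mapping in an LDAP tree that may already hold
# posixAccount entries. objectClass/attribute names are assumed to
# follow the Samba 3 LDAP schema; the tree below is a constructed
# snapshot standing in for a real LDAP search.
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
IDMAP_SUFFIX = "ou=Idmap,dc=example,dc=com"   # assumed 'idmap suffix'

SAMPLE_TREE: Dict[str, Entry] = {
    # Pre-existing Unix account; its cn is the full name, not the SID.
    "cn=Ronny Bremer,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["rbremer"], "uidNumber": ["1001"]},
    # An 'idmap only' entry that already owns SID ...-3001.
    f"cn=S-1-5-21-1-2-3-3001,{IDMAP_SUFFIX}": {
        "objectClass": ["sambaSidEntry", "sambaIdmapEntry"],
        "sambaSID": ["S-1-5-21-1-2-3-3001"], "uidNumber": ["3001"]},
}

def find_by_attr(tree: Dict[str, Entry], attr: str, value: str) -> Optional[str]:
    """Return the DN of the first entry whose attribute holds value."""
    for dn, entry in tree.items():
        if value in entry.get(attr, []):
            return dn
    return None

def plan_idmap(tree: Dict[str, Entry], sid: str, uid: int) -> List[str]:
    """Return the LDIF change record that adds the mapping sid -> uid.
    Refuse if the SID or the uid is already mapped (respect existing
    entries); annotate an existing DN carrying the uidNumber rather
    than creating a duplicate; only when no such DN exists fall back
    to a cn=<SID> entry under the idmap suffix.
    """
    if (owner := find_by_attr(tree, "sambaSID", sid)) is not None:
        raise ValueError(f"{sid} is already mapped at {owner}")
    existing = find_by_attr(tree, "uidNumber", str(uid))
    if existing is not None:
        if tree[existing].get("sambaSID"):
            raise ValueError(f"uid {uid} at {existing} already has a SID")
        # The RDN may be a login id or a full name, so never assume the
        # SID is the cn: add the auxiliary class and sambaSID in place.
        return [f"dn: {existing}", "changetype: modify",
                "add: objectClass", "objectClass: sambaIdmapEntry", "-",
                "add: sambaSID", f"sambaSID: {sid}", "-"]
    return [f"dn: cn={sid},{IDMAP_SUFFIX}", "changetype: add",
            "objectClass: sambaSidEntry", "objectClass: sambaIdmapEntry",
            f"cn: {sid}", f"sambaSID: {sid}", f"uidNumber: {uid}"]
```

Making the "modify" case atomic against a concurrent writer would additionally need the server-side checks the thread is worried about (for example an LDAP modify that asserts sambaSID is still absent), which this planner does not attempt.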