LDAP PDB and IDMAP design and implementation

Ronny Bremer rbremer at future-gate.com
Wed Jun 18 12:29:24 GMT 2003


Andrew,

> The tricky bit is doing this atomically - particularly when the old
> entry was on an 'idmap only' entry, and the new one is on a user's
> existing DN.

I agree. I will also try to take a close look at this. As I said, more
research needs to be done on my end in order to come up with anything
:)

>> If you wanna modify existing entries (which I would strongly suggest,
>> in order to remove redundancy and also to be compliant with existing
>> LDAP tree designs) we should not count on being able to use the SID as a
>> CN.
>
> I'm intending that this only be used for SIDs that we cannot find an
> existing DN to map onto.

Ok, but this might be hard for administrators to understand, or better,
to match those entries back to the real user. But, on the other hand, it
might be a good idea, because that clearly marks the entries as "samba
generated", and so the admin needs to take action in providing
additional information like unix attributes, etc and then rename the
object and place it into the right container.
So, I think yes, using the SID makes perfect sense here ...

Ronny
