LDAP PDB and IDMAP design and implemenation

Steve Langasek vorlon at netexpress.net
Fri Jun 20 16:02:40 GMT 2003

On Tue, Jun 17, 2003 at 10:03:15PM +1000, Andrew Bartlett wrote:

> Finally, (and more controversially) I would suggest that we change the
> way the idmap entires are store in LDAP to use the DOMAIN SID as the DN
> component, not the unix userid.

> Generally in idmap, it is the Domain SID that is the descriptive aspect
> of the entry, and there is a proposal to have such a domain sid map to
> both a unix UID and a unix GID.  Even if this is never taken up, it
> would seem to be better to allow for this change now, rather than
> figuring it out later.

> This would make the DN:

> sambaSID=S-1-5-21-4117985702-3860941512-23890400-512,ou=idmap,dc=bartlett,dc=house.

That's a pretty ugly DN. :)  Why would it ever be useful to try to map a
single SID to both a uid and a gid?

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030620/8ecf6bc1/attachment.bin

More information about the samba-technical mailing list