LDAP PDB and IDMAP design and implementation

Andrew Bartlett abartlet at samba.org
Sat Jun 21 00:20:11 GMT 2003


On Sat, 2003-06-21 at 02:02, Steve Langasek wrote:
> On Tue, Jun 17, 2003 at 10:03:15PM +1000, Andrew Bartlett wrote:
> 
> > Finally, (and more controversially) I would suggest that we change the
> > way the idmap entries are stored in LDAP to use the DOMAIN SID as the DN
> > component, not the unix userid.
> 
> > Generally in idmap, it is the Domain SID that is the descriptive aspect
> > of the entry, and there is a proposal to have such a domain sid map to
> > both a unix UID and a unix GID.  Even if this is never taken up, it
> > would seem to be better to allow for this change now, rather than
> > figuring it out later.
> 
> > This would make the DN:
> 
> > sambaSID=S-1-5-21-4117985702-3860941512-23890400-512,ou=idmap,dc=bartlett,dc=house.
> 
> That's a pretty ugly DN. :)  Why would it ever be useful to try to map a
> single SID to both a uid and a gid?

This is arguable - but I'm convinced that we want to allow that
direction in the future, possibly :-). 

Also, I think that for the most part, the 'controlling entity' in
sid<->uid/gid mappings is the SID - the uids are the allocated part, so
I think it makes sense from that direction too.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
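The layout discussed above (the SID as the RDN of the idmap entry, so that one entry can carry both a uidNumber and a gidNumber) is modelled below as an added example; it is not code from the thread or from Samba. It assumes a base of ou=idmap,dc=example,dc=com and uses the sambaIdmapEntry objectClass from the Samba 3 schema (MUST sambaSID, MAY uidNumber and gidNumber); the in-memory subtree, the SID syntax check and the sample mapping values are constructed for illustration. The check on the SID before it is interpolated into a DN is the part a defender cares about: a SID is only digits and hyphens, so a valid one needs no RDN escaping, and rejecting anything else keeps untrusted input out of DNs and search filters.

```python
import re
from typing import Dict, List, Optional

# Assumed base for the example; the thread's own DN uses dc=bartlett,dc=house.
IDMAP_BASE = "ou=idmap,dc=example,dc=com"

# Windows SID syntax: S-1-<identifier authority>-<sub-authority>[-...].
# Validating before the value lands in a DN guarantees the RDN needs no
# escaping (digits and hyphens only) and blocks DN/filter injection.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def sid_rdn_dn(sid: str, base: str = IDMAP_BASE) -> str:
    """DN for a SID-keyed idmap entry, the layout proposed in the thread."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    return f"sambaSID={sid},{base}"


class IdmapSubtree:
    """Constructed in-memory model of an LDAP idmap subtree keyed by SID."""

    def __init__(self, base: str = IDMAP_BASE) -> None:
        self.base = base
        self.entries: Dict[str, Dict[str, List[str]]] = {}

    def add(self, sid: str, uid: Optional[int] = None,
            gid: Optional[int] = None) -> str:
        """Create one entry; a SID may map to a uid, a gid, or both."""
        if uid is None and gid is None:
            raise ValueError("an idmap entry must map to at least one of uid/gid")
        dn = sid_rdn_dn(sid, self.base)
        if dn in self.entries:
            # With the SID as RDN the directory itself enforces one entry per SID.
            raise ValueError(f"entry already exists: {dn}")
        attrs: Dict[str, List[str]] = {
            "objectClass": ["sambaIdmapEntry"],
            "sambaSID": [sid],
        }
        if uid is not None:
            attrs["uidNumber"] = [str(uid)]
        if gid is not None:
            attrs["gidNumber"] = [str(gid)]
        self.entries[dn] = attrs
        return dn

    def sid_to_ids(self, sid: str) -> Optional[Dict[str, int]]:
        """Forward lookup: a single base-scope read on the predictable DN."""
        attrs = self.entries.get(sid_rdn_dn(sid, self.base))
        if attrs is None:
            return None
        out: Dict[str, int] = {}
        if "uidNumber" in attrs:
            out["uid"] = int(attrs["uidNumber"][0])
        if "gidNumber" in attrs:
            out["gid"] = int(attrs["gidNumber"][0])
        return out

    def uid_to_sid(self, uid: int) -> Optional[str]:
        """Reverse lookup: a subtree search on uidNumber, which is not the RDN."""
        for attrs in self.entries.values():
            if attrs.get("uidNumber") == [str(uid)]:
                return attrs["sambaSID"][0]
        return None

    def to_ldif(self) -> str:
        """Render the subtree as LDIF, one block per entry."""
        blocks = []
        for dn, attrs in self.entries.items():
            lines = [f"dn: {dn}"]
            for name, values in attrs.items():
                lines.extend(f"{name}: {v}" for v in values)
            blocks.append("\n".join(lines))
        return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    tree = IdmapSubtree()
    # The Domain Admins SID from the thread, given both a uid and a gid
    # (constructed id values) as the proposal would allow.
    tree.add("S-1-5-21-4117985702-3860941512-23890400-512", uid=10512, gid=10512)
    print(tree.to_ldif())
    print(tree.sid_to_ids("S-1-5-21-4117985702-3860941512-23890400-512"))
```

Note how the two lookup directions differ: the SID-to-id path is a direct read on a DN you can compute, while the id-to-SID path is a search over the subtree, which is exactly the trade-off the thread is weighing when it argues that the SID is the controlling key and the uids are the allocated part.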