LDAP PDB and IDMAP design and implementation

Andrew Bartlett abartlet at samba.org
Sat Jun 21 00:20:11 GMT 2003

On Sat, 2003-06-21 at 02:02, Steve Langasek wrote:
> On Tue, Jun 17, 2003 at 10:03:15PM +1000, Andrew Bartlett wrote:
> > Finally, (and more controversially) I would suggest that we change the
> > way the idmap entries are stored in LDAP to use the DOMAIN SID as the DN
> > component, not the unix userid.
> > Generally in idmap, it is the Domain SID that is the descriptive aspect
> > of the entry, and there is a proposal to have such a domain sid map to
> > both a unix UID and a unix GID.  Even if this is never taken up, it
> > would seem to be better to allow for this change now, rather than
> > figuring it out later.
> > This would make the DN:
> > sambaSID=S-1-5-21-4117985702-3860941512-23890400-512,ou=idmap,dc=bartlett,dc=house.
> That's a pretty ugly DN. :)  Why would it ever be useful to try to map a
> single SID to both a uid and a gid?

This is arguable - but I'm convinced that we want to allow that
direction in the future, possibly :-). 

Also, I think that for the most part, the 'controlling entity' in
sid<->uid/gid mappings is the SID - the uids are the allocated part, so
I think it makes sense from that direction too.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
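A small model of the SID-keyed idmap layout discussed in this thread, added here as an example; it is not code from the message, from Samba, or from the proposal itself. The in-memory store, the SID syntax check and the RFC 2307 attribute names uidNumber/gidNumber are assumptions; the base DN and the example SID are the ones quoted above.

```python
import re

# Base DN taken from the DN quoted in the thread (example value).
IDMAP_BASE = "ou=idmap,dc=bartlett,dc=house"

# Accept only well-formed SIDs (S-<rev>-<authority>-<sub>...), so that
# nothing but digits and dashes is ever spliced into a DN (assumption:
# we reject rather than escape; RFC 4514 escaping is the alternative).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,14}$")


def sid_dn(sid):
    """Build the SID-keyed DN proposed in the thread."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    return "sambaSID=%s,%s" % (sid, IDMAP_BASE)


def add_mapping(store, sid, uid=None, gid=None):
    """Create or extend the single entry for `sid`.

    Because the SID is the DN component, one entry can carry both a
    uidNumber and a gidNumber; a conflicting second value for either
    attribute is refused instead of silently overwritten.
    """
    entry = store.setdefault(sid_dn(sid), {"sambaSID": sid})
    for attr, value in (("uidNumber", uid), ("gidNumber", gid)):
        if value is None:
            continue
        if entry.get(attr, value) != value:
            raise ValueError("%s already mapped to %s %d" % (sid, attr, entry[attr]))
        entry[attr] = value
    return entry


def lookup(store, sid):
    """Resolve a SID to its idmap entry, or None if unmapped."""
    return store.get(sid_dn(sid))


if __name__ == "__main__":
    # Constructed sample: the quoted domain SID mapped to both a uid and a gid.
    s = {}
    add_mapping(s, "S-1-5-21-4117985702-3860941512-23890400-512", gid=10512)
    add_mapping(s, "S-1-5-21-4117985702-3860941512-23890400-512", uid=10512)
    print(lookup(s, "S-1-5-21-4117985702-3860941512-23890400-512"))
```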