order of idmap backends

Andrew Bartlett abartlet at samba.org
Thu Jun 26 00:57:03 GMT 2003


On Thu, 2003-06-26 at 06:51, Jeremy Allison wrote:
> On Wed, Jun 25, 2003 at 10:39:14PM +0200, Stefan (metze) Metzmacher wrote:
> > At 20:32 25.06.2003 +0000, Jeremy Allison wrote:
> > >On Wed, Jun 25, 2003 at 10:24:06PM +0200, Stefan (metze) Metzmacher wrote:
> > > > Hi Jeremy,
> > > >
> > > > why did you change DLIST_ADD() to DLIST_ADD_END() ?
> > > >
> > > > in smb_register_idmap()
> > > >
> > > > why is the order important?
> > > >
> > > > we should have this in sync with the other smb_register_*() functions!!!
> > >
> > >Because I thought the order was important. It *should* be !
> > >This is very broken right now....
> > 
> > I think it's not important and also should not be important!!!
> > (we just search in a linked list and it doesn't matter on which position 
> > a list element is!)
> > 
> > and I can't see where it's broken.
> 
> Because smbd should be asking winbind, not doing anything directly
> in idmap. winbind should be looking in the tdb, with ldap as a remote
> backend.
> 
> This code has been written to be generic, when it *ISN'T* generic.
> There is and should be an ordering in this.
> 
> Don't worry, Jerry and I are going to fix this....

The way I was going to deal with this was the same way we deal with the
'auth_winbind' code.

I was going to make the default idmap backend work like this:

idmap backend = idmap_winbind:idmap_tdb

Where idmap_winbind would know it was in winbind and just pass all
operations on to idmap_tdb.  

Likewise, smbd would call idmap_winbind, and if winbind isn't there, it
would contact idmap_tdb directly.

This means that only winbindd is allocating in the TDB, and can use its
knowledge of 'it really is a group/user' until we work out a scheme
where we can do without this knowledge.

Naturally, this also means that for the default setup, we should not
have a problem with 1-connection-per-smbd to the remote ldap server. 
The ability to 'set' an IDMAP mapping can also occur on the winbind
pipe, protected by the 'winbind priv pipe' system.

How does this sound?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
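
The ordering question in this thread, as an added example that is not part of the original messages and is not Samba code: a lookup by name is position-independent, while an ordered fallback walk (winbind first, then the tdb) depends on whether entries were inserted at the head or at the tail. The struct, the helper names and the `available` flag are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical backend entry for illustration; not Samba's own struct.
 * available == 0 simulates "winbind isn't there". */
struct backend { const char *name; int available; struct backend *next; };

/* Head insert (DLIST_ADD-style): the last registered entry is walked first. */
static void add_head(struct backend **list, struct backend *b) {
    b->next = *list;
    *list = b;
}

/* Tail insert (DLIST_ADD_END-style): registration order is preserved. */
static void add_tail(struct backend **list, struct backend *b) {
    while (*list) list = &(*list)->next;
    b->next = NULL;
    *list = b;
}

/* Lookup by name: the result does not depend on list position. */
static struct backend *find_by_name(struct backend *l, const char *name) {
    for (; l; l = l->next)
        if (strcmp(l->name, name) == 0) return l;
    return NULL;
}

/* Ordered fallback: the first available backend wins, so position matters. */
static struct backend *first_available(struct backend *l) {
    for (; l; l = l->next)
        if (l->available) return l;
    return NULL;
}

/* Register idmap_winbind, then idmap_tdb; return the backend an in-order walk uses. */
const char *pick(int use_tail, int winbind_up) {
    struct backend wb  = { "idmap_winbind", winbind_up, NULL };
    struct backend tdb = { "idmap_tdb", 1, NULL }, *list = NULL;
    void (*add)(struct backend **, struct backend *) = use_tail ? add_tail : add_head;
    add(&list, &wb);
    add(&list, &tdb);
    if (!find_by_name(list, "idmap_winbind")) return NULL; /* found either way */
    return first_available(list)->name;
}

int main(void) {
    printf("tail: %s  head: %s\n", pick(1, 1), pick(0, 1));
    return 0;
}
```

With head insertion the walk reaches idmap_tdb first even when winbind is up, which is the case where a caller would go to the tdb directly instead of through winbind.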