Meaning of 'idmap backend' ?

Simo Sorce simo.sorce at
Mon Jun 30 15:56:47 GMT 2003

On Mon, 2003-06-30 at 17:18, Volker Lendecke wrote:
> Hi!
> In trying to understand the IDMAP, the concept of a remote IDMAP
> somewhat puzzles me, at least as far as it is coded and commented:
> Who is authoritative for mappings? Is it the local (or cache or
> whatever) map? If this is the case then I don't see how the BDC
> situation is decently handled. Simo, you had confirmed that you took
> care of that decently.

The idea is that if you have a remote mapping, then that is the
authoritative one.
The remote mapping may be a centralized idmap (code not done yet), or a
centralized LDAP server.
Currently it also serves winbind, but that's to keep compatibility; it's
not the right way to go for future development.

In future development I think we should move the "remote/authoritative"
functionality into winbind, so that we can avoid abusing resources.
Winbind can effectively handle a single ldap connection or any other
mechanism and also provide more information to determine the SID mapping
(UID or GID?) in some cases.

> Looking at idmap_set_mapping confuses me even more. We first update the
> local mapping and then try to update the remote one with a puzzling
> comment:
>         /* Being able to update the remote cache is seldomly right.
>            Generally this is a forbidden operation. */
> So who does ever update the remote mapping?
> *confused*

Well, the idea is that you generally ask for a mapping from the
remote/authoritative map. When you ask for a mapping, the remote map will
actually do the map for you and come back with the result.
On a client of a centralized idmap you should set arbitrary mappings
only on the master not on a client (that's the source of the comment).

The idea is that you should have a control mechanism that makes the
central idmap admin decide if remote servers can add mappings; in that
case remote servers will be able to push mappings, otherwise a
set_mapping on a client idmap server should not be able to push the

Currently you are entitled to set the mapping locally even if the remote
backend does not, to be able to use the winbind_idmap hack.

It's not the nicest thing on earth, but it works just now; I know we need
to improve that mechanism.


Simo Sorce - simo.sorce at
Xsec s.r.l. -
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
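As an added illustration (not Samba code, and not part of this thread): a small Python model of the scheme described above, with the remote map authoritative, a client cache in front of it, and a push that the central idmap admin can allow or forbid. The class names, the uid range and the sample SIDs are constructed for the example.

```python
# Added example, not Samba code: a toy model of "remote map is authoritative,
# local map is a cache, clients push mappings only when the admin allows it".
# Assumptions: the remote map allocates ids from a range it owns; the
# allow/forbid switch is a single boolean held by the remote map.

class RemoteIdmap:
    """Authoritative SID -> id map (e.g. a central LDAP server)."""
    def __init__(self, uid_base: int, clients_may_push: bool):
        self.sid_to_id = {}                 # constructed in-memory store
        self.next_id = uid_base
        self.clients_may_push = clients_may_push

    def get_mapping(self, sid: str) -> int:
        # The remote map "does the map for you": allocate on first sight,
        # so every client asking for the same SID gets the same id.
        if sid not in self.sid_to_id:
            self.sid_to_id[sid] = self.next_id
            self.next_id += 1
        return self.sid_to_id[sid]

    def push_mapping(self, sid: str, uid: int) -> bool:
        """A client-set mapping reaches the master only if policy allows."""
        if not self.clients_may_push:
            return False                    # the "forbidden operation" case
        existing = self.sid_to_id.get(sid)
        if existing is not None:
            return existing == uid          # never silently remap a SID
        if uid in self.sid_to_id.values():
            return False                    # id already owned by another SID
        self.sid_to_id[sid] = uid
        return True

class ClientIdmap:
    """Local cache in front of the authoritative map (a PDC or BDC)."""
    def __init__(self, remote: RemoteIdmap):
        self.remote = remote
        self.cache = {}

    def get_mapping(self, sid: str) -> int:
        if sid not in self.cache:           # cache miss: ask the authority
            self.cache[sid] = self.remote.get_mapping(sid)
        return self.cache[sid]

    def set_mapping(self, sid: str, uid: int) -> bool:
        """Update locally, then try upstream; report whether the push took."""
        self.cache[sid] = uid
        return self.remote.push_mapping(sid, uid)

def demo():
    remote = RemoteIdmap(uid_base=10000, clients_may_push=False)
    pdc, bdc = ClientIdmap(remote), ClientIdmap(remote)
    sid = "S-1-5-21-1-2-3-1001"             # constructed sample SID
    consistent = pdc.get_mapping(sid) == bdc.get_mapping(sid)
    pushed = bdc.set_mapping("S-1-5-21-1-2-3-1002", 20000)
    return consistent, pushed               # (True, False)
```

With `clients_may_push=False` the PDC and BDC still agree on every id because both defer to the remote map, while a local set_mapping on the BDC stays local.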

More information about the samba-technical mailing list