[PATCH] add "net ads groupmember" functionality

David Wojtowicz davidw at uiuc.edu
Thu May 13 14:51:13 GMT 2004

Thank you all for your very helpful constructive criticism of my previous
code.  I have addressed the concerns and changes below and am offering an
updated patch for your consideration.

"Volker Lendecke" <Volker.Lendecke at SerNet.DE> writes:
> There is already 'net rpc group addmem' etc. As the RAP interface is
> deprecated, I would much rather like to see the user interface modeled
> the 'net rpc group' command.

Changed.  The new commands now take the form:

 net ads group members [group] {-l}
 net ads group addmem [group] [member(s)]
 net ads group delmem [group] [member(s)]

The members listing output is also now just like the users/group listings.
(Either with or without the description field)

"Henrik Nordstrom" <hno at squid-cache.org> writes:
> Extracting the cn won't work other than for presentation purposes as this
> is not guaranteed to be unique in the tree or even subtree.

Right.  I was forgetting this.  I've abandoned the use of cn as the
identifier for groups and members and now use sAMAccountName which is
guaranteed to be unique.

"Guenther Deschner" <guenther.deschner at suse.de> writes:
> Maybe some parts could be improved. I think of at least two items:
> - use of *ads_cn_from_dn does not correctly explode dn (think of a group
>   with a "," in the name).

This is fixed by the switch to sAMAccountName as the unique identifier.  All
sAMAccountName <=> DN conversions are performed by directory lookup (which
isn't as expensive as I thought... can do about 1000/second in my testing)

> - range retrieval is not handled (large groups (>1000 (win2k) or >1500
>  (win2k3) will appear to be empty), there is a
>  ads_pull_strings_range-call in libads.

This has been recoded to accommodate this.  I've successfully tested it on
groups with over 11000 members.  Thanks for the pointer on how to fix this.
(nsswitch/winbindd_ads.c also proved invaluable for demonstrating how to
use ads_pull_strings_range().)

David Wojtowicz <davidw at uiuc.edu> writes:
> I wonder though if there's going to be a problem with a very long strlist
> in ads_gen_mod().

Turns out that this is not a problem (I was worried).  It accepts the very
long lists.

However, it is quite slow for large lists.  Pulling the whole list, making
a few changes and then sending the whole list back is obviously not very
efficient.  Reading a 10000-member list only takes a few seconds, but
writing it back takes a long time.  I don't think it's the IO, but rather
the server updating its internal records when it receives the list back
(which, in the case of group members, probably involves updating the
"memberOf" cross-references).

Windows must do something different to make changes to member lists when
using the Active Directory Users and Groups editor, as a minor change to a
large group list happens quickly.  (Though adding thousands of members by
that means takes just as long as using the net command, again probably due
to bookkeeping on the server end.)  I'm not yet familiar enough with the
low-level LDAP stuff to know how this is accomplished and am only using the
tools provided by libads.

Anyhow, it does work for large groups if you are patient (it will accept
multiple adds or deletes at once if you have more than one modification to
make... this helps as you only have to wait once).  For more average sized
groups with dozens to hundreds of members, the performance is quite

The new patch for all of this against the current svn is here:


Again, thanks for considering this.

David Wojtowicz, Sr. Research Programmer
Dept of Atmospheric Sciences, University of Illinois
davidw at uiuc.edu (217) 333-8390

----- Original Message ----- 
From: "Volker Lendecke" <Volker.Lendecke at SerNet.DE>
To: "David Wojtowicz" <davidw at uiuc.edu>
Cc: <samba-technical at samba.org>
Sent: Wednesday, May 12, 2004 9:22 AM
Subject: Re: [PATCH] add "net ads groupmember" functionality

> Hello, David!
> On Wed, May 12, 2004 at 09:05:12AM -0500, David Wojtowicz wrote:
> > I was looking for a way to list/add/delete users in/to/from ADS groups
> > the "net" command.   Having found that functionality missing, I'm
> > contributing a patch to do so.  It is patterned after the "net rap
> > groupmember" function and adds the following functions for ADS.
> Thanks a lot for looking at this.
> However...
> There is already 'net rpc group addmem' etc. As the RAP interface is
> deprecated, I would much rather like to see the user interface modeled
> the 'net rpc group' command.
> What do you think?
> Volker
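The two failure modes raised in the thread, a DN whose CN contains a comma that a plain split on "," mishandles, and a group larger than the server's cap that looks empty unless the member attribute is read with range retrieval, worked through as an added Python example. This is not code from the original post or from Samba's libads. The fake directory server, its cap, the sample DNs and the helper names are all constructed for this illustration; the attribute naming (member;range=low-high, with "*" marking the final chunk) follows Active Directory's documented range-retrieval convention.

```python
"""Added example, not code from the mailing-list post or from Samba's libads.
It simulates Active Directory range retrieval of a large multi-valued
attribute and the DN-parsing pitfall discussed in the thread.
All server behaviour, caps, DNs and helper names below are constructed."""
import re
from typing import Dict, List

# AD returns a capped multi-valued attribute under a name of the form
# 'member;range=<low>-<high>'; '<high>' is '*' on the final chunk.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


class FakeAdServer:
    """Constructed stand-in for a DC that hands out at most `max_range`
    values of a multi-valued attribute per request (1000 on Windows 2000,
    1500 on Windows 2003, per the thread)."""

    def __init__(self, members: List[str], max_range: int):
        self.members = members
        self.max_range = max_range

    def search(self, attr: str) -> Dict[str, List[str]]:
        """Answer one attribute request with {returned_name: values}."""
        m = RANGE_RE.match(attr)
        if m is None:
            # Plain 'member' request: small groups come back whole, large
            # ones come back as the first chunk under a ranged name.
            if len(self.members) <= self.max_range:
                return {attr: list(self.members)}
            base, low = attr, 0
        else:
            base, low = m.group("attr"), int(m.group("low"))
        high = min(low + self.max_range, len(self.members)) - 1
        last = high >= len(self.members) - 1
        name = f"{base};range={low}-{'*' if last else high}"
        return {name: self.members[low:high + 1]}


def naive_member_count(server: FakeAdServer, attr: str = "member") -> int:
    """Read 'member' once and count what comes back. Over the cap the
    values arrive under 'member;range=...', so the group looks empty."""
    return len(server.search(attr).get(attr, []))


def fetch_all_values(server: FakeAdServer, attr: str = "member") -> List[str]:
    """Range-retrieval loop, the idea behind libads' ads_pull_strings_range():
    keep asking for the next slice until the server marks the last chunk."""
    values: List[str] = []
    result = server.search(attr)
    if attr in result:            # unranged reply: whole attribute at once
        return result[attr]
    while True:
        (name, chunk), = result.items()
        m = RANGE_RE.match(name)
        if m is None or m.group("attr") != attr:
            raise ValueError(f"unexpected attribute in reply: {name}")
        values.extend(chunk)
        if m.group("high") == "*":
            return values
        next_low = int(m.group("high")) + 1
        result = server.search(f"{attr};range={next_low}-*")


def cn_from_dn_naive(dn: str) -> str:
    """The approach the thread rejects: split the DN on ',' and strip 'CN='.
    An RDN value containing an escaped comma is cut in half."""
    return dn.split(",")[0][3:]


def cn_from_dn(dn: str) -> str:
    """Extract the first RDN value honouring RFC 4514 backslash escapes.
    Even done correctly, cn is only usable for display: the thread's point
    is that it is not unique, which is why the patch moved to sAMAccountName."""
    out, i = [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character, keep literally
            out.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                         # unescaped comma ends the RDN
            break
        out.append(c)
        i += 1
    rdn = "".join(out)
    return rdn[3:] if rdn.upper().startswith("CN=") else rdn


if __name__ == "__main__":
    big = FakeAdServer([f"CN=user{i},OU=Staff,DC=example,DC=com"
                        for i in range(11001)], max_range=1500)
    print("naive count :", naive_member_count(big))      # 0: looks empty
    print("ranged count:", len(fetch_all_values(big)))   # 11001
    dn = "CN=Doe\\, John,OU=Staff,DC=example,DC=com"
    print("naive cn    :", cn_from_dn_naive(dn))         # 'Doe\'
    print("escaped cn  :", cn_from_dn(dn))               # 'Doe, John'
```

The loop in fetch_all_values always requests the next slice as "low-*" and lets the server decide the chunk size, so it works unchanged against the 1000-value and 1500-value caps mentioned in the thread; the exact-cap case (a group with exactly max_range members) comes back unranged and is handled by the early return.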
