winbind nested groups and ldap backend

Simo Sorce idra at samba.org
Thu May 26 13:46:03 GMT 2005 

Testing nested group with ldapsam and idmap_ldap revealed that the thing
just do not work right now with 3.0.14a (and I know there's nothing
relevant in latest code, at least nothing up to last week).

Not going into the datails of the current code, is seem the three people
that care about the problem in the Team: me, Jerry and Volker, all
agrees winbind should manage the stuff completely.

When using tdbsam + groupmapping.tdb it is easy to accomplish this job,
but with ldapsam AND idmap_ldap we have some problems right now.

What I would like to do is to make clear that people should always use
idmap_ldap when they use ldapsam. I know it is probably not possibile to
change the default so that when you set passdb backend = ldapsam then
also idmap backend defaults to ldap, but probably a warning at level 0
in the log in future releases is enough.

Now besides this little problem about default configurations, what I
would lie to do with idmap_ldap is the following.

In idmap code add an interface to create, modify, delete an alias, so
that winbind can do it whatever backend is used.

Make the aliases be created under the defined group suffix so that
people have all groups in the same container as they expect. Make the
group NOT use the posixGroup objectclass of course, we need winbindd to
provide that group to the system not nss_ldap as winbind needs to expand
groups inside it.

Modify Winbind/idmap so that when ldap is involved we look under the
base suffix provided to samba when searching for idmappings so that
these groups are correctly seen. Let winbindd/idmap_ldap correctly
search for the SID list specified and properly resolve names and groups
(I found out yesterday that there is some problem in the code, as it
correctly identified the name of the group being list by it's sid, but
than it was not able to retrieve the group itself nor the members list).

Doing that will require some time probably so I will start from the
trunk tree of course, I just would like to know if my random toughts
here are ok, and some comment in case I'm wrong, fool, or just slightly
offtrack.

Thanks,
Simo.

-- 
Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it

More information about the samba-technical mailing list