about ldapsam:editposix extension

simo idra at samba.org
Sun Mar 5 16:16:06 GMT 2006

On Sun, 2006-03-05 at 10:55 +0000, Gavin Henry wrote:
> <quote who="simo">
> > To who may be interested I've started a little howto that
> > give some direction on how to better use the ldapsam:editposix
> > extension.
> >
> > This extension is not yet in any officially released code, if you want
> > to test it you need to pull the trunk SVN tree from samba.org
> >
> > The HOWTO:
> > http://wiki.samba.org/index.php/Ldapsam_Editposix
> >
> Hi Simo,
> As we understand it, this extension allows you to choose whether or not
> you use enternal tools like IDEALX's smbldap-tools? Correct?

Correct. But only for very specific cases.

> How do you add users/groups then with this extension, via adding a normal
> user account on the Samba PDC (posix account)? What manangement tools can
> an admin use?

Either by usrmgr.exe or by net rpc user add, net rpc group add, or any
othe tool that connects to our RPC pipes and issues the right calls.

> The reason we ask, is that we are about 70% porting the IDEALX
> smbldap-tools to OO-Perl code to go on to the CPAN, called Samba::LDAP. So
> we are just checking this work is not a waste.

No, it is not a waste, lot of sites rely on scripts because they want
much more flexibility in creating their accounts.

> This also has some bits in it for adding Open-xchange users (only the LDAP
> part really).
> The work for Samba::LDAP distribution port is because of another Web
> Application we are around 50% through called SOSA, The Samba and
> Open-xchange Simple Administrator. It is written with the Catalyst
> Framework (http://catalyst.perl.org), with a bit of Prototype.js and
> mostly the Dojo Toolkit (http://dojotoolkit.org). Beta screenshots
> available if anyone is interested ;-)
> Anyway, enough of that. Are there any tech docs about your new Schema
> Extensions we can read about, as they might be good to make use of inside
> Samba::LDAP.

no new schema extension, the only critical bit in ldapsam:editposix is
that it uses winbind to alloc uids and gids, so if you want to add new
users/groups directly to ldap, you must use a range different from the
one specified by idmap uid/gid parm.
I think you may use the same range if you use idmap ldap and have an app
that correctly deal with the ou=idmap uidNumber and gidNumber counters,
but that must be carefully code or you risk breaking the mapping
functionality of winbindd.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org

More information about the samba-technical mailing list