[PATCH] New external idmap module

Gautier, B (Bob) Bob.Gautier at rabobank.com
Wed May 31 08:36:05 GMT 2006


> -----Original Message-----
> From: samba-technical-bounces+bob.gautier=rabobank.com at lists.samba.org
> [mailto:samba-technical-bounces+bob.gautier=rabobank.com at lists.samba.org] On Behalf
> Of Volker Lendecke

> > 
> > Have you thought what happen when you use idmap_ad and a user/group 
> > does not have any rfc2307 attribute associated?
> > Same thing.
> Sure, but this is a broken configuration that I do not want 
> to optimize for. If for every such SID you fork every time 
> you hit it, fine by me. The admin should go in and put a 
> mapping into his AD or have the user in question not connect.

Not fine by me! In my *testlab* we have over 4000 users, very few of
which have rfc2307 attributes.  In our development and production
environments we have many more users and we don't expect to add rfc2307
attributes to all of them on day one when we go live.  We want winbindd
to ignore users that don't have rfc2307, and to do so without a big
performance hit.  I have already seen horrible performance from idmap_ad
because it queries for *all* users and then does a second LDAP query
*per user* to try to get rfc2307 attrs (see BZ 3751).

FWIW I would love to see a mechanism that would allow all the idmap
functionality to be segregated into a separate process, independent of
the mainline Samba code, so that 1) we have complete control over the
idmap algorithm and 2) we can use a custom algorithm whilst still using
a standard, out-of-the-distro-vendors-box, build of Samba for which we
can get support.

Although I have not followed the discussion in every detail, I think
that means I am in support of the original external idmap module
proposal, complete with TCP socket support (because I think if it's not
in the basic module, someone will write a proxy eventually anyway).

Isn't an external, TCP-reachable idmap module relevant to the Samba
clustering work?  I wonder if their messaging protocols are worth using
here, at least.

Bob Gautier

> Volker
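The performance point raised above (one query for all users, then a second LDAP query per user to fetch rfc2307 attributes) can be made concrete with a small simulation. This is an added example, not code from the thread and not Samba's own idmap_ad code: the Directory class, the entry layout, the constructed SIDs and the search counter are all assumptions made for the illustration. It contrasts the per-user pattern with a single presence-filtered query, the equivalent of the LDAP filter (&(sAMAccountName=*)(uidNumber=*)), which lets the server drop users without rfc2307 attributes in one round trip.

```python
"""Constructed simulation of two idmap lookup strategies against an AD-like
directory: the per-user "N+1" pattern versus one presence-filtered query.
The directory, its entries and the query counter are constructed here and
are not Samba's real behaviour or data."""

from dataclasses import dataclass


@dataclass
class Directory:
    """Stand-in for an LDAP server: a list of entries plus a counter of how
    many search operations the client has issued (assumed model)."""
    entries: list
    searches: int = 0

    def search(self, predicate):
        # Every call models one LDAP round trip; the predicate plays the
        # role of the server-side filter.
        self.searches += 1
        return [e for e in self.entries if predicate(e)]


def make_directory(n_users, n_with_rfc2307):
    """Build a constructed directory of n_users, of which only the first
    n_with_rfc2307 carry a uidNumber (the rfc2307 attribute idmap_ad needs)."""
    entries = []
    for i in range(n_users):
        # Constructed SID-like strings; not real SIDs.
        entry = {"sAMAccountName": f"user{i}",
                 "objectSid": f"S-1-5-21-CONSTRUCTED-{1000 + i}"}
        if i < n_with_rfc2307:
            entry["uidNumber"] = 10000 + i
        entries.append(entry)
    return Directory(entries)


def per_user_lookup(directory):
    """The pattern the mail complains about: one query for all users, then a
    second query per user to fetch its rfc2307 attributes."""
    users = directory.search(lambda e: "sAMAccountName" in e)
    mapped = {}
    for user in users:
        hits = directory.search(
            lambda e, sid=user["objectSid"]: e["objectSid"] == sid and "uidNumber" in e
        )
        if hits:
            mapped[user["objectSid"]] = hits[0]["uidNumber"]
    return mapped


def presence_filter_lookup(directory):
    """One round trip: the equivalent of the filter
    (&(sAMAccountName=*)(uidNumber=*)), so users without rfc2307 attributes
    are filtered on the server and never reach the client."""
    hits = directory.search(lambda e: "sAMAccountName" in e and "uidNumber" in e)
    return {e["objectSid"]: e["uidNumber"] for e in hits}


def compare(n_users=4000, n_with_rfc2307=5):
    """Run both strategies on identical constructed data and return, for
    each, the SID->uid mapping it produced and the number of searches it
    needed."""
    d1 = make_directory(n_users, n_with_rfc2307)
    d2 = make_directory(n_users, n_with_rfc2307)
    m1 = per_user_lookup(d1)
    m2 = presence_filter_lookup(d2)
    return {"per_user": (m1, d1.searches), "presence_filter": (m2, d2.searches)}


if __name__ == "__main__":
    # Defaults mirror the testlab figures in the mail: 4000 users, very few
    # of them with rfc2307 attributes.
    for name, (mapping, searches) in compare().items():
        print(f"{name}: {len(mapping)} mapped users in {searches} LDAP searches")
```

Both strategies produce the same mapping, but the per-user pattern costs one search per directory user regardless of how many of them are actually mapped, which is why a large directory with few rfc2307 users hurts so badly; the presence filter keeps the cost proportional to the number of mapped users.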

