updated newidmap

simo idra at samba.org
Tue Oct 3 20:22:47 GMT 2006


On Tue, 2006-10-03 at 15:11 -0500, Gerald (Jerry) Carter wrote:
> Volker Lendecke wrote:
> > On Tue, Oct 03, 2006 at 02:54:37PM -0400, simo wrote:
> >>>> BUILTIN:tdb:500-1000
> >>>> ADOM:ldap:10001-30000
> >>>> BDOM:ldap:30001-50000
> >>> And you will still need a *:ldap:50001-100000 for all
> >>> domains you right now are not aware of.
> >> I'd like to leave that decision to the admin (the default config will be
> >> something like that normally).
> > 
> > Sorry, but I would very strongly object to having allocation
> > ranges per domain. It would take a vote from many others to
> > persuade me to accept this.
> 
> I agree.  This is a bad design choice because it simply paints
> you in a corner if one of the ranges fills up.  You have nowhere
> to go.  That's the problem with the trusted domain support in
> idmap_rid.

The allocator will always have a range limit, I hardly see this as a
strong reason why not to. The admin must be wise in choosing range
sizes anyway.

If you use both tdb and ad modules you have to assign ranges to them
too. If you are unwise you may end up consuming one of the two ranges.
It doesn't matter which one is depleted; if you make a bad choice, you
make a bad choice.

Example:

default:tdb:10000:15000
DOMX:ad:15001:3000000000

allocator:10000:15000

Now if you do more than 5k allocs you are out of luck; there is no easy
way around it. And changing all the mappings in AD to make more room is
not easier than coping with a configuration where you have multiple
range allocations.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
