External idmap backend(s)

Matthew Mastracci matt at aclaro.com
Tue Feb 6 21:57:22 GMT 2007

Andrew Bartlett wrote:
> On Mon, 2007-02-05 at 13:40 -0700, Matthew Mastracci wrote:
>> The big reason we need this is to implement an LDAP mapping that is
>> close-but-not-quite-the-same-as the current idmap_ldap stuff, but is
>> easier to maintain as a bunch of shell scripts than writing and
>> maintaining a new back-end that won't ever make it into the tree and
>> updating a patch for it.
> Is is possible that with a few extra parameters, your setup could be
> incorporated into the standard? Or, why can't you use the standard
> mapping?
I think that extra parameters would make this work.  I've been 
maintaining my patch for a while and haven't revisited the problem for 
some time, so I'll admit that I haven't checked out what it would take 
to make it work with the alternate backends since last year until now.

The big difference between our setup and the standard LDAP idmap backend 
is that our UID/GIDs are allocated at user creation time using the 
posixAccount attributes through our user creation scripts to centralize 
the operation.

We needed uniform IDs and full winbind integration across a number of 
systems.  The current winbind LDAP idmap backends all use the 
sambaIdmapEntry object type instead of the posixAccount attributes on 
the user objects.  This unfortunately prevents us from using the current 
idmap backends. 

I think we could get things working if we could customize the LDAP 
searches, or at least be able to change the objectClass that is 
currently hardcoded to LDAP_OBJ_IDMAP_ENTRY to 
the automatic ID allocation code, since all servers but the domain 
controller can only read the mapping information and cannot write to the 
LDAP tree.

I think that the following parameters would suffice:

ldap idmap groupobjectclass = "posixGroup" (default: sambaIdmapEntry)
ldap idmap accountobjectclass  = "posixAccount" (default: sambaIdmapEntry)
ldap idmap allowcreatemapping = false (default: true)

Would this be a reasonable compromise?  I don't mind dumping the backend 
and scripts if I can make it work this way.


More information about the samba-technical mailing list