Winbind's offline state and idmap_ldap

simo idra at samba.org
Mon Feb 19 00:18:14 GMT 2007


On Sun, 2007-02-18 at 17:14 -0600, Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
> > On Sun, Feb 18, 2007 at 04:23:42PM -0600, Gerald (Jerry) Carter wrote:
> >> Jeremy & Guenther,
> >>
> >> Did either of you ever test out starting up Winbindd
> >> in an offline state with an idmap backend other than
> >> the default tdb?  The reason I'm wondering is that the
> >> offline design doesn't seem to play well with the idmap
> >> initialization code.  Am I missing something here?
> > 
> > That's definitely true. I don't think it was tested
> > with other than tdb backends, sorry.
> 
> ok. That makes me feel better.  At least it's not a regression.
> I think the way to fix this is to initialize the current
> idmap_cache but delay initialization of the backends until
> we are marked as online.  What I don't want is to have each
> idmap plugin have to concern itself with whether winbindd
> is marked as offline or online.  Sounds ok?

Not all backends need to wait to be online to be initialized or have the
same concept of offline mode as main winbindd.

For example if you have idmap_ldap pointing to localhost, then offline
might mean a different thing from what it is for the rest of winbindd.
If you unplug the network cable, winbindd will definitively go offline,
but idmap_ldap can still reach localhost without a problem.
At the same time, while you may be able to query remote servers via
winbindd, someone can shut down the ldap server and idmap_ldap becomes
"offline".

On the other hand idmap_ad is probably always perfectly in sync with
winbindd (I can imagine only very pathological setups where this may not
hold true).

I think we will need to implement offline code inside the single modules
in some cases, and idmap made aware of what offline means. I think there
is all the infrastructure there to do so.
I already changed the way mappings are returned on purpose so that you
have a way to return a different error based on whether this is because
the mapping really does not exist or because some "other" error occurred.
This was made to take into account the fact that a module may be "offline"
and is extremely important to avoid expiring the cache at the wrong time.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
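
The distinction drawn in the message above, between "the mapping does not exist" and "the backend could not answer", shown as an added C example that is not part of the original message and is not Samba's code. All type, function and constant names, the SID and the uid are hypothetical or constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical names throughout; these are not Samba's definitions. */
enum map_result { MAP_OK, MAP_NOT_FOUND, MAP_BACKEND_DOWN };
struct cache_entry { bool valid, negative; unsigned uid; time_t expires; };
typedef enum map_result (*backend_fn)(const char *sid, unsigned *uid);
#define CACHE_TTL 300
#define SID "S-1-5-21-1-2-3-1001"   /* constructed SID */

/* Constructed backends standing in for a reachable, an empty and an offline store. */
static enum map_result backend_ok(const char *s, unsigned *u) { (void)s; *u = 10001; return MAP_OK; }
static enum map_result backend_missing(const char *s, unsigned *u) { (void)s; (void)u; return MAP_NOT_FOUND; }
static enum map_result backend_down(const char *s, unsigned *u) { (void)s; (void)u; return MAP_BACKEND_DOWN; }

/* Returns true and fills *uid when a usable mapping exists for sid. */
bool resolve(struct cache_entry *e, const char *sid, backend_fn backend,
             time_t now, unsigned *uid)
{
    unsigned fresh = 0;
    if ((e->valid || e->negative) && now < e->expires) {
        if (e->valid) *uid = e->uid;      /* unexpired cache hit */
        return e->valid;
    }
    switch (backend(sid, &fresh)) {
    case MAP_OK:                          /* refresh the entry */
        e->valid = true; e->negative = false;
        e->uid = *uid = fresh; e->expires = now + CACHE_TTL;
        return true;
    case MAP_NOT_FOUND:                   /* authoritative answer: drop old value */
        e->valid = false; e->negative = true;
        e->expires = now + CACHE_TTL;
        return false;
    default:                              /* backend offline: leave the entry alone */
        if (e->valid) *uid = e->uid;      /* keep serving the expired mapping */
        return e->valid;
    }
}

int main(void)
{
    struct cache_entry e = {0};
    unsigned uid = 0;
    resolve(&e, SID, backend_ok, 1000, &uid);
    printf("down: %d\n", resolve(&e, SID, backend_down, 2000, &uid));
    printf("gone: %d\n", resolve(&e, SID, backend_missing, 2000, &uid));
    return 0;
}
```

If the offline case were reported as `MAP_NOT_FOUND`, the second call would replace a correct mapping with a negative entry for a full TTL.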


