[Fedora-directory-devel] Re: Problems creating a Samba4 LDAP Backend
Luke Howard
lukeh at padl.com
Sun Mar 23 06:17:34 GMT 2008
FYI here's how we did it in XAD, page 19ff.
http://www.openldap.org/conf/odd-wien-2003/luke.pdf
Implemented in OpenLDAP completely at the SLAPI layer. Without help
from the underlying DB, though, it wasn't transaction safe; so the
approach of storing "member" and computing "memberOf" is probably
better.
-- Luke
On 23/03/2008, at 2:25 AM, Luke Howard wrote:
>
> On 22/03/2008, at 10:17 AM, Andrew Morgan wrote:
>> On Sat, 22 Mar 2008, Luke Howard wrote:
>>
>>>>> To me, this says that the directory does an internal group search to
>>>>> generate the isMemberOf attribute on the fly. I believe this is the way
>>>>> Active Directory handles the memberOf attribute as well.
>>>> IIRC in AD memberOf is a linked attribute, stored permanently.
>>>
>>>
>>> From memory, AD stores the entry IDs of the link tuples in a
>>> separate table, so both "member" and "memberOf" are ostensibly
>>> generated on the fly. But this is really an implementation
>>> decision (although things do start to get interesting when dealing
>>> with references across partition boundaries).
>>
>> I noticed that the memberOf tab in AD Users and Computers does not
>> show group membership for groups that are not in the same domain as
>> the user. Access controls were still correctly applied though, so
>> those interfaces must be enumerating group membership some other way.
>
> Right, this is because it's expensive (I think they'll show such
> memberships if you query through the GC port [3268] but that
> requires you talk to a GC).
>
> When a non-GC KDC builds a PAC, it will contact a GC over RPC to
> complete the user's token (cf. IDL_DRSGetMemberships).
>
> -- Luke
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>
--
www.padl.com | www.fghr.net
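The design the thread settles on (store only "member", derive "memberOf" on demand from a table of link tuples, as Luke describes AD doing) is easy to show in a few dozen lines. The following is an added illustration, not code from this thread, from XAD, OpenLDAP or Active Directory; it assumes an in-memory link table keyed by entry id, and the DNs and group nesting are constructed sample data. It also goes a step beyond the thread by walking nested groups with a visited set, since a group cycle would otherwise make the on-the-fly computation loop forever, and by refusing to fabricate a membership for a dangling "member" reference.

```python
"""Derive memberOf from stored member links (added example; constructed data)."""
from collections import defaultdict

# Constructed sample directory: entry id -> (dn, list of member DNs).
# Only the forward attribute "member" is stored; ids stand in for whatever
# row identifiers the backend uses. devs -> loop -> staff -> devs forms a cycle.
ENTRIES = {
    1: ("cn=alice,ou=users,dc=example,dc=com", []),
    2: ("cn=bob,ou=users,dc=example,dc=com", []),
    3: ("cn=devs,ou=groups,dc=example,dc=com",
        ["cn=alice,ou=users,dc=example,dc=com",
         "cn=loop,ou=groups,dc=example,dc=com"]),
    4: ("cn=staff,ou=groups,dc=example,dc=com",
        ["cn=devs,ou=groups,dc=example,dc=com",
         "cn=bob,ou=users,dc=example,dc=com",
         "cn=ghost,ou=users,dc=example,dc=com"]),  # dangling reference
    5: ("cn=loop,ou=groups,dc=example,dc=com",
        ["cn=staff,ou=groups,dc=example,dc=com"]),
}


class LinkTable:
    """Forward/back index over (group_id, member_id) link tuples.

    Both indexes are rebuilt from the single stored attribute, so there is
    no second copy of the membership data that can drift out of sync.
    """

    def __init__(self, entries):
        self.dn_to_id = {dn: eid for eid, (dn, _) in entries.items()}
        self.id_to_dn = {eid: dn for eid, (dn, _) in entries.items()}
        self.forward = defaultdict(set)   # group_id  -> member ids
        self.backward = defaultdict(set)  # member_id -> group ids
        for gid, (_, members) in entries.items():
            for mdn in members:
                mid = self.dn_to_id.get(mdn)
                if mid is None:
                    # No such entry: skip rather than invent a link.
                    continue
                self.forward[gid].add(mid)
                self.backward[mid].add(gid)

    def member(self, group_dn):
        """Forward link: the stored "member" values that resolve to entries."""
        gid = self.dn_to_id[group_dn]
        return sorted(self.id_to_dn[m] for m in self.forward[gid])

    def member_of(self, dn, transitive=False):
        """Back link computed on the fly; transitive=True walks nested groups.

        The visited set guarantees termination even when groups form a cycle.
        """
        start = self.dn_to_id[dn]
        visited, stack, result = set(), [start], set()
        while stack:
            cur = stack.pop()
            for gid in self.backward[cur]:
                result.add(gid)
                if transitive and gid not in visited:
                    visited.add(gid)
                    stack.append(gid)
        return sorted(self.id_to_dn[g] for g in result)

    def is_member(self, dn, group_dn):
        """Access-control style check: is dn in group_dn, directly or nested?"""
        return group_dn in self.member_of(dn, transitive=True)


if __name__ == "__main__":
    table = LinkTable(ENTRIES)
    alice = "cn=alice,ou=users,dc=example,dc=com"
    print("direct:    ", table.member_of(alice))
    print("transitive:", table.member_of(alice, transitive=True))
    print("in staff?  ", table.is_member(alice, "cn=staff,ou=groups,dc=example,dc=com"))
```

Direct membership for alice is just devs; the transitive walk adds staff and loop and then stops when it sees devs again instead of spinning. Note that the ghost entry referenced from staff never appears in any result, which is the behaviour you want when a "member" value points at a deleted or never-created object.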