[PATCHES RESEND] idmap_rfc2307 module
Christof Schmitt
christof.schmitt at us.ibm.com
Thu Aug 23 16:12:41 MDT 2012
Andrew Bartlett <abartlet at samba.org> wrote on 08/23/2012 02:20:06 PM:
> On Tue, 2012-08-21 at 17:19 -0600, Christof Schmitt wrote:
> > Resending the patches since i have not seen any feedback. These
> > patches have been rebased to apply on the current master branch.
> >
> > The basic idea is to retrieve the id mapping information from RFC2307
> > LDAP records. The records can be stored in a stand-alone LDAP server
> > or in the ADS LDAP server. Patch 0007 adds a man page that should give
> > an overview.
> >
> > Feedback? What needs to be done to get this accepted in master?
>
> I'm trying to understand how this fits into the landscape of available
> options.
The main point is that the new module queries RFC2307 records for the
name<->id. It adds support for multiple domains and storing user and
group mappings in different LDAP suffixes. No other module does
that. idmap_nss can be used only for a limited setup with only one domain.
> Is it correct to say that:
>
> - Compared to idmap_ad it stores all the attributes in a single
> (possibly but not required to be) AD server even for trusted domains
> and
idmap_ad retrieves SID<->id mappings from the AD server. The new
module retrieves name<->id mappings and only name<->SID mappings from
the AD server.
> - Compared to idmap_ldap it does the mapping via the username so the
> ldap server doesn't need to have a SID in it
Yes, the records do not need the SID.
> - Compared to idmap_nss it allows winbindd to be used for nsswitch?
It supports multiple domains and using the full DOMAIN\USER name.
> If it fills a need that existing modules don't meet then it seems
> reasonable to include it. I presume you feel it is clearer if this is a
> new module with lots of shared code compared to an optional
> configuration of idmap_ldap or idmap_ad?
It is a new approach for id mapping, so it deserves to be a new
module. The main overlap with the existing modules is establishing the
connection to the LDAP servers, so I tried to reuse that code. The
mapping logic is different from the existing modules, but the same for
using records in ADS or in a stand-alone LDAP server.
> However, we really should test it, as well as at least idmap_ad.
>
> We have an AD DC in our test environment, so setting up two new samba3
> domain members (one for idmap_ad and another for idmap_rfc2307) should
> not be difficult at all. Then we should be able to write a test that
> creates some standard mappings and confirms that everything still works
> (running it also against the 'dc' environment would also allow it's
> rfc2307 mode to be tested).
>
> I can assist you with this.
More work. ;)
I guess I will need some guidance with implementing these tests, but I
would try to implement the test for the winbind PAC patch before
approaching this.
Regards,
Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
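An illustration of the lookup chain the thread describes (SID to DOMAIN\name via the domain controller, then name to uidNumber/gidNumber from RFC2307 records held under per-domain user and group suffixes), added here as an example; it is not the module's code, and every SID, suffix and record below is constructed sample data.

```python
"""Illustration of the idmap_rfc2307 lookup chain (added example, not the
module's code): SID -> DOMAIN\\name via the domain controller, then name ->
uidNumber/gidNumber from RFC2307 records under per-domain LDAP suffixes."""
from typing import Optional, Tuple

# Constructed: what a DC answers for SID -> (domain, name, type).
SID_TO_NAME = {
    "S-1-5-21-1-1-1-1105": ("CORP", "alice", "user"),
    "S-1-5-21-1-1-1-2001": ("CORP", "engineering", "group"),
    "S-1-5-21-9-9-9-1301": ("PARTNER", "bob", "user"),
    "S-1-5-21-9-9-9-1302": ("PARTNER", "carol", "user"),  # no POSIX record
}
# Constructed RFC2307 records keyed by LDAP suffix. No entry carries a SID:
# only the POSIX name and number are stored, as the thread points out.
LDAP = {
    "ou=People,dc=corp,dc=example": [
        {"objectClass": "posixAccount", "uid": "alice", "uidNumber": 10001}],
    "ou=Groups,dc=corp,dc=example": [
        {"objectClass": "posixGroup", "cn": "engineering", "gidNumber": 20001}],
    "ou=Users,dc=partner,dc=example": [
        {"objectClass": "posixAccount", "uid": "bob", "uidNumber": 30001}],
}
# Constructed per-domain configuration: (user suffix, group suffix), so user
# and group records may live in different parts of the tree for each domain.
DOMAINS = {
    "CORP": ("ou=People,dc=corp,dc=example", "ou=Groups,dc=corp,dc=example"),
    "PARTNER": ("ou=Users,dc=partner,dc=example", "ou=Groups,dc=partner,dc=example"),
}
# objectClass, name attribute and id attribute used for each lookup type.
SCHEMA = {"user": ("posixAccount", "uid", "uidNumber"),
          "group": ("posixGroup", "cn", "gidNumber")}

def rfc2307_lookup(suffix: str, name: str, kind: str) -> Optional[int]:
    """Stands in for an LDAP search (&(objectClass=oc)(uid|cn=name)) under suffix."""
    oc, name_attr, id_attr = SCHEMA[kind]
    for entry in LDAP.get(suffix, []):
        if entry["objectClass"] == oc and entry[name_attr] == name:
            return entry[id_attr]
    return None  # no RFC2307 record: the SID stays unmapped

def sid_to_id(sid: str) -> Optional[Tuple[str, int]]:
    """Map a SID to ('user', uid) or ('group', gid); None if unmapped."""
    if sid not in SID_TO_NAME or SID_TO_NAME[sid][0] not in DOMAINS:
        return None  # unknown SID, or domain not configured for this backend
    domain, name, kind = SID_TO_NAME[sid]
    user_suffix, group_suffix = DOMAINS[domain]
    number = rfc2307_lookup(user_suffix if kind == "user" else group_suffix, name, kind)
    return None if number is None else (kind, number)
```

A name the DC resolves but for which no posixAccount/posixGroup record exists under the configured suffix (carol above) stays unmapped, which is the case an administrator will most often have to diagnose with this backend.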