[PATCHES RESEND] idmap_rfc2307 module

Christof Schmitt christof.schmitt at us.ibm.com
Thu Aug 23 16:12:41 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 08/23/2012 02:20:06 PM:

> On Tue, 2012-08-21 at 17:19 -0600, Christof Schmitt wrote:
> > Resending the patches since i have not seen any feedback. These
> > patches have been rebased to apply on the current master branch.
> > 
> > The basic idea is to retrieve the id mapping information from RFC2307
> > LDAP records. The records can be stored in a stand-alone LDAP server
> > or in the ADS LDAP server. Patch 0007 adds a man page that should give
> > an overview.
> > 
> > Feedback? What needs to be done to get this accepted in master?
> 
> I'm trying to understand how this fits into the landscape of available
> options.

The main point is that the new module queries RFC2307 records for the
name<->id mapping. It adds support for multiple domains and storing user
and group mappings in different LDAP suffixes. No other module does
that. idmap_nss can be used only for a limited setup with only one domain.

> Is it correct to say that:
> 
>  - Compared to idmap_ad it stores all the attributes in a single
> (possibly but not required to be) AD server even for trusted domains
> and

idmap_ad retrieves SID<->id mappings from the AD server. The new
module retrieves name<->id mappings and only name<->SID mappings from
the AD server.

>  - Compared to idmap_ldap it does the mapping via the username so the
> ldap server doesn't need to have a SID in it

Yes, the records do not need the SID.

>  - Compared to idmap_nss it allows winbindd to be used for nsswitch?

It supports multiple domains and using the full DOMAIN\USER name.

> If it fills a need that existing modules don't meet then it seems
> reasonable to include it.  I presume you feel it is clearer if this is a
> new module with lots of shared code compared to an optional
> configuration of idmap_ldap or idmap_ad?

It is a new approach for id mapping, so it deserves to be a new
module. The main overlap with the existing modules is establishing the
connection to the LDAP servers, so I tried to reuse that code. The
mapping logic is different from the existing modules, but the same for
using records in ADS or in a stand-alone LDAP server.

> However, we really should test it, as well as at least idmap_ad. 
> 
> We have an AD DC in our test environment, so setting up two new samba3
> domain members (one for idmap_ad and another for idmap_rfc2307) should
> not be difficult at all.  Then we should be able to write a test that
> creates some standard mappings and confirms that everything still works
> (running it also against the 'dc' environment would also allow it's
> rfc2307 mode to be tested). 
> 
> I can assist you with this.

More work. ;)

I guess I will need some guidance with implementing these tests, but I
would try to implement the test for the winbind PAC patch before
approaching this.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
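As an added illustration of the mapping flow discussed in this message, and not code from the patch series or from Samba itself: a small Python model of name<->id resolution against RFC2307 records, where each Windows domain has its own user and group suffix, records carry uidNumber/gidNumber but no SID, and the name<->SID step is a separate stand-in for the AD lookup. The LDIF data, the domain names, the SIDs and the DomainConfig/DOMAINS names are all constructed for this example.

```python
"""Model of RFC2307 name<->id resolution with per-domain LDAP suffixes.

Added example, not Samba's idmap_rfc2307 code. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed sample RFC2307 records: two domains, user and group entries in
# different suffixes. The records carry uidNumber/gidNumber but no SID.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=corp,dc=example
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 20001

dn: cn=staff,ou=Groups,dc=corp,dc=example
objectClass: posixGroup
cn: staff
gidNumber: 20001

dn: uid=bob,ou=Users,dc=partner,dc=example
objectClass: posixAccount
uid: bob
uidNumber: 30001
gidNumber: 40001

dn: cn=vendors,ou=Groups,dc=partner,dc=example
objectClass: posixGroup
cn: vendors
gidNumber: 40001
"""


@dataclass(frozen=True)
class DomainConfig:
    """Hypothetical per-domain settings: where user and group records live."""
    user_suffix: str
    group_suffix: str


# Hypothetical configuration: one suffix pair per Windows domain name.
DOMAINS = {
    "CORP": DomainConfig("ou=People,dc=corp,dc=example",
                         "ou=Groups,dc=corp,dc=example"),
    "PARTNER": DomainConfig("ou=Users,dc=partner,dc=example",
                            "ou=Groups,dc=partner,dc=example"),
}

# Constructed stand-in for the separate AD SID<->name step.
AD_NAME_BY_SID = {
    "S-1-5-21-1-2-3-1104": "CORP\\alice",
    "S-1-5-21-7-8-9-1201": "PARTNER\\bob",
}


def parse_ldif(text):
    """Parse minimal LDIF: 'dn:' plus 'attr: value' lines, blank-line separated."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


ENTRIES = parse_ldif(SAMPLE_LDIF)


def _split_name(full_name):
    """Split DOMAIN\\name; a bare name is accepted only with a single domain."""
    if "\\" in full_name:
        domain, name = full_name.split("\\", 1)
        return domain.upper(), name
    if len(DOMAINS) == 1:
        return next(iter(DOMAINS)), full_name
    raise ValueError("unqualified name %r is ambiguous with multiple domains" % full_name)


def _lookup(entries, suffix, object_class, name_attr, name, id_attr):
    """Return the numeric id of the record matching name under suffix, or None."""
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn.lower().endswith("," + suffix.lower()):
            continue  # record lives in another domain's suffix
        if object_class not in e.get("objectClass", []):
            continue
        if name.lower() not in (v.lower() for v in e.get(name_attr, [])):
            continue
        return int(e[id_attr][0])
    return None


def name_to_uid(full_name, entries=ENTRIES):
    domain, user = _split_name(full_name)
    cfg = DOMAINS.get(domain)
    if cfg is None:
        return None
    return _lookup(entries, cfg.user_suffix, "posixAccount", "uid", user, "uidNumber")


def name_to_gid(full_name, entries=ENTRIES):
    domain, group = _split_name(full_name)
    cfg = DOMAINS.get(domain)
    if cfg is None:
        return None
    return _lookup(entries, cfg.group_suffix, "posixGroup", "cn", group, "gidNumber")


def sid_to_uid(sid, entries=ENTRIES):
    """SID -> name via the (stand-in) AD step, then name -> uid via RFC2307."""
    full_name = AD_NAME_BY_SID.get(sid)
    return None if full_name is None else name_to_uid(full_name, entries)
```

The point to check in a real deployment is the one `name_to_uid("CORP\\bob")` exercises: a user record that exists only under another domain's suffix must not resolve, otherwise two domains with the same short name collide.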
