[PATCHES RESEND] idmap_rfc2307 module

Andrew Bartlett abartlet at samba.org
Thu Aug 23 16:21:40 MDT 2012


On Thu, 2012-08-23 at 15:12 -0700, Christof Schmitt wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 08/23/2012 02:20:06 PM:
> 
> > On Tue, 2012-08-21 at 17:19 -0600, Christof Schmitt wrote:
> > > Resending the patches since I have not seen any feedback. These
> > > patches have been rebased to apply on the current master branch.
> > > 
> > > The basic idea is to retrieve the id mapping information from RFC2307
> > > LDAP records. The records can be stored in a stand-alone LDAP server
> > > or in the ADS LDAP server. Patch 0007 adds a man page that should give
> > > an overview.
> > > 
> > > Feedback? What needs to be done to get this accepted in master?
> > 
> > I'm trying to understand how this fits into the landscape of available
> > options.
> 
> The main point is that the new module queries RFC2307 records for the
> name<->id mapping. It adds support for multiple domains and storing user and
> group mappings in different LDAP suffixes. No other module does
> that. idmap_nss can be used only for a limited setup with only one domain.

Why do you need the different suffixes, rather than just using the
common base and a search filter?

> > Is it correct to say that:
> > 
> >  - Compared to idmap_ad it stores all the attributes in a single
> > (possibly but not required to be) AD server even for trusted domains
> > and
> 
> idmap_ad retrieves SID<->id mappings from the AD server. The new
> module retrieves name<->id mappings and only name<->SID mappings from
> the AD server.
> 
> >  - Compared to idmap_ldap it does the mapping via the username so the
> > ldap server doesn't need to have a SID in it
> 
> Yes, the records do not need the SID.
> 
> >  - Compared to idmap_nss it allows winbindd to be used for nsswitch?
> 
> It supports multiple domains and using the full DOMAIN\USER name.
> 
> > If it fills a need that existing modules don't meet then it seems
> > reasonable to include it.  I presume you feel it is clearer if this is a
> > new module with lots of shared code compared to an optional
> > configuration of idmap_ldap or idmap_ad?
> 
> It is a new approach for id mapping, so it deserves to be a new
> module. The main overlap with the existing modules is establishing the
> connection to the LDAP servers, so I tried to reuse that code. The
> mapping logic is different from the existing modules, but the same for
> using records in ADS or in a stand-alone LDAP server.

Sounds reasonable to me. 

> > However, we really should test it, as well as at least idmap_ad. 
> > 
> > We have an AD DC in our test environment, so setting up two new samba3
> > domain members (one for idmap_ad and another for idmap_rfc2307) should
> > not be difficult at all.  Then we should be able to write a test that
> > creates some standard mappings and confirms that everything still works
> > (running it also against the 'dc' environment would also allow its
> > rfc2307 mode to be tested).
> > 
> > I can assist you with this.
> 
> More work. ;)

I know, but so little of this code is properly tested, and 'untested
code is broken code'.  As we now have the infrastructure to do full AD
testing with winbindd, we should use it :-)

(This wasn't the case up until May 2011, when we got the merged build
working, which is why there isn't as strong a history of test cases
here). 

> I guess I will need some guidance with implementing these tests, but I
> would try to implement the test for the winbind PAC patch before
> approaching this.

Certainly,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
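The lookup the thread describes (per-domain configuration, user and group records under different LDAP suffixes, DOMAIN\USER names resolved to a uid or gid), as an added model written for this page; it is not code from the patch series or from Samba. The directory contents and the configuration keys bind_path_user, bind_path_group and range are constructed assumptions; the attribute names are the standard RFC 2307 schema. The model also carries the two checks a practitioner wants around such a lookup: the name is escaped before it is placed in the search filter, and an id outside the domain's configured range is refused rather than returned.

```python
# Toy model of the name<->id lookup discussed in the thread. Constructed
# sample data and an assumed configuration layout; not Samba's idmap_rfc2307
# code. Attribute names (uid, cn, uidNumber, gidNumber, posixAccount,
# posixGroup) are the standard RFC 2307 schema.

# Constructed RFC 2307-style directory: DN -> attributes (values as lists).
DIRECTORY = {
    "uid=alice,ou=People,dc=corp,dc=example": {
        "objectClass": ["posixAccount"], "uid": ["alice"], "uidNumber": ["10001"]},
    "cn=devs,ou=Group,dc=corp,dc=example": {
        "objectClass": ["posixGroup"], "cn": ["devs"], "gidNumber": ["20001"]},
    "uid=bob,ou=People,dc=partner,dc=example": {
        "objectClass": ["posixAccount"], "uid": ["bob"], "uidNumber": ["30005"]},
    # Record whose uidNumber lies outside PARTNER's configured range.
    "uid=eve,ou=People,dc=partner,dc=example": {
        "objectClass": ["posixAccount"], "uid": ["eve"], "uidNumber": ["999"]},
}

# Per-domain settings in the spirit of "idmap config DOMAIN : ..." (assumed
# keys): user and group records live under separate suffixes, and every
# domain owns a disjoint id range.
CONFIG = {
    "CORP": {"bind_path_user": "ou=People,dc=corp,dc=example",
             "bind_path_group": "ou=Group,dc=corp,dc=example",
             "range": (10000, 29999)},
    "PARTNER": {"bind_path_user": "ou=People,dc=partner,dc=example",
                "bind_path_group": "ou=Group,dc=partner,dc=example",
                "range": (30000, 39999)},
}


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    caller-supplied name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(kind, name):
    """The filter a real module would send to the server; kind is 'user' or 'group'."""
    if kind == "user":
        return "(&(objectClass=posixAccount)(uid=%s))" % ldap_escape(name)
    return "(&(objectClass=posixGroup)(cn=%s))" % ldap_escape(name)


def search(base, wanted):
    """Subtree search over the toy directory: entries under `base` whose
    attributes contain every (attr, value) pair in `wanted`."""
    suffix = "," + base.lower()
    return [entry for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(suffix)
            and all(value in entry.get(attr, []) for attr, value in wanted.items())]


def name_to_id(qualified_name, kind):
    """Map 'DOMAIN\\name' to a uid or gid; return None when there is no unique
    record under that domain's suffix or the id is outside its range."""
    if "\\" not in qualified_name:
        return None
    domain, name = qualified_name.split("\\", 1)
    cfg = CONFIG.get(domain.upper())
    if cfg is None:
        return None                     # unknown domain: nothing to consult
    if kind == "user":
        base = cfg["bind_path_user"]
        wanted = {"objectClass": "posixAccount", "uid": name}
        id_attr = "uidNumber"
    else:
        base = cfg["bind_path_group"]
        wanted = {"objectClass": "posixGroup", "cn": name}
        id_attr = "gidNumber"
    matches = search(base, wanted)
    if len(matches) != 1:
        return None                     # missing or ambiguous record
    xid = int(matches[0][id_attr][0])
    lo, hi = cfg["range"]
    if not lo <= xid <= hi:
        return None                     # id outside the domain's range: refuse it
    return xid


if __name__ == "__main__":
    for who, kind in [("CORP\\alice", "user"), ("CORP\\devs", "group"),
                      ("PARTNER\\bob", "user"), ("PARTNER\\eve", "user")]:
        print(who, kind, build_filter(kind, who.split("\\", 1)[1]), name_to_id(who, kind))
```

The range check is what keeps the per-domain suffixes honest: a record under PARTNER's suffix that carries a CORP-range uidNumber would otherwise let one directory assign an id belonging to another domain, which is the collision the disjoint ranges exist to prevent.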