[PATCHES RESEND] idmap_rfc2307 module

Andrew Bartlett abartlet at samba.org
Wed Aug 29 15:41:58 MDT 2012


On Fri, 2012-08-24 at 10:37 -0700, Christof Schmitt wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 08/23/2012 03:21:40 PM:
> 
> > On Thu, 2012-08-23 at 15:12 -0700, Christof Schmitt wrote:
> > > The main point is that the new module queries RFC2307 records for the
> > > name<->id. It adds support for multiple domains and storing user and
> > > group mappings in different LDAP suffixes. No other module does
> > > that. idmap_nss can be used only for a limited setup with only one domain.
> > 
> > Why do you need the different suffixes, rather than just using the
> > common base and a search filter?
> 
> We have seen directories where there are different records for the
> same user or the same group in different parts of the LDAP
> hierarchy. Using different suffixes for users and groups allows us to
> point to the specific records to query.

That's weird.  The reason I'm so picky about this is that as we try and
more closely emulate a NTFS file server, the distinction between a user
and a group breaks down.  Groups can own files, and users can become
groups when they become entries in a sidHistory.

I've started to find this very painful myself as I work on migrating
'classic' samba domains into Samba4, as we need 'domain admins' to own
some group policy object.

That's why I'm nervous about further embedding a split between users and
groups.  For example, it would be great to be able to map a SID to the
user-private group (RH style) if we needed to.

Now, a real-world site trumps theoretical objections, and this module
has a specialist role in an environment that is more strictly user/group
delineated, but I wanted to explain my reasoning so you could see if
there is any other way you could avoid embedding such a delineation
while finding only the 'right' users.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
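As an added illustration (not part of the thread above, and not taken from the submitted patch), the following smb.conf fragment shows what the "different LDAP suffixes for users and groups" look like in practice, using the parameter names documented for the merged idmap_rfc2307 backend; the domain name, ID range and DNs are placeholders. It is included to make concrete the user/group split that the reply argues against.

```ini
# Constructed example: one idmap domain backed by a stand-alone LDAP server.
# Parameter names follow the idmap_rfc2307(8) man page; values are placeholders.
[global]
    idmap config * : backend = tdb
    idmap config * : range   = 1000000-1999999

    # Separate ID range for the EXAMPLE domain, resolved via RFC 2307 records.
    idmap config EXAMPLE : backend     = rfc2307
    idmap config EXAMPLE : range       = 10000-99999
    idmap config EXAMPLE : ldap_server = stand-alone
    idmap config EXAMPLE : ldap_url    = ldap://ldap.example.invalid

    # The split discussed in the thread: posixAccount entries are searched
    # under one suffix, posixGroup entries under another. A SID is therefore
    # only ever looked up in the subtree matching its type, which is exactly
    # the user/group delineation the reply warns about.
    idmap config EXAMPLE : bind_path_user  = ou=People,dc=example,dc=invalid
    idmap config EXAMPLE : bind_path_group = ou=Groups,dc=example,dc=invalid

    # Directory-side domain name for the multi-domain case mentioned above.
    idmap config EXAMPLE : ldap_domain = example.invalid
```

Pointing both bind paths at the same base DN collapses the split back to the "common base plus search filter" shape suggested in the reply, at the cost of trusting that the directory has no duplicate uid/gid records in different parts of the tree, which is the situation that motivated the two suffixes in the first place.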



More information about the samba-technical mailing list