Samba4 patch for manipulating Unix attributes via ADUC
Andrew Bartlett
abartlet at samba.org
Sat Jul 14 06:05:18 MDT 2012
On Sat, 2012-07-14 at 16:14 +1000, Robert Colquhoun wrote:
> On Thu, Jul 12, 2012 at 11:11 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> > How does the max uid/gid thing work, particularly with distributed user
> > creation? (This is why we never tried this before, because we were told
> > that no such mechanism existed).
>
> I don't know if this is relevant but openldap has a mechanism for the
> above using overlays:
>
> http://www.openldap.org/doc/admin24/overlays.html#Attribute%20Uniqueness
>
> Basically the ldap server needs to intercept adds and modifies and call
> a handler which then checks the (hopefully indexed) attribute for
> suitability, i.e. that it is unique.
>
> I would imagine in any normal system adding or modifying users would
> be well less than 1% of reads and thus safe to make relatively
> expensive operation to perform.
>
> Adding max uid/gid would require some kind of transaction support, as
> it would need to increment those values and add the user in a single
> operation or cancel everything.
>
> The other way is to create some sort of samba private area in ldap and use
> the uids and gids encoded into the dn, as that is guaranteed to be
> unique when doing an add.
The issue is doing this in a distributed way that is safe on a mix of AD
implementations including Samba and Microsoft.
So far, the only safe allocation mechanism is the RID allocation
mechanism.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
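As an added illustration of the point above (this is not code from the thread or from Samba): a small Python model of AD-style RID allocation, where a single RID master hands each DC a disjoint block and every DC then allocates locally, so user creation on several DCs at once never needs per-operation coordination or a transaction. The block size and the domain SID are assumed values chosen for the model.

```python
RID_POOL_SIZE = 500            # block size assumed for this model
DOMAIN_SID = "S-1-5-21-0-0-0"  # constructed placeholder domain SID


class RidMaster:
    """Holds the domain-wide counter. Only this role hands out blocks,
    so blocks never overlap no matter how many DCs request them."""

    def __init__(self, first_rid: int = 1000) -> None:
        self._next_start = first_rid

    def allocate_block(self) -> range:
        block = range(self._next_start, self._next_start + RID_POOL_SIZE)
        self._next_start += RID_POOL_SIZE
        return block


class DomainController:
    """Allocates RIDs from its private block; contacts the master only
    when the block is exhausted, never on each user creation."""

    def __init__(self, name: str, master: RidMaster) -> None:
        self.name = name
        self._master = master
        self._block = iter(())  # start with an exhausted block

    def next_rid(self) -> int:
        try:
            return next(self._block)
        except StopIteration:
            self._block = iter(self._master.allocate_block())
            return next(self._block)

    def create_user_sid(self) -> str:
        return f"{DOMAIN_SID}-{self.next_rid()}"


def simulate(dc_count: int, users_per_dc: int) -> dict:
    """Interleave user creation across DCs (as if they ran concurrently)
    and return each DC's issued SIDs, keyed by DC name."""
    master = RidMaster()
    dcs = [DomainController(f"DC{i}", master) for i in range(dc_count)]
    issued = {dc.name: [] for dc in dcs}
    for _ in range(users_per_dc):
        for dc in dcs:
            issued[dc.name].append(dc.create_user_sid())
    return issued


def all_unique(issued: dict) -> bool:
    """True if no SID was handed out twice across all DCs."""
    sids = [s for sids in issued.values() for s in sids]
    return len(sids) == len(set(sids))
```

Running `all_unique(simulate(3, 700))` shows every DC crossing a block boundary while the SIDs stay unique, which is the property a shared max-uid counter cannot give without a transaction.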