Idmap feature request/suggestion

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue May 15 08:59:08 MDT 2012


On Tue, May 15, 2012 at 05:46:09PM +0300, Nimrod Sapir wrote:
> simo <idra at samba.org> wrote on 15/05/2012 16:27:35:
> 
> > > LDAP is not supported as id mapping only backend, but as a full
> > > authentication/id mapping mechanism. So, if we would like to allow the
> > > user to authenticate windows accounts using AD, while using ldap to match
> > > the SID of those users to the UID of their corresponding linux accounts,
> > > that cannot be done.
> > 
> > Sorry, but this is not true, take a look at the idmap_ldap man page.
> 
> Maybe I fail to understand the behavior of the ldap backend. What I would
> like to have is using an external ldap for matching Windows accounts to Linux
> accounts (similar to the usage of SFU). So, the customer should be the one
> writing the entries to the ldap (which contains a mapping between the
> Windows SID/account and the corresponding Linux UID). This is meant to be
> used by customers who want to provide the same permissions to Windows
> and linux accounts, but do not want to extend the AD schema with SFU. Is the
> described behavior possible using the idmap_ldap?

Sure. The schema is quite simple and can be found under
examples/LDAP in the Samba source. Look for sambaIdmapEntry
in samba.ldap. If you create the appropriate entries for all
users in the directory you point idmap_ldap to, you should
be all set.

> I understand the risk here. The user will have to be aware of the fact
> that adding a new mapping on an external database (for example, SFU) for
> an account that is already using the file system will have an impact on the
> permissions of his files. Still, consider this scenario: A customer has an
> Active Directory of 10,000 accounts, of which 100 also have a
> corresponding Linux account. Assuming he has SFU enabled, he will
> actually need to provide a uid for each of the 10,000 user accounts, while
> making sure those UIDs do not belong to other windows users (across the
> forest), other linux users (including the ones who do not have a windows
> account at all), and any internal UID used by the system. This is a
> configuration nightmare and not always feasible. If he had the possibility
> of using two different backends (with two different ranges), he would be
> able to only provide the UID information for the 100 relevant accounts
> (whose UIDs he already knows), and let the system (using rid/tdb2) provide
> auto-generated UIDs for all the other accounts, from a different pool. The
> same goes for users who want to use NIS as a backend for id mapping. Do
> you have any suggestion on how to handle such a scenario?

If you pre-fill the directory correctly for the 100
accounts, idmap_ldap will pick values itself for the rest.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
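As an added illustration of the pre-filling Volker describes (this is example code written for this page, not Samba's own code and not anything posted in the thread): the script below takes the hand-known SID to UID list for the "100 relevant accounts", refuses to emit anything if a UID collides with a local or system account, falls outside the configured idmap range, or is used twice, and otherwise renders the LDIF for one sambaIdmapEntry per account plus the sambaUnixIdPool entry from which idmap_ldap allocates ids for everyone else. The object classes sambaIdmapEntry, sambaSidEntry and sambaUnixIdPool come from examples/LDAP/samba.schema in the Samba source; the base DN, the domain SID, the UIDs, and the local passwd UIDs are constructed sample values. Starting the pool counter above the highest pre-filled UID is a precaution taken by this example so that automatic allocations never land on a hand-written entry.

```python
"""Pre-fill an idmap_ldap directory from a known SID -> UID list.

Added example, not Samba's own code.  Assumptions, labelled:
  - the directory uses the sambaIdmapEntry / sambaSidEntry / sambaUnixIdPool
    object classes from examples/LDAP/samba.schema in the Samba source;
  - the base DN, the domain SID, all UIDs and the local "passwd" UIDs used
    for the collision check are constructed sample values.
"""
import re

BASE_DN = "ou=Idmap,dc=example,dc=com"                     # constructed
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
IDMAP_RANGE = (10000, 19999)   # must match "idmap config DOM : range" in smb.conf

# The accounts whose UIDs the customer already knows (three of them, constructed).
KNOWN_MAPPINGS = {
    DOMAIN_SID + "-1105": 10001,   # alice
    DOMAIN_SID + "-1106": 10002,   # bob
    DOMAIN_SID + "-1107": 10005,   # carol
}

# UIDs already taken on the Linux side: system accounts, local users, NIS users.
# Constructed sample; a real run would collect these from getent passwd.
LOCAL_PASSWD_UIDS = {0, 1, 2, 33, 1000, 1001, 10005}

# Domain user/group SIDs have the form S-1-5-21-<a>-<b>-<c>-<rid>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def check_mappings(mappings, reserved_uids, id_range):
    """Return a list of problems; an empty list means the data is safe to load.

    These are exactly the collisions the thread worries about: duplicate UIDs
    among the Windows accounts, UIDs that belong to other Linux/system users,
    and UIDs outside the range idmap_ldap is configured to own.
    """
    low, high = id_range
    problems = []
    seen = {}
    for sid, uid in mappings.items():
        if not SID_RE.match(sid):
            problems.append(f"{sid}: not a domain user/group SID")
        if not low <= uid <= high:
            problems.append(f"{sid}: uid {uid} outside idmap range {low}-{high}")
        if uid in reserved_uids:
            problems.append(f"{sid}: uid {uid} already used by a local account")
        if uid in seen:
            problems.append(f"{sid}: uid {uid} also mapped to {seen[uid]}")
        seen[uid] = sid
    return problems


def pool_start(mappings, id_range):
    """First id the sambaUnixIdPool counter should hand out for unmapped users.

    Precautionary assumption of this example: the counter starts above the
    highest pre-filled UID so automatic allocations cannot hit a hand-written
    entry.
    """
    low, _ = id_range
    return max([low] + [uid + 1 for uid in mappings.values()])


def build_ldif(mappings, base_dn, id_range):
    """Render the pool entry and one sambaIdmapEntry per known account."""
    start = pool_start(mappings, id_range)
    ou_value = base_dn.split(",")[0].split("=", 1)[1]
    out = [
        f"dn: {base_dn}",
        "objectClass: organizationalUnit",
        "objectClass: sambaUnixIdPool",
        f"ou: {ou_value}",
        f"uidNumber: {start}",
        f"gidNumber: {start}",
        "",
    ]
    for sid, uid in sorted(mappings.items(), key=lambda kv: kv[1]):
        out += [
            f"dn: sambaSID={sid},{base_dn}",
            "objectClass: sambaSidEntry",
            "objectClass: sambaIdmapEntry",
            f"sambaSID: {sid}",
            f"uidNumber: {uid}",
            "",
        ]
    return "\n".join(out)


if __name__ == "__main__":
    found = check_mappings(KNOWN_MAPPINGS, LOCAL_PASSWD_UIDS, IDMAP_RANGE)
    for p in found:
        print("REFUSING:", p)          # carol's 10005 clashes with a local UID
    if not found:
        print(build_ldif(KNOWN_MAPPINGS, BASE_DN, IDMAP_RANGE))
```

With the sample data the run refuses, because the constructed local passwd list already contains UID 10005; drop that entry (or pick another UID for carol) and the script prints LDIF that can be loaded with ldapadd. On the Samba side the domain is then pointed at that subtree with `idmap config DOM : backend = ldap`, `idmap config DOM : range = 10000-19999` and `idmap config DOM : ldap_base_dn = ou=Idmap,dc=example,dc=com` (the parameter names are Samba's; the values are the sample ones above), and idmap_ldap serves the pre-filled entries as-is and allocates from the pool counter for every other account in the same domain, which is the behaviour Volker describes.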