[Samba] Fixed it myself... (ldap/winbind)

Paul Gienger pgienger at ae-solutions.com
Fri Jun 11 13:27:14 GMT 2004

>>I say:
>>First off, you are saying a lot that is "clearly false". LDAP can be used blindly in this case. All I needed is a way to avoid having winbind on system A assign UIDs that are different from those on system B. If the UIDs are not identical on all member unix servers, it screws up permissions on things like NFS, which still has applications in my world.
>That is the point of LDAP - you set it up to maintain your unix accounts
>and the member machines use it for authentication. Therefore, 1 user, 1
>account on all machines that use LDAP for authentication. The
>alternative to LDAP for this is NIS and that is not convergent with
Excuse me, but the assumption that LDAP = posix account repository is so 
false it isn't even funny. Definition obtainable by STFW:

*LDAP* - Acronym for Lightweight Directory Access Protocol. It is a 
protocol for accessing information directories such as organizations, 
individuals, phone numbers, and addresses. It is based on the X.500 
directory protocols,

That doesn't say much about storing my account information.  And just so 
we're all clear on what X.500 is:
An ISO <http://www.webopedia.com/TERM/X/ISO.html> and ITU 
<http://www.webopedia.com/TERM/X/ITU.html> standard that defines how 
global directories should be structured. X.500 directories are 
hierarchical <http://www.webopedia.com/TERM/X/hierarchical.html> with 
different levels for each category of information, such as country, 
state, and city

That being said,
We do lots of things with our ldap structure that have really nothing to 
do with authenticating users, the easiest to explain being storing 
automount information.  Sun uses it for storing lots of crap for general 
system configuration.  Some people use it for DNS.  Storing SID->UID 
mappings is no different since pam/nsswitch doesn't look directly at the 
idmap object at all to figure out what users are what number, it relies 
on the nss/pam winbind module for that, which 'can' use LDAP as a data 
store.  LDAP is just a network distributed information database, which 
happens to be used a lot for account management.

If you're going to come off like a pompous ass, please use a technically 
valid argument.  Just because someone doesn't search the archives, which, 
by the way, don't have a search feature and, I'm pretty sure, didn't 
include an ldif for a working idmap backend in the last couple of 
months, isn't a good reason to go on a flame war.

Paul Gienger                     Office:		
Applied Engineering Inc.         Cell:			
Information Systems Consultant   Fax:			701-281-1322
URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
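What the thread keeps circling around is the missing concrete artifact: the LDAP objects that let every member server's winbind share one SID-to-UID table. The following is an added example, not from the original post or from the Samba project's documentation. It assumes Samba 3.0.x syntax (the release current when this was posted), a base DN of dc=example,dc=com, an admin DN of cn=Manager, an ID range of 10000-19999, and a constructed domain SID; all of those are placeholders. The smb.conf parameters it depends on are given as comments at the top so the whole thing sits in one block.

```ldif
# Added example (not from the original post). Assumed: Samba 3.0.x,
# base DN dc=example,dc=com, and a constructed domain SID
# S-1-5-21-1111111111-2222222222-3333333333. Replace all of these.
#
# smb.conf [global] on EVERY Unix member server. The values must be
# identical everywhere, otherwise each winbind keeps its own idmap and
# the UIDs drift apart, which is exactly what breaks NFS ownership:
#   winbind use default domain = yes
#   idmap uid         = 10000-19999
#   idmap gid         = 10000-19999
#   idmap backend     = ldap:ldap://ldap.example.com
#   ldap suffix       = dc=example,dc=com
#   ldap idmap suffix = ou=Idmap
#   ldap admin dn     = cn=Manager,dc=example,dc=com
# The bind password for the admin dn goes into secrets.tdb on each
# server with:  smbpasswd -w <password>

# The idmap container. sambaUnixIdPool carries the next free uid/gid;
# winbind reads and bumps these counters when it allocates a new mapping.
# Load this object once, before any winbind is pointed at the tree.
dn: ou=Idmap,dc=example,dc=com
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
uidNumber: 10000
gidNumber: 10000

# One mapping entry in the shape winbind itself writes (constructed here
# for illustration). After this allocation the pool's uidNumber would read
# 10001. Every server that resolves RID 1106 through winbind + idmap_ldap
# now answers uid 10000, so a file owned by that user on an NFS export
# shows the same owner on all of them.
dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1106,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1106
uidNumber: 10000
```

The samba.schema shipped with the Samba sources (examples/LDAP/samba.schema) must be included in slapd.conf for sambaUnixIdPool, sambaIdmapEntry and sambaSidEntry to exist; then load the container with `ldapadd -x -D cn=Manager,dc=example,dc=com -W -f idmap.ldif`. To confirm the servers agree, run `wbinfo -S S-1-5-21-...-1106` (or `getent passwd <user>`) on two members and compare the uid. Two caveats a practitioner should weigh: the admin dn configured here has write access to the idmap tree, so restrict slapd ACLs to that subtree rather than reusing a directory-wide manager account, and because winbind binds with that password, point the backend at an ldaps:// URL (or otherwise protect the link) rather than sending the credential in the clear across the network.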
