LDAP PDB and IDMAP design and implementation

Andrew Bartlett abartlet at samba.org
Wed Jun 18 11:01:42 GMT 2003


On Wed, 2003-06-18 at 20:39, Ronny Bremer wrote:
> >In particular, it seems rather limited in what it can do - we seem
> >unable to modify an existing mapping, and we do not pay correct
> >attention to existing entries in LDAP when we do!
> 
> We also need to think about people with an already deployed LDAP
> directory who want to add Samba to it. In that case, UIDs might already
> exist, as they are used for Linux/Unix access of those DNs, so the
> required posixAccount attributes are filled.

This is the primary motivation for my proposal.

> >  - All new user entries are added under the 'ldap user suffix'
> >  - All new machine entries are added under the 'ldap machine
> suffix'
> >  and so for groups, idmap and machines.
> 
> Maybe we should also provide a way to restrict Samba from adding to the
> LDAP store. Some LDAP administrators are worried about adding account
> through Samba, as there is no way to place them correctly into the LDAP
> tree. They can, of course, move the user afterwards, but in many cases
> they like to control who goes where in the first place.
> 
> >  - Allow modification of idmap entries
> 
> I need to do more research here.

The tricky bit is doing this atomically - particularly when the old
entry was an 'idmap only' entry, and the new one is on a user's
existing DN.

> >  - Wherever possible, annotate existing DNs when adding idmap
> entries,
> >rather than adding new entries under the 'idmap suffix'.
> 
> This seems to conflict with your suggestion of using the Domain SID as
> the CN (see below).
> Usually, users are created in LDAP with their "login id" as the cn, so
> it gets mapped to "uid" for Unix/Linux login purposes. There are
> differences, however. Many ADS administrators use the full user name as
> the CN, so it shows up in their User/Group Management tool in a more
> descriptive way.
> 
> If you wanna modify existing entries (which I would strongly suggest,
> in order to remove redundancy and also to be compliant with existing
> LDAP tree designs) we should not count on being able to use the SID as a
> CN.

I'm intending that this only be used for SIDs that we cannot find an
existing DN to map onto.

> Just my 2 cents.

Thank you very much for your comments,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net