[PATCHES RESEND] idmap_rfc2307 module

Christof Schmitt christof.schmitt at us.ibm.com
Wed Aug 22 13:33:45 MDT 2012


steve <steve at steve-ss.com> wrote on 08/22/2012 11:00:17 AM:
> On 22/08/12 19:40, Christof Schmitt wrote:
> > Are you referring to the SFU attributes?
> 
> No, just the normal rfc2307 classes/attributes. posixAccount, 
> posixGroup, loginShell, unixHomeDirectory, uidNumber, gidNumber
> 
> If those are stored in AD, 3.x winbind can be used to access them e.g.
> 
> idmap config YOURDOMAIN:schema_mode = rfc2307
> winbind nss info = rfc2307

This uses data that is created by SFU and stored in the AD user
records. The schema_mode rfc2307 just uses different attributes, but
the general approach is the same. winbind queries the mapping between
SID and unix id from the AD user records and the data is managed
through the standard Windows tools.

> Do your patches offer anything over and above this. Better performance?

The new module queries the mapping between SID and user name from the
AD server. The name is then used to query the unix ids from RFC2307
LDAP records that can be stored anywhere in the AD LDAP server or on a
stand-alone LDAP server. This is a different approach that is required
to support existing user directories outside of AD and third-party
authentication solutions that create data in this format.

The mapping records for users only need these attributes:

uid: Administrator
uidNumber: 400000000

And the mapping records for groups only need these:

cn: Domain Users
gidNumber: 400000001

In short, the new module allows using different data sources for id
mappings. It might help to focus on the format of the records. The
fact that they can be retrieved from the AD LDAP is just one detail;
they can also be retrieved from any LDAP server.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
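The two-step lookup described in the message above, as an added illustration that is not part of the original post and not code from Samba's idmap_rfc2307 module: SID to name (here a constructed table standing in for the answer winbind gets from AD), then name to uidNumber/gidNumber from RFC2307 records in the minimal attribute shape the message gives (uid/uidNumber for users, cn/gidNumber for groups). The LDIF, the SIDs, the domain name and the ID_RANGE are all made up for the example. It also enforces two checks a deployment wants before trusting such records: no two records may claim the same unix id (two accounts would otherwise collapse into one unix identity), and an id outside the domain's configured range is left unmapped rather than silently accepted.

```python
"""Added illustration (not Samba's idmap_rfc2307 code): SID -> name -> unix id
over constructed RFC2307 records, with uniqueness and range checks."""
import base64
import re

# Constructed LDIF standing in for records on the AD LDAP or a stand-alone
# LDAP server.  The last entry deliberately sits outside ID_RANGE.
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: Administrator
uidNumber: 400000000
gidNumber: 400000001

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 400000001

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 400000002

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
uidNumber: 1000
"""

# Constructed answers for step one, standing in for what winbind learns from
# the AD server.  The SIDs are made up.
SAMPLE_SID_TO_NAME = {
    "S-1-5-21-1-2-3-500": ("user", "Administrator"),
    "S-1-5-21-1-2-3-513": ("group", "Domain Users"),
    "S-1-5-21-1-2-3-1105": ("user", "alice"),
    "S-1-5-21-1-2-3-1106": ("user", "bob"),    # no RFC2307 record exists
    "S-1-5-21-1-2-3-1107": ("user", "carol"),  # record outside ID_RANGE
}

ID_RANGE = (400000000, 499999999)  # assumed idmap range for the domain

_ATTR = re.compile(r"^([A-Za-z][\w;.-]*):(:)?\s*(.*)$")


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines) into a list of entries, each
    a dict of lowercase attribute name -> list of values.  A '::' value is
    base64 and is decoded."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, b64, value = m.group(1).lower(), m.group(2), m.group(3)
        if b64:
            value = base64.b64decode(value).decode("utf-8")
        cur.setdefault(name, []).append(value)
    return entries


def _add(table, name, unix_id, kind):
    key = name.lower()  # AD names are case-insensitive, so match that way
    if key in table:
        raise ValueError("duplicate %s record for %r" % (kind, name))
    if unix_id in table.values():
        raise ValueError("%s id %d already assigned" % (kind, unix_id))
    table[key] = unix_id


def build_maps(entries):
    """Return (users, groups): lowercase name -> unix id.  A record carrying
    uid+uidNumber is a user record; otherwise cn+gidNumber makes it a group
    record (a user record may also carry its primary gidNumber, so the order
    of the tests matters).  Raises ValueError on duplicate names or ids."""
    users, groups = {}, {}
    for e in entries:
        if "uid" in e and "uidnumber" in e:
            _add(users, e["uid"][0], int(e["uidnumber"][0]), "user")
        elif "cn" in e and "gidnumber" in e:
            _add(groups, e["cn"][0], int(e["gidnumber"][0]), "group")
    return users, groups


def resolve_sid(sid, sid_to_name, users, groups, id_range=ID_RANGE):
    """Step one: SID -> (kind, name).  Step two: name -> unix id from the
    RFC2307 records.  Returns (kind, id), or None when either step fails or
    the id falls outside id_range."""
    hit = sid_to_name.get(sid)
    if hit is None:
        return None
    kind, name = hit
    table = users if kind == "user" else groups
    unix_id = table.get(name.lower())
    if unix_id is None or not id_range[0] <= unix_id <= id_range[1]:
        return None
    return kind, unix_id


if __name__ == "__main__":
    users, groups = build_maps(parse_ldif(SAMPLE_LDIF))
    for sid in SAMPLE_SID_TO_NAME:
        print(sid, "->", resolve_sid(sid, SAMPLE_SID_TO_NAME, users, groups))
```

Running the block prints one line per constructed SID; bob (no record) and carol (id 1000, outside the range) both resolve to None, which is the behaviour you want from an idmap backend: an unmappable SID must fail the lookup rather than fall back to some arbitrary id.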
