This patch cleans up some of our ldap code, for better behaviour:

We now always read the Domain SID out of LDAP.  If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP.   We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap).  If we fail to read/add the domain entry, we just
fallback to the old behaviour.

We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available.  This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added.  Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.

The code now allows modifications to the ID mapping in many cases.

Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).

The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'.  This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.

On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.

We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate.  Instead, we just start at the bottom
of the range, and increment again if the user already exists.  The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.

Thanks to metze and AB for double-checking parts of this.

Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)

1 files changed, 21 insertions, 4 deletions

diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 067f5a497d..6e8387f16e 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -276,6 +276,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
 	EQUALITY integerMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
+attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
+	DESC 'Next NT rid to give out for anything'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
+	DESC 'Base at which the samba RID generation algorithm should operate'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
 
 #######################################################################
 ##              objectClasses used by Samba 3.0 schema               ##
@@ -312,16 +322,23 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
 ##
 objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
 	DESC 'Samba Domain Information'
-	MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $
-	       sambaSID ) )
+	MUST ( sambaDomainName $ 
+	       sambaSID ) 
+	MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
+	      sambaAlgorithmicRidBase ) )
 
 ## used for idmap_ldap module
 objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
         DESC 'Pool for allocating UNIX uids/gids'
         MUST ( uidNumber $ gidNumber ) )
 
-objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top STRUCTURAL
+
+objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
         DESC 'Mapping from a SID to an ID'
         MUST ( sambaSID )
-	MAY ( uidNumber $ gidNumber ))
+	MAY ( uidNumber $ gidNumber ) )
+
+objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
+        DESC 'Structural Class for a SID'
+        MUST ( sambaSID ) )