The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings for unmapped SIDs, but instead to obtain them from a common LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (i.e., NFS).

An alternate method of SID to UID / GID mapping can be achieved using the rid plug-in. This plug-in uses the account RID to derive the UID and GID by adding the RID to a specified base value. The rid plug-in requires that the parameter allow trusted domains = No be specified, as it is not compatible with multiple domain environments. The idmap uid and idmap gid ranges must also be specified.

Finally, using the ad module, the UID and GID can be retrieved directly from an Active Directory LDAP server that supports an RFC2307 compliant LDAP schema. ad supports "Services for Unix" (SFU) version 2.x and 3.0.

Example values:

ldap:ldap://ldapslave.example.com
rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
ad
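The rid derivation described above, worked through on the page's own range string, as an added example (not Samba code). It assumes the "base value" is the low end of each domain's range; the function names and the sample RIDs are hypothetical, and the overlap check goes slightly beyond the text to show why disjoint per-domain ranges matter.

```python
# Added illustration of the "base + RID" derivation; not Samba source code.
import re

# Range string taken from the page's rid example value.
PAGE_SPEC = '"BUILTIN=1000-1999,DOMNAME=2000-100000000"'

def parse_rid_ranges(spec):
    """Parse 'DOM=low-high,...' into {DOMAIN: (low, high)}."""
    ranges = {}
    for part in spec.strip().strip('"').split(","):
        m = re.fullmatch(r"\s*([^=\s]+)=(\d+)-(\d+)\s*", part)
        if not m:
            raise ValueError(f"malformed range entry: {part!r}")
        name, low, high = m.group(1).upper(), int(m.group(2)), int(m.group(3))
        if low > high or name in ranges:
            raise ValueError(f"bad or duplicate range for {name}")
        ranges[name] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Return domain pairs whose ID ranges intersect (two SIDs, one UID)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b)
            for i, (a, (_, a_hi)) in enumerate(items)
            for b, (b_lo, _) in items[i + 1:]
            if b_lo <= a_hi]

def rid_to_unix_id(domain, rid, ranges):
    """Assumed rule: ID = low end of the domain's range + RID.

    Returns None when the domain has no range or the result would leave
    the range, so an ID is never borrowed from another domain's block.
    """
    if rid < 0 or domain.upper() not in ranges:
        return None
    low, high = ranges[domain.upper()]
    unix_id = low + rid
    return unix_id if unix_id <= high else None

if __name__ == "__main__":
    ranges = parse_rid_ranges(PAGE_SPEC)
    print("overlaps:", find_overlaps(ranges))
    # RIDs below are constructed sample inputs (544 = BUILTIN\Administrators).
    for dom, rid in [("BUILTIN", 544), ("DOMNAME", 1105), ("BUILTIN", 1000)]:
        print(dom, rid, "->", rid_to_unix_id(dom, rid, ranges))
```

Because the result depends only on the RID and the configured range, every host given the same range string derives the same UID / GID for a given SID.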