The purpose of the idmap backend parameter is to allow idmap NOT to use the local idmap
tdb file (the default) to obtain SID to UID / GID mappings, but instead to obtain them from a common
LDAP backend. This way all domain members and controllers will have the same UID and GID
to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux
systems that share information over protocols other than SMB/CIFS (e.g. NFS), where the
server enforces access on the numeric UID / GID it is handed: if two hosts map the same SID
to different ids, a user can end up owning, or losing access to, files that belong to someone else.
An alternate method of SID to UID / GID mapping is provided by the idmap_rid
plug-in. This plug-in derives the UID and GID from the account RID by adding the
RID to a specified base value, so the mapping is algorithmic and every host with the
same configuration computes the same id. It requires that "allow trusted domains = No"
be set, because it is not compatible with multiple domain environments. The idmap uid
and idmap gid ranges must also be specified.
Finally, using the idmap_ad module, the UID and GID can be retrieved directly
from an Active Directory server that supports an RFC 2307 compliant LDAP schema;
the UNIX id attributes must be populated for every account that is to be mapped,
since an account without them gets no mapping. idmap_ad supports "Services for Unix"
(SFU) version 2.x and 3.0.
Example: idmap backend = ldap:ldap://ldapslave.example.com
Example: idmap backend = idmap_rid:BUILTIN=1000-1999,DOMNAME=2000-100000000
Example: idmap backend = idmap_ad
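The following Python model is an added example; it is not Samba source code and not part of this man page. It parses a constructed smb.conf fragment (the idmap backend value is the idmap_rid example above; the other parameters and the DOMNAME SID are assumptions), checks the two constraints the text places on idmap_rid, and applies the RID-to-id rule, taking the low end of each domain's range as the base value the text refers to. That an id falling outside the range, or a SID from a domain that has no configured range, is rejected rather than mapped is this example's assumption; it illustrates the practical consequence of the backend being unusable with trusted domains: a trusted domain's accounts simply get no mapping.

```python
"""Model of the idmap_rid mapping rule and the configuration constraints
the idmap backend description states.  Added example; not Samba code."""

# Constructed smb.conf fragment (not from the page).  The idmap backend
# value is the man page's own example; the other parameters are assumed.
SMB_CONF = """
[global]
    workgroup = DOMNAME
    security = ads
    idmap backend = idmap_rid:BUILTIN=1000-1999,DOMNAME=2000-100000000
    idmap uid = 1000-100000000
    idmap gid = 1000-100000000
    allow trusted domains = No
"""

# Domain name -> SID prefix.  S-1-5-32 is the well-known BUILTIN domain;
# the DOMNAME SID is constructed for this example.
DOMAIN_SIDS = {
    "BUILTIN": "S-1-5-32",
    "DOMNAME": "S-1-5-21-1001-2002-3003",
}


def parse_global(conf):
    """Return the parameters of a minimal single-section smb.conf as a dict."""
    params = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")   # first '=' only: values may contain '='
        params[key.strip().lower()] = value.strip()
    return params


def parse_rid_ranges(backend):
    """'idmap_rid:BUILTIN=1000-1999,DOMNAME=2000-100000000'
    -> {'BUILTIN': (1000, 1999), 'DOMNAME': (2000, 100000000)}"""
    name, _, spec = backend.partition(":")
    if name.strip() != "idmap_rid":
        raise ValueError("not an idmap_rid backend: %r" % backend)
    ranges = {}
    for item in spec.split(","):
        dom, _, rng = item.partition("=")
        low, high = (int(x) for x in rng.split("-"))
        if low >= high:
            raise ValueError("bad range for %s: %s" % (dom, rng))
        ranges[dom.strip().upper()] = (low, high)
    return ranges


def check_rid_config(params):
    """List the constraints from the text that an idmap_rid config violates."""
    problems = []
    if not params.get("idmap backend", "tdb").startswith("idmap_rid"):
        return problems                      # constraints apply to idmap_rid only
    if params.get("allow trusted domains", "yes").lower() not in ("no", "false", "0"):
        problems.append("idmap_rid needs 'allow trusted domains = No'")
    for p in ("idmap uid", "idmap gid"):
        if p not in params:
            problems.append("idmap_rid needs '%s' to be set" % p)
    return problems


def sid_to_id(sid, ranges, domain_sids=DOMAIN_SIDS):
    """Map a SID to a UNIX id: RID plus the low end of the domain's range
    (assumed here to be the 'base value' the text mentions).  Assumed as
    well: an id outside the range, or a SID whose domain has no configured
    range (e.g. a trusted domain), is rejected and yields None."""
    prefix, _, rid = sid.rpartition("-")
    for dom, dom_sid in domain_sids.items():
        if prefix == dom_sid and dom in ranges:
            low, high = ranges[dom]
            unix_id = low + int(rid)
            return unix_id if low <= unix_id <= high else None
    return None


if __name__ == "__main__":
    params = parse_global(SMB_CONF)
    print("config problems:", check_rid_config(params) or "none")
    ranges = parse_rid_ranges(params["idmap backend"])
    for sid in ("S-1-5-32-544",                    # BUILTIN\Administrators
                "S-1-5-21-1001-2002-3003-1000",    # first DOMNAME user
                "S-1-5-21-9-9-9-1000"):            # same RID, a trusted domain
        print(sid, "->", sid_to_id(sid, ranges))
```

Because the mapping is a pure function of the SID and the configured ranges, any two hosts with the same idmap backend line agree on every id without consulting a shared database, which is the property the text wants for NFS; the cost is that a SID from a domain absent from the backend string (the last SID above) cannot be mapped at all, which is why "allow trusted domains = No" is required.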