Bug 4772 - ldap idmap alloc backend ignoring ldap_base_dn option
Summary: ldap idmap alloc backend ignoring ldap_base_dn option
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.25b
Hardware: All Linux
: P3 regression
Target Milestone: none
Assignee: Simo Sorce
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-10 09:36 UTC by John Janosik
Modified: 2007-09-10 11:18 UTC (History)
1 user (show)

See Also:

Attachments
Patch to use ldap_base_dn (1.85 KB, patch)
2007-07-12 23:25 UTC, Alexander Bokovoy 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Janosik 2007-07-10 09:36:50 UTC 
The ldap idmap backend is failing to initialize on a Samba PDC after upgrading from 3.0.20b to 3.0.25b and updating the configuration to use the new idmap parameters.  The error in log.winbindd-idmap is:

[2007/07/11 04:13:28.982065, 0] nsswitch/idmap_ldap.c:verify_idpool(170)
  Multiple entries returned from (objectclass=sambaUnixIdPool) (base == dc=rchdnt,dc=rchland.ibm.com)
[2007/07/11 04:13:28.983417, 0] nsswitch/idmap.c:idmap_init(632)
  ERROR: Initialization failed for alloc backend ldap, deferred!

There are multiple idmaps under the ldap suffix specified in smb.conf.  However I have the following lines in the idmap config that should point to the correct idmap I want the PDC to use:

  idmap domains = RCHAD
  idmap config RCHAD:backend = ldap
  idmap config RCHAD:readonly = no
  idmap config RCHAD:default = yes
  idmap config RCHAD:ldap_base_dn = ou=idmap,ou=RCHDNT,dc=rchland.ibm.com
  idmap config RCHAD:ldap_url = ldap://127.0.0.1
  idmap config RCHAD:range = 10000-500000
  
  idmap alloc backend = ldap
  idmap alloc config:ldap_base_dn = ou=idmap,ou=RCHDNT,dc=rchland.ibm.com
  idmap alloc config:ldap_user_dn = cn=XXXXXX,dc=rchland.ibm.com
  idmap alloc config:ldap_url = ldap://127.0.0.1
  idmap alloc config:range = 10000-500000
Comment 1 John Janosik 2007-07-10 12:17:15 UTC 
I see the problem is that lp_ldap_idmap_suffix in param/loadparm.c will return the value of the "ldap suffix" smb.conf parameter if "ldap idmap suffix" is not set.  In nsswitch/idmap_ldap.c the initialization does the following:

 tmp = lp_ldap_idmap_suffix();
 if ( ! tmp || ! *tmp) {
        tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
        DEBUG(0,("ldap idmap suffix after lp_parm_const_string: %s\n", tmp));
 }

Shouldn't it start with the value of ldap_base_dn first and then fall back to the value of lp_ldap_idmap_suffix?  Also the warning in the next section of code about using the global ldap suffix will never be reached since lp_ldap_idmap_suffix will return the global suffix.
Comment 2 Alexander Bokovoy 2007-07-12 23:25:58 UTC 
Created attachment 2817 [details]
Patch to use ldap_base_dn

What about this patch?
Comment 3 Simo Sorce 2007-08-20 12:04:39 UTC 
(In reply to comment #2)
> Created an attachment (id=2817) [edit]
> Patch to use ldap_base_dn
> 
> What about this patch?
> 

Looks good, please commit it.

Jerry please take this in 3.0.25c
Comment 4 Gerald (Jerry) Carter (dead mail address) 2007-08-20 12:10:56 UTC 
Too late for 3.25c.  This patch has been pending for over 1 month
and right has now still not been checked in so therefore I assume 
not tested.  We'll have to catch it for 3.0.25d whenever that is.
Comment 5 Simo Sorce 2007-09-10 11:18:17 UTC 
I was finally able to test this and it works as intended.