The ldap idmap backend is failing to initialize on a Samba PDC after upgrading from 3.0.20b to 3.0.25b and updating the configuration to use the new idmap parameters. The error in log.winbindd-idmap is:

  [2007/07/11 04:13:28.982065, 0] nsswitch/idmap_ldap.c:verify_idpool(170)
    Multiple entries returned from (objectclass=sambaUnixIdPool) (base == dc=rchdnt,dc=rchland.ibm.com)
  [2007/07/11 04:13:28.983417, 0] nsswitch/idmap.c:idmap_init(632)
    ERROR: Initialization failed for alloc backend ldap, deferred!

There are multiple idmaps under the ldap suffix specified in smb.conf. However, I have the following lines in the idmap config that should point to the correct idmap I want the PDC to use:

  idmap domains = RCHAD
  idmap config RCHAD:backend = ldap
  idmap config RCHAD:readonly = no
  idmap config RCHAD:default = yes
  idmap config RCHAD:ldap_base_dn = ou=idmap,ou=RCHDNT,dc=rchland.ibm.com
  idmap config RCHAD:ldap_url = ldap://127.0.0.1
  idmap config RCHAD:range = 10000-500000
  idmap alloc backend = ldap
  idmap alloc config:ldap_base_dn = ou=idmap,ou=RCHDNT,dc=rchland.ibm.com
  idmap alloc config:ldap_user_dn = cn=XXXXXX,dc=rchland.ibm.com
  idmap alloc config:ldap_url = ldap://127.0.0.1
  idmap alloc config:range = 10000-500000
I see the problem is that lp_ldap_idmap_suffix in param/loadparm.c will return the value of the "ldap suffix" smb.conf parameter if "ldap idmap suffix" is not set. In nsswitch/idmap_ldap.c the initialization does the following:

  tmp = lp_ldap_idmap_suffix();
  if ( ! tmp || ! *tmp) {
      tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
      DEBUG(0,("ldap idmap suffix after lp_parm_const_string: %s\n", tmp));
  }

Shouldn't it start with the value of ldap_base_dn first and then fall back to the value of lp_ldap_idmap_suffix? Also, the warning in the next section of code about using the global ldap suffix will never be reached, since lp_ldap_idmap_suffix will return the global suffix.
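The lookup order described in the comment above, as an added example that is not part of the bug thread or of Samba's source: a small model of the three smb.conf values involved (global "ldap suffix", optional "ldap idmap suffix", per-domain ldap_base_dn), with the original 3.0.25b ordering and the proposed ordering side by side. The struct, the helper names and the sample configuration are assumptions constructed from the values quoted in the report; they are not Samba's real loadparm API.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the three settings the thread talks about.
 * Not Samba's loadparm structures; field names are illustrative. */
struct idmap_cfg {
    const char *ldap_suffix;        /* global "ldap suffix" */
    const char *ldap_idmap_suffix;  /* "ldap idmap suffix", NULL/"" if unset */
    const char *ldap_base_dn;       /* idmap config <DOM>:ldap_base_dn */
};

static int is_set(const char *s) { return s != NULL && *s != '\0'; }

/* Models the behaviour the report describes for lp_ldap_idmap_suffix():
 * when "ldap idmap suffix" is unset it hands back the global "ldap suffix". */
const char *model_lp_ldap_idmap_suffix(const struct idmap_cfg *cfg)
{
    return is_set(cfg->ldap_idmap_suffix) ? cfg->ldap_idmap_suffix
                                          : cfg->ldap_suffix;
}

/* Original 3.0.25b ordering: the suffix is consulted first, so the
 * per-domain ldap_base_dn is only used when that lookup yields nothing. */
const char *base_dn_original(const struct idmap_cfg *cfg)
{
    const char *tmp = model_lp_ldap_idmap_suffix(cfg);
    if (!is_set(tmp)) {
        tmp = cfg->ldap_base_dn;
    }
    return tmp;
}

/* Ordering proposed in the thread: ldap_base_dn wins, and the suffix
 * lookup is only a fallback. */
const char *base_dn_patched(const struct idmap_cfg *cfg)
{
    const char *tmp = cfg->ldap_base_dn;
    if (!is_set(tmp)) {
        tmp = model_lp_ldap_idmap_suffix(cfg);
    }
    return tmp;
}

/* True when the chosen search base is the global "ldap suffix", i.e. the
 * whole-directory search that produced "Multiple entries returned" above. */
int uses_global_suffix(const struct idmap_cfg *cfg,
                       const char *(*pick)(const struct idmap_cfg *))
{
    const char *chosen = pick(cfg);
    return is_set(chosen) && is_set(cfg->ldap_suffix)
        && strcmp(chosen, cfg->ldap_suffix) == 0;
}

/* Constructed from the values quoted in the report: a global suffix,
 * no "ldap idmap suffix", and a per-domain ldap_base_dn. */
const struct idmap_cfg report_cfg = {
    "dc=rchdnt,dc=rchland.ibm.com",
    NULL,
    "ou=idmap,ou=RCHDNT,dc=rchland.ibm.com",
};

/* Constructed: only the per-domain value is set, so both orderings agree. */
const struct idmap_cfg base_dn_only_cfg = {
    NULL,
    NULL,
    "ou=idmap,ou=RCHDNT,dc=rchland.ibm.com",
};

int main(void)
{
    printf("original ordering -> %s\n", base_dn_original(&report_cfg));
    printf("patched ordering  -> %s\n", base_dn_patched(&report_cfg));
    return 0;
}
```

With the reporter's configuration the original ordering searches from dc=rchdnt,dc=rchland.ibm.com and finds every sambaUnixIdPool entry under it, while the patched ordering searches only ou=idmap,ou=RCHDNT,dc=rchland.ibm.com; when no suffix is configured at all, both orderings land on ldap_base_dn.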
Created attachment 2817: Patch to use ldap_base_dn

What about this patch?
(In reply to comment #2)
> Created an attachment (id=2817)
> Patch to use ldap_base_dn
>
> What about this patch?

Looks good, please commit it. Jerry, please take this in 3.0.25c.
Too late for 3.25c. This patch has been pending for over 1 month and right now has still not been checked in, so I assume it has not been tested. We'll have to catch it for 3.0.25d, whenever that is.
I was finally able to test this and it works as intended.