Bug 4772 - ldap idmap alloc backend ignoring ldap_base_dn option
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Hardware/OS: All Linux
Importance: P3 regression
Target Milestone: none
Assigned To: Simo Sorce
QA Contact: Samba QA Contact
Reported: 2007-07-10 09:36 UTC by John Janosik
Modified: 2007-09-10 11:18 UTC

Attachment: Patch to use ldap_base_dn (1.85 KB, patch), 2007-07-12 23:25 UTC, Alexander Bokovoy

Description John Janosik 2007-07-10 09:36:50 UTC
The ldap idmap backend is failing to initialize on a Samba PDC after upgrading from 3.0.20b to 3.0.25b and updating the configuration to use the new idmap parameters.  The error in log.winbindd-idmap is:

[2007/07/11 04:13:28.982065, 0] nsswitch/idmap_ldap.c:verify_idpool(170)
  Multiple entries returned from (objectclass=sambaUnixIdPool) (base == dc=rchdnt,dc=rchland.ibm.com)
[2007/07/11 04:13:28.983417, 0] nsswitch/idmap.c:idmap_init(632)
  ERROR: Initialization failed for alloc backend ldap, deferred!

There are multiple idmaps under the ldap suffix specified in smb.conf.  However I have the following lines in the idmap config that should point to the correct idmap I want the PDC to use:

  idmap domains = RCHAD
  idmap config RCHAD:backend = ldap
  idmap config RCHAD:readonly = no
  idmap config RCHAD:default = yes
  idmap config RCHAD:ldap_base_dn = ou=idmap,ou=RCHDNT,dc=rchland.ibm.com
  idmap config RCHAD:ldap_url = ldap://
  idmap config RCHAD:range = 10000-500000
  idmap alloc backend = ldap
  idmap alloc config:ldap_base_dn = ou=idmap,ou=RCHDNT,dc=rchland.ibm.com
  idmap alloc config:ldap_user_dn = cn=XXXXXX,dc=rchland.ibm.com
  idmap alloc config:ldap_url = ldap://
  idmap alloc config:range = 10000-500000
Comment 1 John Janosik 2007-07-10 12:17:15 UTC
I see the problem is that lp_ldap_idmap_suffix in param/loadparm.c will return the value of the "ldap suffix" smb.conf parameter if "ldap idmap suffix" is not set.  In nsswitch/idmap_ldap.c the initialization does the following:

  tmp = lp_ldap_idmap_suffix();
  if ( ! tmp || ! *tmp) {
          tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
          DEBUG(0,("ldap idmap suffix after lp_parm_const_string: %s\n", tmp));

Shouldn't it start with the value of ldap_base_dn first and then fall back to the value of lp_ldap_idmap_suffix?  Also the warning in the next section of code about using the global ldap suffix will never be reached since lp_ldap_idmap_suffix will return the global suffix.
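The lookup-order problem described in this comment, as an added C example (not Samba code): the stub functions, the DNs and the count helper are constructed stand-ins for loadparm and for the LDAP subtree search that verify_idpool() performs.

```c
/* Added example, not Samba's code: models the base-DN lookup order quoted in comment 1
 * and the verify_idpool() "multiple entries" failure, with constructed stand-ins. */
#include <string.h>
/* Constructed smb.conf values mirroring the report. */
static const char *g_ldap_suffix       = "dc=rchland.ibm.com";
static const char *g_ldap_idmap_suffix = NULL; /* "ldap idmap suffix" unset */
static const char *g_ldap_base_dn      = "ou=idmap,ou=RCHDNT,dc=rchland.ibm.com";
/* Constructed directory: two sambaUnixIdPool objects under the global suffix. */
static const char *g_idpool_dns[] = {
    "cn=pool,ou=idmap,ou=RCHDNT,dc=rchland.ibm.com",
    "cn=pool,ou=idmap,ou=OTHER,dc=rchland.ibm.com",
};

/* Stand-in for lp_ldap_idmap_suffix(): falls back to the global "ldap suffix". */
static const char *stub_lp_ldap_idmap_suffix(void)
{
    return (g_ldap_idmap_suffix && *g_ldap_idmap_suffix) ? g_ldap_idmap_suffix : g_ldap_suffix;
}
/* Stand-in for lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL). */
static const char *stub_ldap_base_dn(void) { return g_ldap_base_dn; }
/* Order as quoted in comment 1: idmap suffix first, ldap_base_dn only if empty. */
const char *base_dn_original_order(void)
{
    const char *tmp = stub_lp_ldap_idmap_suffix();
    if (!tmp || !*tmp) tmp = stub_ldap_base_dn();
    return tmp;
}
/* Order the reporter proposes: per-backend ldap_base_dn first, then fall back. */
const char *base_dn_fixed_order(void)
{
    const char *tmp = stub_ldap_base_dn();
    if (!tmp || !*tmp) tmp = stub_lp_ldap_idmap_suffix();
    return tmp;
}

/* Subtree-search stand-in: pool entries whose DN ends in base at an RDN
 * boundary. verify_idpool() fails unless exactly one entry comes back. */
int count_idpools_under(const char *base)
{
    size_t blen = strlen(base);
    int n = 0;
    for (size_t i = 0; i < sizeof g_idpool_dns / sizeof *g_idpool_dns; i++) {
        size_t dlen = strlen(g_idpool_dns[i]);
        if (dlen >= blen && strcmp(g_idpool_dns[i] + dlen - blen, base) == 0 &&
            (dlen == blen || g_idpool_dns[i][dlen - blen - 1] == ','))
            n++;
    }
    return n;
}
```

With the quoted order the search base collapses to the global suffix and both pools match, which is the "Multiple entries returned" failure; with ldap_base_dn consulted first only the intended pool is found.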
Comment 2 Alexander Bokovoy 2007-07-12 23:25:58 UTC
Created attachment 2817
Patch to use ldap_base_dn

What about this patch?
Comment 3 Simo Sorce 2007-08-20 12:04:39 UTC
(In reply to comment #2)
> Created an attachment (id=2817)
> Patch to use ldap_base_dn
> What about this patch?

Looks good, please commit it.

Jerry please take this in 3.0.25c 
Comment 4 Gerald (Jerry) Carter 2007-08-20 12:10:56 UTC
Too late for 3.25c.  This patch has been pending for over 1 month
and right now has still not been checked in, so I assume it has
not been tested.  We'll have to catch it for 3.0.25d whenever that is.
Comment 5 Simo Sorce 2007-09-10 11:18:17 UTC
I was finally able to test this and it works as intended.