Jean Francois Micouleau wrote:
>
> On Sat, 2 Nov 2002, Andrew Bartlett wrote:
>
> > I've just committed a patch that adds a new 'ldap trust ids' smb.conf
> > option.
> >
> > Currently defaulting to off, this option allows pdb_ldap to use the ldap
> > server directly to determine if a user 'exists' in unix.
> >
> > This gives us a performance boost, particularly on enumerations:
> > (Removes the extra lookup per record).
> >
> > The logic is such that if there are no posixAccount attributes for a
> > user, we try getpwnam(), it's just that we look in LDAP first.
> >
> > As such, do people think we should have this by default?
>
> NO !
>
> > This was a fix to solve some particular problems that metze had, and
> > I'll see if I can get some feedback on exactly how much this helps.
>
> and what's next ? Can I commit an ugly hack I'm using 'cause SCO
> openserver doesn't support username longer than 8 chars ?

The abstractions currently in place would allow such a thing, if you
felt that it was required.

> can't we also add a "don't check unix security at all" smb.conf parameter
> that default to yes ?

We are looking at the whole 'unix security db dependence' issue with the
new SAM, which I believe is the correct long-term fix to these issues.

Seriously, this option was added because usrmgr was timing out on large
domains, and doing a *per record* getpwnam() was costing us
significantly.

The reason I ask the list is so that I can get somebody else's eye over
the idea, and I thank you for that.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
