[OpenIndiana-discuss] idmap timeout

Reginald Beardsley pulaskite at yahoo.com
Mon Feb 25 23:15:42 UTC 2013
--- On Mon, 2/25/13, James Relph <james at themacplace.co.uk> wrote:

> From: James Relph <james at themacplace.co.uk>
> Subject: Re: [OpenIndiana-discuss] idmap timeout
> To: "Discussion list for OpenIndiana" <openindiana-discuss at openindiana.org>
> Date: Monday, February 25, 2013, 4:47 PM
> 
> > Unless I've badly misunderstood what I've read it can
> > do that now.  Of course, comments and code are not
> > always in agreement.  Or perhaps the more common,
> > "However, if you did that then, you can't do this now."
> 
> The thing is that there doesn't seem to be anything anywhere
> that actually says "ephemeral IDs will persist".
> There's a cache, which you can change the timeouts for, but
> from what I can see it either updates the cache anyway, or
> updates the UID of cached objects.

Are you saying there's another copy besides idmap.db?  I'd not seen evidence of that.

I *think* the idea is you scan a list returned by the database and check the expiration stamp of the items relative to the epoch.  Negative items are ignored.  The least positive entry is selected, and the loop sleeps on that timer.  I'm sure there are subtleties I missed as I went pretty quickly.  But it's a common pattern that fits the requirement.

> 
> > Ignoring that the only limitation I see is what will
> > Windows & Mac OS reveal w/o requiring installing a
> > program. If OI can query the AD hosts, then idmap can
> > trigger an update on a fail of identifier lookup.
> > That's a pretty clean change.  One function call in the
> > right place.
> 
> It's getting someone who can write the function call that is
> tricky!

The hard part is finding one person who understands the internals of 3 systems well.  

Given a program which will run on OI and return a text file w/ the current set of user IDs in the host domain, the rest is trivial.  It's a non-blocking fork-exec of the update program. On a rare event it's as non-invasive as it gets.

An alternative would be to have Windows provide everything in a CIFS share and access that from idmap.  That might be attractive from a security perspective if access can be tightly controlled.

And of course, what does Mac OS do?

Have Fun!
Reg
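The two mechanisms Reg sketches above, an expiry loop that sleeps on the least positive expiration delta and a non-blocking fork-exec of an update program when an identifier lookup fails, are shown together below as an added example. This is not code from the thread or from OpenIndiana's idmap: the cache is a plain dict rather than idmap.db, the "update program" is a constructed Python one-liner that prints a made-up `name uid` list, and the output format, the `IdmapCache` class and the function names are all assumptions for illustration.

```python
import subprocess
import sys

# Constructed stand-in for what the hypothetical update program would print:
# one "name uid" pair per line for the current set of users in the host domain.
# Real idmap state lives in idmap.db; this toy keeps it in a dict instead.
SAMPLE_UPDATE_OUTPUT = "alice 1001\nbob 1002\ncarol 1003\n"


def spawn_update_program():
    """Non-blocking fork-exec of the (hypothetical) update program.

    A Python one-liner that prints SAMPLE_UPDATE_OUTPUT stands in for the real
    program; Popen returns immediately, so the caller never waits on it.
    """
    code = "import sys; sys.stdout.write(%r)" % SAMPLE_UPDATE_OUTPUT
    return subprocess.Popen([sys.executable, "-c", code],
                            stdout=subprocess.PIPE, text=True)


class IdmapCache:
    """Name -> (uid, expires_at) cache with an asynchronous refresh on miss."""

    def __init__(self, ttl, spawn=spawn_update_program):
        self.ttl = ttl          # seconds a mapping stays valid
        self.entries = {}
        self.spawn = spawn
        self.pending = None     # Popen of an in-flight update, or None

    def lookup(self, name, now):
        """Return the cached uid, or None after triggering a refresh."""
        self.collect(now)       # fold in a finished update first, if any
        hit = self.entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.trigger_update()
        return None

    def trigger_update(self):
        """Start the update program unless one is already running.

        The in-flight check is what keeps a burst of failed lookups from
        turning into a burst of child processes.
        """
        if self.pending is not None and self.pending.poll() is None:
            return False
        self.pending = self.spawn()
        return True

    def collect(self, now):
        """Parse a finished update into the cache; return entries loaded."""
        if self.pending is None or self.pending.poll() is None:
            return 0
        out, _ = self.pending.communicate()
        self.pending = None
        loaded = 0
        for line in out.splitlines():
            parts = line.split()
            if len(parts) != 2 or not parts[1].isdigit():
                continue        # ignore malformed lines rather than trust them
            self.entries[parts[0]] = (int(parts[1]), now + self.ttl)
            loaded += 1
        return loaded

    def wait_and_collect(self, now, timeout=10):
        """Block until the in-flight update ends (only the demo/test does this)."""
        if self.pending is None:
            return 0
        try:
            self.pending.wait(timeout)
        except subprocess.TimeoutExpired:
            self.pending.kill()
            self.pending.wait()
        return self.collect(now)


def next_wakeup(entries, now):
    """Seconds until the soonest future expiry, or None when nothing is pending.

    Entries already past their stamp (negative delta) are ignored; the least
    positive delta is the timer the expiry loop should sleep on.
    """
    deltas = [exp - now for (_, exp) in entries.values() if exp - now > 0]
    return min(deltas) if deltas else None


def expire(entries, now):
    """Drop entries whose stamp has passed; return the names removed."""
    gone = [n for n, (_, exp) in entries.items() if exp <= now]
    for n in gone:
        del entries[n]
    return gone


if __name__ == "__main__":
    cache = IdmapCache(ttl=300)
    print(cache.lookup("alice", now=1000.0))       # None: miss, refresh started
    cache.wait_and_collect(now=1000.0)
    print(cache.lookup("alice", now=1000.0))       # 1001
    print(next_wakeup(cache.entries, now=1000.0))  # 300.0
```

Two points worth noticing from a defensive angle: a lookup for a name that does not exist in the domain also triggers a refresh, so the in-flight check in `trigger_update` matters as much as the non-blocking spawn itself, and `collect` discards lines it cannot parse rather than letting a malformed update output into the mapping table.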