idmap(1M) observability [PSARC/2008/167 FastTrack timeout 03/12/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Mon Mar 3 13:05:22 PST 2008
I typoed the OpenSolaris discuss list names. Sigh.
Please cc' sparks-discuss at opensolaris.org and storage-discuss at opensolaris.org,
not sparks-discuss at sun.com and storage-discuss at sun.com.
Nico
On Mon, Mar 03, 2008 at 12:54:29PM -0800, Nicolas Williams wrote:
>
> Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
> This information is Copyright 2008 Sun Microsystems
> 1. Introduction
> 1.1. Project/Component Working Name:
> idmap(1M) observability
> 1.2. Name of Document Author/Supplier:
> Author: Nicolas Williams
> 1.3 Date of This Document:
> 03 March, 2008
> 4. Technical Description
>
> I'm sponsoring this case for Julian Pullen. I've set the timer to
> expire on Wednesday, March 12th, 2008.
>
> The requested release binding is micro/patch (note: the base ARC case
> has minor release binding, so "micro/patch" here is not meaningfully
> different from minor).
>
> BACKGROUND
> ----------
>
> PSARC/2006/315 introduced a facility for mapping between Windows and
> Solaris user/group identities.
>
> idmap(1M) is the primary user interface for the Solaris ID mapping
> facility. It allows the administrator to specify rules for ID mapping,
> as well as to observe what identities have been mapped, and to request
> mappings for specific IDs.
>
> idmap now supports the following mapping methods
> 1) Hardcoded mappings for _some_ Well-Known SIDs
> 2) Directory-based name mapping using AD only (soon also using
> native LDAP, and a mixed mode; see PSARC/2007/663)
> 3) Name-based rule mapping
> 4) Ephemeral mapping
> 5) Local SID mapping
>
> PROBLEM
> -------
>
> The idmap(1M) utility provides no information as to how any one mapping
> was performed, nor what conditions led to failure to produce a requested
> mapping.
>
> SOLUTION
> --------
>
> This case enhances idmap to enable it to display how the identifiers
> were mapped. The "idmap show" and "idmap dump" commands will be
> extended with a -v flag to display this information. The "idmap show"
> command will also display whether the ID mapping was just generated as a
> result of the command or whether it had been cached.
>
> The information displayed will include the type of mapping. For
> directory-based name mapping it will include if the Directory is AD or
> Native LDAP, the Distinguished name of the entry and the mapping
> attribute and value. For name-based rule mapping it will include the
> matching rule.
>
> Man page diffs will be added to the case directory.
>
> INTERFACE STABILITY
> -------------------
>
> The new -v option to 'idmap dump' and 'idmap show' will be Committed.
>
> The output of 'idmap dump' and 'idmap show' is hereby declared to be Not
> an Interface. A future case may introduce stable output formats
> suitable for scripting.
>
> PHASED DELIVERY
> ---------------
>
> We may deliver this case in two phases: one that adds observability for
> success cases, and one that adds observability for failure cases.
>
> We expect this provision to be non-controversial given the Not-an-
> Interface nature of idmap(1M)'s output at this time.
>
> OUTPUT
> ------
>
> [Remember, idmap(1M) output remains Not an Interface, thus we reserve
> the right to change the output formats shown below.]
>
> Success cases:
>
> % idmap show ...
> <mapping>
> % idmap show -v ...
> <mapping>
> New: yes | cached
> Method: <method-name>
> [DN: <LDAP DN>]
> [Attribute: <LDAP attribute name> = <value>]
> [Rule: <rule>]
>
> Where:
>
> - <mapping> is the output that idmap produces today.
>
> - <method-name> is one of: AD Directory, Native LDAP Directory, Name
> Rule, Ephemeral, Local SID, Well-Known mapping.
>
> - <LDAP DN> is the DN of an AD or native LDAP object (if ds-based name
> mapping was used).
>
> - <LDAP attribute name> and <value> are the name and value of the
> attribute used for directory-based name mapping (if ds-based name
> mapping was used).
>
> - <rule> is the matching name-based rule, if any, using the same format
> as used by "idmap list" today.
>
> Output for "idmap dump" will be the same as "show -v" but it will not
> contain "New: ..." (all dumped entries must be in the cache).
>
>
> Error cases:
>
> % idmap show ...
> [<mapping>]
> Failed Method: <method-name>
> Error: <error message>
>
>
>
> 6. Resources and Schedule
> 6.4. Steering Committee requested information
> 6.4.1. Consolidation C-team Name:
> ON
> 6.5. ARC review type: FastTrack
> 6.6. ARC Exposure: open
>
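As an added example (not part of the case or of the idmap source), a small Python parser for the success and error layouts sketched above, plus a check an administrator reviewing mappings would want: whether idmap attributes a mapping to a named directory entry rather than to a local method. The sample output, identities and error text are constructed; since the case declares the output Not an Interface, the field names are assumptions taken from the sketch in the case.

```python
import re

# Constructed samples following the "idmap show -v" layout proposed in the
# case; not captured from a real system (identities are placeholders).
SAMPLE_SUCCESS = """\
unixuser:jdoe == winuser:jdoe@example.com
New: cached
Method: AD Directory
DN: CN=jdoe,CN=Users,DC=example,DC=com
Attribute: unixUserName = jdoe
"""
SAMPLE_FAILURE = """\
winuser:ghost@example.com
Failed Method: Name Rule
Error: no matching rule
"""

# Directory-based methods named in the case; the other methods are local.
DIRECTORY_METHODS = {"AD Directory", "Native LDAP Directory"}
_KV = re.compile(r"^(New|Method|Failed Method|DN|Attribute|Rule|Error):\s*(.*)$")

def parse_show_v(text: str) -> dict:
    """Parse one 'idmap show -v' result (success or error form) into a dict."""
    r = {"mapping": None, "new": None, "method": None, "failed": False,
         "dn": None, "attribute": None, "value": None, "rule": None, "error": None}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = _KV.match(line)
        if m is None:                         # only the <mapping> line is free-form
            if r["mapping"] is not None:
                raise ValueError(f"unexpected line: {line!r}")
            r["mapping"] = line               # kept opaque: today's idmap output
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "New":                      # "yes" = generated now, else cached
            r["new"] = val.lower() == "yes"
        elif key in ("Method", "Failed Method"):
            r["method"], r["failed"] = val, key == "Failed Method"
        elif key == "Attribute":              # "<LDAP attribute name> = <value>"
            name, _, value = val.partition("=")
            r["attribute"], r["value"] = name.strip(), value.strip()
        elif key == "Error":
            r["error"], r["failed"] = val, True
        else:                                 # DN, Rule
            r[key.lower()] = val
    return r

def directory_backed(r: dict) -> bool:
    """True only when idmap attributes the mapping to a named directory entry."""
    return not r["failed"] and r["method"] in DIRECTORY_METHODS and r["dn"] is not None
```

Running `directory_backed` over a dump lets an administrator spot accounts that were expected to come from AD or native LDAP but were actually resolved by a name rule, an ephemeral ID or a local SID.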