idmap(1M) observability [PSARC/2008/167 FastTrack timeout 03/12/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Wed Mar 5 10:16:48 PST 2008
This case was approved at today's PSARC meeting. I've updated the IAM
file.
On Mon, Mar 03, 2008 at 03:05:22PM -0600, Nicolas Williams wrote:
> I typoed the OpenSolaris discuss list names. Sigh.
>
> Please cc' sparks-discuss at opensolaris.org and storage-discuss at opensolaris.org,
> not sparks-discuss at sun.com and storage-discuss at sun.com.
>
> Nico
>
> On Mon, Mar 03, 2008 at 12:54:29PM -0800, Nicolas Williams wrote:
> >
> > Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
> > This information is Copyright 2008 Sun Microsystems
> > 1. Introduction
> > 1.1. Project/Component Working Name:
> > idmap(1M) observability
> > 1.2. Name of Document Author/Supplier:
> > Author: Nicolas Williams
> > 1.3 Date of This Document:
> > 03 March, 2008
> > 4. Technical Description
> >
> > I'm sponsoring this case for Julian Pullen. I've set the timer to
> > expire on Wednesday, March 12th, 2008.
> >
> > The requested release binding is micro/patch (note: the base ARC case
> > has minor release binding, so "micro/patch" here is not meaningfully
> > different from minor).
> >
> > BACKGROUND
> > ----------
> >
> > PSARC/2006/315 introduced a facility for mapping between Windows and
> > Solaris user/group identities.
> >
> > idmap(1M) is the primary user interface for the Solaris ID mapping
> > facility. It allows the administrator to specify rules for ID mapping,
> > as well as to observe what identities have been mapped, and to request
> > mappings for specific IDs.
> >
> > idmap now supports the following mapping methods:
> > 1) Hardcoded mappings for _some_ Well-Known SIDs
> > 2) Directory-based name mapping using AD only (soon also using
> > native LDAP, and a mixed mode; see PSARC/2007/663)
> > 3) Name-based rule mapping
> > 4) Ephemeral mapping
> > 5) Local SID mapping
> >
> > PROBLEM
> > -------
> >
> > The idmap(1M) utility provides no information as to how any one mapping
> > was performed, nor what conditions led to failure to produce a requested
> > mapping.
> >
> > SOLUTION
> > --------
> >
> > This case enhances idmap to enable it to display how the identifiers
> > were mapped. The "idmap show" and "idmap dump" commands will be
> > extended with a -v flag to display this information. The "idmap show"
> > command will also display whether the ID mapping was just generated as a
> > result of the command or whether it had been cached.
> >
> > The information displayed will include the type of mapping. For
> > directory-based name mapping it will include if the Directory is AD or
> > Native LDAP, the Distinguished name of the entry and the mapping
> > attribute and value. For name-based rule mapping it will include the
> > matching rule.
> >
> > Man page diffs will be added to the case directory.
> >
> > INTERFACE STABILITY
> > -------------------
> >
> > The new -v option to 'idmap dump' and 'idmap show' will be Committed.
> >
> > The output of 'idmap dump' and 'idmap show' is hereby declared to be Not
> > an Interface. A future case may introduce stable output formats
> > suitable for scripting.
> >
> > PHASED DELIVERY
> > ---------------
> >
> > We may deliver this case in two phases: one that adds observability for
> > success cases, and one that adds observability for failure cases.
> >
> > We expect this provision to be non-controversial given the Not-an-
> > Interface nature of idmap(1M)'s output at this time.
> >
> > OUTPUT
> > ------
> >
> > [Remember, idmap(1M) output remains Not an Interface, thus we reserve
> > the right to change the output formats shown below.]
> >
> > Success cases:
> >
> > % idmap show ...
> > <mapping>
> > % idmap show -v ...
> > <mapping>
> > New: yes | cached
> > Method: <method-name>
> > [DN: <LDAP DN>]
> > [Attribute: <LDAP attribute name> = <value>]
> > [Rule: <rule>]
> >
> > Where:
> >
> > - <mapping> is the output that idmap produces today.
> >
> > - <method-name> is one of: AD Directory, Native LDAP Directory, Name
> > Rule, Ephemeral, Local SID, Well-Known mapping.
> >
> > - <LDAP DN> is the DN of an AD or native LDAP object (if ds-based name
> > mapping was used).
> >
> > - <LDAP attribute name> and <value> are the name and value of the
> > attribute used for directory-based name mapping (if ds-based name
> > mapping was used).
> >
> > - <rule> is the matching name-based rule, if any, using the same format
> > as used by "idmap list" today.
> >
> > Output for "idmap dump" will be the same as "show -v" but it will not
> > contain "New: ..." (all dumped entries must be in the cache).
> >
> >
> > Error cases:
> >
> > % idmap show ...
> > [<mapping>]
> > Failed Method: <method-name>
> > Error: <error message>
> >
> >
> >
> > 6. Resources and Schedule
> > 6.4. Steering Committee requested information
> > 6.4.1. Consolidation C-team Name:
> > ON
> > 6.5. ARC review type: FastTrack
> > 6.6. ARC Exposure: open
> >
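An added example, not part of the case or of the idmap source: a small Python parser for the `show -v` / `dump -v` layout proposed above, with an audit pass that flags failed lookups and Ephemeral mappings for an administrator's review. The sample output is constructed; the `source -> target` form of the `<mapping>` line is an assumption (the case only says it is whatever idmap prints today), and since the layout is declared Not an Interface this tracks the proposal as written, not a stable format.

```python
"""Parse 'idmap show -v' / 'idmap dump -v' output as laid out in PSARC/2008/167."""
import re

# Constructed sample. The "source -> target" form of the <mapping> line is an
# assumption; the case only says it is whatever idmap prints today.
SAMPLE = """\
winname:alice@example.com -> uid:1001
New: cached
Method: AD Directory
DN: CN=alice,CN=Users,DC=example,DC=com
Attribute: unixUserName = alice

winname:svc-backup@example.com -> uid:2147483650
New: yes
Method: Ephemeral

winname:ghost@example.com
Failed Method: AD Directory
Error: user not found in directory
"""

KEYS = ("New", "Method", "DN", "Attribute", "Rule", "Failed Method", "Error")

def parse_idmap_verbose(text):
    """One dict per blank-line-separated record: 'mapping', labelled lines, 'failed'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"mapping": None}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key in KEYS:
                rec[key] = value.strip()
            elif rec["mapping"] is None:
                rec["mapping"] = line.strip()  # the unlabelled <mapping> line
        rec["failed"] = "Failed Method" in rec
        records.append(rec)
    return records

def audit(records):
    """(index, reason) for failed lookups and Ephemeral IDs, which do not survive a reboot."""
    findings = []
    for i, rec in enumerate(records):
        if rec["failed"]:
            findings.append((i, "failed: " + rec.get("Error", "?")))
        elif rec.get("Method") == "Ephemeral":
            findings.append((i, "ephemeral mapping, not persistent"))
    return findings
```

Run over real `idmap dump -v` output, the audit list is what an administrator would review to decide which identities still need a directory entry or a name-based rule instead of an ephemeral ID.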