In Chapter 12 (Identity Mapping) of the Samba HOWTO Collection it states:
<snip>
Backup Domain Controller
Backup Domain Controllers (BDCs) have read-only access to security
credentials that are stored in LDAP. Changes in user or group account
information are passed by the BDC to the PDC. Only the PDC can write
changes to the directory.
IDMAP information can however be written directly to the LDAP server so
long as all domain controllers have access to the master (writable) LDAP
server. Samba-3 at this time does not handle LDAP redirects in the IDMAP
backend. This means that it is is unsafe to use a slave (replicate) LDAP
server with the IDMAP facility.
</snip>
We place IDMAP information directly into LDAP (ou=idmap) when we mass
generate accounts. So we don't use winbindd as all accounts appear local
to AIX (using secldapclntd; John T. if you want info on this to add to
your book and the HOWTO collection, I'd love to offer it).
My question is, since the underlying LDAP code in samba chases referrals,
why would IDMAP stand out in any configuration?
It would seem to me (minus the BDC<->PDC sepcific protocols) you
could achieve the same effect using two DCs where one was the Master LDAP
and the other the Replica LDAP. If the master goes down, the backup can
still offer info and would not allow any changes as the attempt would
yield "Unwilling to perform" at the LDAP layer.
The FastStart examples, the PDC LDAP points to localhost and the BDC
points to the PDC's DNS name. The BDC is dead if the PDC dies.
In the previous paragraph if both point to localhost and one is the master
and the other a replica, this would achieve better fault tolerance,
correct?
Could this scenario be applied to High-Availability? It's not perfect
but its a good start.
John, keep up the great work of giving us so many examples and
documenting the many ways to achieve our goals of interoperation.
Cheers!
Bill