Identity Mapping (idmap) backends

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

In order to have Domain users and groups from an Active Directory system appear in an Ubuntu system as valid, they need to have Linux specific attributes. Some of these attributes map directly to equivalent ones in Active Directory, some need to be translated to something else, and others do not exist at all. This is the problem that the Identity Mapping Backends (idmap) try to solve.

There are basically three idmap backends to chose from:

  • ad: requires that Active Directory be augmented with RFC-2307 attributes
  • rid: algorithmic user/group id generation, manual domain configuration
  • autorid: algorithmic user/group id generation, automatic domain configuration

Of these, the simplest ones to use are rid and autorid, because they require no changes to Active Directory. These are the ones we will examine next.

There is another idmap backend that we need to introduce, not related to Active Directory integration, but necessary in some cases: the tdb (Trivial Data Base) backend. The idmap_tdb backend is an allocating backend that stores the mappings on a persistent database on disk. It is needed whenever the mapping is not deterministic, and is instead done on a first come, first serve, order. Configurations using the idmap_rid backend need to be supported by the idmap_tdb backend as well, as will be shown later.

To better understand how these mapping mechanisms work, it helps to have a quick refresher on the typical user ID ranges on an Ubuntu/Debian system:

  • 0-99: builtin global allocations, shipped in the base-passwd package
  • 100-999: dynamically allocated system users and groups, typically created by packages for services as they are installed
  • 1000-59999: dynamically allocated normal user/group accounts (*)
  • 60000-64999: other global allocations
  • 65000-65533: reserved
  • 65534: the nobody user, and corresponding nogroup group (*)
  • 65536-4294967293: dynamically allocated user/group accounts
  • 4294967294 and 4294967295: do not use

Most of these ranges are configured in /etc/adduser.conf, and the above are the default values.

The Active Directory domain users and groups need to fit somewhere, and the largest block available is 65536-4294967293, so that is typically what is used.

See next: