a plan for ADS, LDAP and ldb

tridge at samba.org tridge at samba.org
Fri Apr 16 22:37:06 GMT 2004

This is a rough idea of what I am currently thinking of regarding
LDAP, ldb and ADS in Samba4. 

As many of you know Samba now has a new database system called
"ldb". ldb is like a half-way house between LDAP and tdb. It uses a
syntax very similar to LDAP, but currently with no schema, so no
schema checking. See lib/ldb/ in the Samba4 sources for details.

I have already discussed the basic ideas behind ldb at the SambaXP
conference, but in discussions with metze we have recently come up
with the idea of how to make ldb a better basis for the LDAP component
of an ADS domain controller.

The idea is to do this:

 - write a SAMR RPC backend using the new Samba4 rpc server
   infrastructure that uses ldb to store all data

 - use the same attribute names (for users, groups etc) as ADS uses

 - write a OpenLDAP backend that uses ldb. This fits with all the
   other backends OpenLDAP has, except this will be a _much_ simpler
   backend as ldb already uses LDAP syntax, and has indexes etc

 - a Samba4 ADS DC would internally talk straight to the ldb, but
   would present the ldb contents to LDAP for remote clients via the
   OpenLDAP backend

 - having control of the backend gives us a huge amount of flexibility
   is how we deal with the database. It gives us the same sort of
   flexibility that w2k gets with its internal jet database.

Of course, ldb can already act as a front-end to LDAP, presenting a
LDAP database via the ldb API, so admins will have a number of
flexible options for how to configure Samba.

>From a development point of view this allows us to develop the RPC
servers in Samba to use a single simple storage mechanism. With the
Samba config information (the old smb.conf info), plus all the user
database, registry and printing database information in ldb we will
have a single uniform API across our code to access all of our data in
a fast and flexible way. 

By then presenting portions of these databases via OpenLDAP using a
ldb backend we will also be able to cope with LDAP accesses by clients
while not tying the internals of Samba to LDAP.

Of course, this is still an idea that is being developed, but I
thought I should write it down while it is still fresh. 

Cheers, Tridge

PS: Any volunteers to write the OpenLDAP ldb backend?

More information about the samba-technical mailing list