Samba4 LDAP Integration
geza at kzsdabas.sulinet.hu
Wed Oct 27 15:18:58 GMT 2004
Andrew Bartlett wrote:
>On Thu, 2004-10-28 at 00:01, Pierre Filippone wrote:
>>we use Samba 3 as domain controllers for a Citrix server farm and in the
>>near future we are planning to use these DCs also for the rest of our
>>Although it works very well, in the foreseeable future we will be obliged
>>to offer some sort of AD emulation, unless we get rid of Windows OSes for
>>our desktops, which I don't see at the moment. Longhorn will probably not
>>support non-AD DCs any more.
>Personally, I would be surprised. NT4 is still out there...
>But your point is valid, and that is why we are working so hard on
>>The question that arises for us is, how difficult the migration from Samba
>>3 to Samba 4 will be, especially regarding the LDAP backend. At the moment
>>we have a perfect integration of all samba related attributes in our
>>existing user entries. Simply add samba attributes and go.
>>Will it stay like this in Samba4, meaning that we can keep our existing
>>structure in openldap, at least regarding users and groups, and samba4
>>will present some kind of translated LDAP view to MS clients?
>>Or are you planning to put AD entries directly into openldap, which makes
>>the integration of our existing entries difficult or impossible.
>>Has there already been made a decision or is it too early to ask this
>This is a very good time to start looking into this area. Currently,
>the Samba4 model assumes either that OpenLDAP contains support for all
>the AD attributes, or that you use Samba4's ldb local storage in a TDB.
>Clearly, this just will not work for your site, and many others. What I
>think we need to do is write another LDB backend, that understands more
>about the semantic mapping, and provides a proxy service.
>However, products like XAD show that OpenLDAP can be made to handle
>this, with the right schema, plugins etc, but perhaps not your existing
I think the easiest way would be to have a tdb->ldb(tdb) migration path.
This raises another question:
As the OpenLDAP backend usually contains, besides the Samba attributes, at
least the Posix ones (needed by Samba3), how would they be mapped to the
new ldb(tdb) backend?
I think the best way of migration would be some sort of ldapsearch |
ldbadd approach, as Samba4 will implement its own LDAP server. This path
could be problematic also, because there are some conflicting
attributes between the AD and the RFC compliant schemas :-( .
Thanks for doing this great job with Samba4,