Samba4 LDAP Integration

Gémes Géza geza at
Wed Oct 27 15:18:58 GMT 2004

Andrew Bartlett wrote:

>On Thu, 2004-10-28 at 00:01, Pierre Filippone wrote:
>>we use Samba 3 as domain controllers for a Citrix server farm and in the 
>>near future we are planning to use these DCs also for the rest of our 
>>Although it works very well, in the foreseeable future we will be obliged 
>>to offer some sort of AD emulation, unless we get rid of Windows OSes for 
>>our desktops, which I don't see at the moment. Longhorn will probably not 
>>support non-AD DCs any more. 
>Personally, I would be surprised.  NT4 is still out there...
>But your point is valid, and that is why we are working so hard on
>>The question that arises for us is, how difficult the migration from Samba 
>>3 to Samba 4 will be, especially regarding the LDAP backend. At the moment 
>>we have a perfect integration of all samba related attributes in our 
>>existing user entries. Simply add samba attributes and go. 
>>Will it stay like this in Samba4, meaning that we can keep our existing 
>>structure in openldap, at least regarding users and groups, and samba4 
>>will present some kind of translated LDAP view to MS clients ? 
>>Or are you planning to put AD entries directly into openldap, which makes 
>>the integration of our existing entries difficult or impossible.
>>Has there already been made a decision or is it too early to ask this 
>>question ?
>This is a very good time to start looking into this area.  Currently,
>the Samba4 model assumes either that OpenLDAP contains support for all
>the AD attributes, or that you use Samba4's ldb local storage in a TDB.
>Clearly, this just will not work for your site, and many others.  What I
>think we need to do is write another LDB backend, that understands more
>about the semantic mapping, and provides a proxy service.
>However, products like XAD show that OpenLDAP can be made to handle
>this, with the right schema, plugins etc, but perhaps not your existing
>Andrew Bartlett
I think the easiest way would be to have a tdb->ldb(tdb) migration path.
This raises another question:
As the OpenLDAP backend usually contains, besides the Samba attributes, at 
least the Posix ones (needed by Samba3), how would they be mapped to the 
new ldb(tdb) backend?
I think the best way of migration would be some sort of ldapsearch | 
ldbadd approach, as Samba4 will implement its own LDAP server. This path 
could be problematic also, because there are some conflicting 
attributes between the AD and the RFC-compliant schemas :-( .

Thanks for doing this great job with Samba4,


