Samba4 LDAP Integration

Gémes Géza geza at kzsdabas.sulinet.hu
Wed Oct 27 15:18:58 GMT 2004


Andrew Bartlett wrote:

>On Thu, 2004-10-28 at 00:01, Pierre Filippone wrote:
>  
>
>>Hi,
>>
>>we use Samba 3 as domain controllers for a Citrix server farm and in the 
>>near future we are planning to use these DCs also for the rest of our 
>>network. 
>>
>>Although it works very well, in the foreseeable future we will be obliged 
>>to offer some sort of AD emulation, unless we get rid of Windows OSes for 
>>our desktops, which I don't see at the moment. Longhorn will probably not 
>>support non-AD DCs any more. 
>>    
>>
>
>Personally, I would be surprised.  NT4 is still out there...
>
>But your point is valid, and that is why we are working so hard on
>Samba4.
>
>  
>
>>The question that arises for us is, how difficult the migration from Samba 
>>3 to Samba 4 will be, especially regarding the LDAP backend. At the moment 
>>we have a perfect integration of all samba related attributes in our 
>>existing user entries. Simply add samba attributes and go. 
>>Will it stay like this in Samba4, meaning that we can keep our existing 
>>structure in openldap, at least regarding users and groups, and samba4 
>>will present some kind of translated LDAP view to MS clients ? 
>>Or are you planning to put AD entries directly into openldap, which makes 
>>the integration of our existing entries difficult or impossible.
>>
>>Has there already been made a decision or is it too early to ask this 
>>question ?
>>    
>>
>
>This is a very good time to start looking into this area.  Currently,
>the Samba4 model assumes either that OpenLDAP contains support for all
>the AD attributes, or that you use Samba4's ldb local storage in a TDB.
>
>Clearly, this just will not work for your site, and many others.  What I
>think we need to do is write another LDB backend, that understands more
>about the semantic mapping, and provides a proxy service.
>
>However, products like XAD show that OpenLDAP can be made to handle
>this, with the right schema, plugins etc, but perhaps not your existing
>structure.
>
>Andrew Bartlett
>
>  
>
I think the easiest way would be to have a tdb->ldb(tdb) migration path.
This raises another question:
As an OpenLDAP backend usually contains, besides the Samba attributes, at 
least the Posix ones (needed by Samba3), how would they be mapped to the 
new ldb(tdb) backend?
I think the best way of migration would be some sort of ldapsearch | 
ldbadd approach, as Samba4 will implement its own LDAP server. This path 
could also be problematic, because there are some conflicting 
attributes between the AD and the RFC compliant schemas :-( .

Thanks for doing this great job with Samba4,

Geza
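A worked example of the "ldapsearch | ldbadd" filter idea from the message above, added here as an illustration; it is not code from Samba or from anyone in this thread. It parses the LDIF that ldapsearch emits (handling folded continuation lines and base64 `::` values), passes the RFC 2307 Posix attributes through untouched, renames a couple of Samba 3 attributes to AD-style names using an assumed, illustrative table (not Samba4's real mapping), and flags an attribute name that exists in both the RFC 2307 and the AD schema with different meanings instead of copying it blindly. The sample user entry and its values are constructed for this example.

```python
import base64

# Constructed sample: roughly what `ldapsearch -LLL` returns for one
# Samba 3 / RFC 2307 user in OpenLDAP. Values are made up.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/jdoe
loginShell: /bin/bash
sambaSID: S-1-5-21-1-2-3-1001
description:: VGVzdCB1c2Vy
 IGVudHJ5
"""

# ASSUMED renames from Samba 3 schema names to AD-style names, used only to
# show where a filter between ldapsearch and ldbadd would do its work.
# This is not Samba4's actual mapping, and a real migration also has to
# convert value syntax, not just attribute names.
RENAME = {
    'sambaSID': 'objectSid',
    'uid': 'sAMAccountName',
}

# Names defined by both RFC 2307 and the AD schema with different meaning:
# AD's homeDirectory is the Windows home folder, RFC 2307's is the POSIX
# home path. A blind copy would load one into the other, so the filter
# drops it and reports it for an operator to decide.
CONFLICTS = {'homeDirectory'}


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, [(attr, value), ...]) entries.
    Handles folded lines (continuation lines start with one space) and
    base64 values (`attr:: ...`); the `attr:< url` form is not supported."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]          # unfold onto the previous line
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, []
    for line in logical + ['']:             # trailing '' flushes the last record
        if line == '':
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith('#') or line.startswith('version:'):
            continue
        name, _, rest = line.partition(':')
        if rest.startswith(':'):            # `attr:: base64`
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        if name == 'dn':
            dn = value
        else:
            attrs.append((name, value))
    return entries


def transform_entry(dn, attrs):
    """Return (new_attrs, warnings): Posix attributes pass through, renamed
    attributes get their AD-style name, conflicting names are skipped."""
    out, warnings = [], []
    for name, value in attrs:
        if name in CONFLICTS:
            warnings.append(f'{dn}: {name} clashes between schemas, skipped')
            continue
        out.append((RENAME.get(name, name), value))
    return out, warnings


def needs_base64(value):
    """RFC 2849: base64-encode values that start with space, ':' or '<',
    end with a space, or contain non-ASCII / control characters."""
    return (value[:1] in (' ', ':', '<') or value.endswith(' ')
            or any(ord(c) > 127 or c in '\r\n\0' for c in value))


def emit_ldif(dn, attrs):
    """Serialise one entry back to LDIF for ldbadd."""
    lines = [f'dn: {dn}']
    for name, value in attrs:
        if needs_base64(value):
            lines.append(f'{name}:: ' + base64.b64encode(value.encode()).decode())
        else:
            lines.append(f'{name}: {value}')
    return '\n'.join(lines) + '\n\n'


def migrate(ldif_text):
    """The filter itself: parse, transform, re-emit. Returns (ldif, warnings)."""
    out, warnings = [], []
    for dn, attrs in parse_ldif(ldif_text):
        new_attrs, w = transform_entry(dn, attrs)
        out.append(emit_ldif(dn, new_attrs))
        warnings.extend(w)
    return ''.join(out), warnings


if __name__ == '__main__':
    import sys
    # Read ldapsearch output from a pipe, or fall back to the constructed sample.
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    ldif, warnings = migrate(text)
    sys.stdout.write(ldif)
    for w in warnings:
        sys.stderr.write(w + '\n')
```

Run it between the two tools as `ldapsearch -LLL ... | python3 ldif_migrate.py | ldbadd`; the rewritten LDIF goes to stdout and every skipped conflicting attribute is reported on stderr, so nothing is lost silently.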
