reason for libads/?

Andrew Tridgell tridge at
Fri Apr 1 02:15:37 GMT 2005


 > While closely looking at winbind I'm trying to find the reason why samba3 uses
 > LDAP for SAMR-like operations in security=ads mode. I can see the reason for
 > getting the sequence number via LDAP, the samr variant seems not to be updated
 > correctly, but the rest? What's the advantage?

A simple example is the primary group ID. Via SAMR, it is only
possible to get the primary group ID when you do a per-user call. So
when someone does a getpwent() listing of users, if we wanted to get
100% accurate information we would need to do one RPC call per user,
whereas with LDAP we can do a single call that fetches just the
information we want for all users.

The more general answer is that LDAP calls are more flexible. Via LDAP
the caller gets to say "give me the following information". Via RPC
the caller must choose from a limited menu of information as given by
what information levels are available.

There is also the problem of fully qualified versus partially
qualified names. Via LDAP we can use fully or partially qualified
names for users (i.e. either the short or long form of the domain
name). Via RPC our options are more limited.

So once we need to use LDAP for some calls (for the above reasons), it
makes sense to me to use LDAP for all calls if possible.

Cheers, Tridge
