ldap was Re: [Samba] Samba 4

Simo Sorce idra at samba.org
Fri Aug 26 10:21:16 GMT 2005

On Fri, 2005-08-26 at 11:25 +0200, Farkas Levente wrote:
> Luke Howard wrote:
> >>>There is a good reason for this: AD clients expect non-standard
> >>>behaviour from their LDAP server, so we can't just use OpenLDAP. The
> >>>Samba4 LDAP server can function as a pass-through for requests to any
> >>>other standards-compliant LDAP server.
> >>
> >>My question is just: wouldn't it be possible to include a frontend for
> >>some kind of LDAP and Kerberos server?
> >>Wouldn't it be easier to enhance OpenLDAP or Fedora/Netscape Directory
> >>Server? Or are they such badly implemented LDAP servers?
> > 
> > 
> > You need to maintain the integrity of the Active Directory information
> > model regardless of the source of updates. This is difficult to
> > impossible with a frontend or proxy.
> > 
> > Building a directory server from scratch (as Samba4 are doing) or
> > extending an existing one (e.g. as we did to OpenLDAP in XAD) are the
> > only options IMO.
> First of all, I don't understand this part of the problem deeply, but 
> allow me to look at the whole problem from a sysadmin's point of view. It 
> was very hard for us to put together a system in a mixed Unix/Linux and 
> Windows environment which even works, is safe and is manageable. In this 
> case we need LDAP servers (probably replicated), a Kerberos server and 
> Samba. Of course we'd like to use only _one_ user database for everything, 
> both for Unix/Linux and Windows clients and servers. So we need one LDAP 
> server (I mean several replicating the _same_ data), one Kerberos server, 
> etc. That's the reason why I don't really like the XAD solution. I 
> wouldn't like to replace the system-wide Kerberos server or replace it 
> completely! I wouldn't like to run two NTP servers. And in the case of 
> Samba4 I wouldn't like to replace the LDAP server or replace it 
> completely. This means that if Samba4's LDAP server has all the features 
> which OpenLDAP or Netscape has (or at least the mostly used features) then 
> it's OK for us. Otherwise we need to use two different LDAPs for the same 
> thing, which is not manageable, not clean, not easy and annoying. That's 
> my main point. And since there is a huge development effort behind both 
> OpenLDAP and Netscape, it seems reasonable to me to use their work or at 
> least their experience. So try to design Samba4 keeping in mind a bit 
> wider requirements.

We know all these requirements, I'm a sysadmin myself.

One of the reasons I do not mind too much changing the LDAP server is
that the schema needed for samba4 will certainly be incompatible with
the samba3 ones and with most OpenLDAP installations, so even if we were
to use OpenLDAP, to move to a samba4 _DC_ you would have to migrate your
user base anyway.

I think that will not be necessary for samba4 domain members, or that
the migration will be easier because we will have to change only the samba
attributes (samba4 winbindd has not yet been rewritten so this is just

Having said that, I want to restate that we are still open about the samba4
definitive LDAP server.

> And last but not least, finally some kind of non-command-line management 
> interface would be very useful. Until then Windows will always be better :-(

Have you ever looked at swat2 in samba4?


Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it