Version 4 LDAP particulars?

Jim Hogan jimh at u.washington.edu
Mon Jan 31 16:54:42 GMT 2005


Andrew, Peter, All,

Many thanks for your responses on this subject.  I feel less chagrined 
at having posed the question in samba-technical now, as the explanations 
that ensued are quite informative and maybe they will help the next 
"Jim" to wander through the archives with similar questions. 

And, yes, now I have a pretty good sense of what course we'll take 
(LDAP-ize Samba 3.x while Samba 4 evolves).  Will follow this evolution 
with great interest.

Thanks again!

Jim

Andrew Bartlett wrote:

>On Sat, 2005-01-29 at 12:00 +1000, Peter Tiggerdine wrote:
>  
>
>>Jim,
>>On Fri, 2005-01-28 at 10:52 -0800, Jim Hogan wrote:
>>    
>>
>>>First, my deepest gratitude to the Samba Team.  I'll try to be brief. 
>>>Don't want to rob much of anyone's time and am almost embarrassed to pose 
>>>my questions here.
>>>
>>>Situation: We run 3.10 today in simple domain model with tdb auth, but 
>>>have need of LDAP for many reasons.   I see LDAP noted as "non-release 
>>>delaying" feature for Samba 4.  
>>>      
>>>
>
>The document that you read this on is quite old, and really out of date.
>
>The Samba4 release will ship with its own LDAP server, as this is
>required for WinXP joins (as it is convinced we are implementing Active
>Directory).
>
>  
>
>>We do not have any urgent need of AD 
>>    
>>
>>>support in Samba 4, though some "subfeatures" could be useful (group 
>>>policies, say?) if they wind up as part of V4 AD feature set.
>>>
>>>So, I am trying to evaluate "Build OpenLDAP directory today and 
>>>integrate with V3 or perhaps wait...or take some hybrid approach?"    I 
>>>looked at latest latest LDAP source from subversion and see what looks 
>>>like scratch-built LDAP server.  So my questions:
>>>      
>>>
>>I'm also at this cross-road.
>>    
>>
>
>If you have a production site now, then I strongly suggest you implement
>the best solution you can on Samba3 and OpenLDAP.  There are a number of
>'neat' things that can be done on this setup, and you will remain
>'mainstream'.
>
>  
>
>>>- Will Samba 4 still allow substitution of existing OpenLDAP/other LDAP 
>>>service for ldb support?
>>>      
>>>
>
>ldb is an interface, which can sit on top of a remote LDAP server, or a
>local tdb.  However, getting a remote LDAP server to support what we do
>will be a challenge.  
>
>  
>
>>>- Can anyone point me to V4 default LDAP schema in source?  I probably 
>>>need a dope slap but couldn't find it.
>>>      
>>>
>
>There is no schema for ldb at this stage, aside from reading the source
>to see which attributes are read/written.  In this way, ldb was
>initially designed to be schema-less.  Schema support is being added in
>the near future.
>
>  
>
>>>- To ease later migration to Samba 4, could v4 schema be applied to 
>>>build a v3 (OpenLDAP) schema for ldapsam support?
>>>      
>>>
>>I've asked metze about this and I was told that if someone wants to
>>write the tbl backend for samba4, go for it. But officially the only
>>backend that is going to be developed for now is tbl with samba's own
>>ldap.
>>    
>>
>
>The hope is that by constructing another layer of abstraction above ldb,
>queries could be translated from Samba4's schema to Samba3's schema, for
>a subset of operations.  This could then be directed against an LDAP
>server that holds Samba3 data.  
>
>Nobody has started on such a module, but I do hope it would allow some
>sort of migration path.  I don't know how difficult it will be to write,
>nor what limitations it will place on the Samba4 server.
>
>  
>
>>There is a paper floating around that Andrew Bartlett wrote on migration
>>from samba3 to samba4.  This was merely a discussion paper and gave no
>>real solution but "food for thought".
>>    
>>
>
>Yes, I touched on this a little.  We haven't really looked at migration
>of user data at this point, but I expect that like migration between the
>Samba 2.2 and Samba3 LDAP schemas a perl script will be involved.
>
>  
>
>>I would hope that somewhere along the way the openldap team could
>>come up with an acceptable working backend (not that I don't like
>>samba's ldap implementation) for backwards compatibility with my single
>>sign-on server.
>>    
>>
>
>The Samba and OpenLDAP teams have very different goals.  We also have
>very different codebases - we tried to have OpenLDAP read ldb as a
>backend, but the code integration task simply proved too difficult.
>
>  
>
>>> Is the Samba 4 LDAP server planned to be generally useful (support 
>>>Linux sign-on, http/Apache/PHP auth in our case, say) or are there any 
>>>specific expected limitations?
>>>      
>>>
>
>I don't see any reason why any of these will be an issue, when Samba4 is
>released.  I certainly expect that a 'simple bind' as well as various
>SASL binds will be handled in an appropriate way.
>
>If you have followed any of my activity on Single Sign On, you would see
>that I care about this 'just working' very passionately.
>
>  
>
>>>- Is LDAP really non-release delaying?  If ldb is required for Samba 4 
>>>operation, how can that be?
>>>      
>>>
>
>As I say, that document needs a lot of work.  A replacement is being
>prepared.
>
>  
>
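Andrew's idea of a layer above ldb that translates queries from the Samba4 (AD-style) schema to the Samba3 ldapsam schema "for a subset of operations" can be sketched concretely. The following is an added illustration written for this archive page; it is not code from Samba, ldb, or anyone in this thread. The attribute and objectClass names (sAMAccountName/uid, objectSid/sambaSID, user/sambaSamAccount, and so on) are real names from the AD and Samba3 ldapsam schemas, but which subset a real module would cover, the filter grammar it accepts, and the decision to refuse untranslatable attributes rather than pass them through are my assumptions. It also shows the limitation Andrew anticipates: anything outside the mapped subset (a password attribute, an unknown objectClass) is rejected on the way in and dropped on the way out, so the Samba3-side data, including sambaNTPassword, never leaks into a Samba4-side result.

```python
"""Sketch of a schema-translation layer: Samba4 (AD-style) filters and
entries <-> Samba3 ldapsam names. Added illustration, not Samba/ldb code."""
from __future__ import annotations

# Attribute pairs (Samba4/AD name, Samba3 ldapsam name). The names are real
# schema attributes; covering exactly this subset is an assumption.
ATTR_PAIRS = [
    ("sAMAccountName", "uid"),
    ("objectSid", "sambaSID"),
    ("displayName", "displayName"),
    ("description", "description"),
    ("homeDirectory", "sambaHomePath"),
    ("scriptPath", "sambaLogonScript"),
    ("profilePath", "sambaProfilePath"),
]
CLASS_PAIRS = [("user", "sambaSamAccount"), ("group", "sambaGroupMapping")]

S4_TO_S3 = {s4.lower(): s3 for s4, s3 in ATTR_PAIRS}
S3_TO_S4 = {s3.lower(): s4 for s4, s3 in ATTR_PAIRS}
CLASS_S4_TO_S3 = {s4.lower(): s3 for s4, s3 in CLASS_PAIRS}
CLASS_S3_TO_S4 = {s3.lower(): s4 for s4, s3 in CLASS_PAIRS}


class UnsupportedOperation(ValueError):
    """Raised for anything outside the translatable subset."""


def _parse(s: str, i: int):
    """Recursive-descent parser for a small subset of RFC 4515 filters:
    (&...), (|...), (!...) and (attr=value). Returns (node, next_index).
    Values are assumed to carry RFC 4515 escapes, so ')' always ends an item."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = ("and" if s[i] == "&" else "or"), i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("not", kid), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("eq", attr, value), end + 1


def _translate(node):
    """Rewrite a parsed Samba4-schema filter tree into Samba3 names."""
    kind = node[0]
    if kind in ("and", "or"):
        return (kind, [_translate(k) for k in node[1]])
    if kind == "not":
        return ("not", _translate(node[1]))
    _, attr, value = node
    key = attr.lower()
    if key == "objectclass":
        if value.lower() not in CLASS_S4_TO_S3:
            raise UnsupportedOperation(f"no Samba3 objectClass for {value!r}")
        return ("eq", "objectClass", CLASS_S4_TO_S3[value.lower()])
    if key not in S4_TO_S3:
        # Refuse rather than forward blindly: e.g. unicodePwd has no ldapsam twin.
        raise UnsupportedOperation(f"attribute {attr!r} has no ldapsam equivalent")
    return ("eq", S4_TO_S3[key], value)


def _render(node) -> str:
    kind = node[0]
    if kind == "and":
        return "(&" + "".join(_render(k) for k in node[1]) + ")"
    if kind == "or":
        return "(|" + "".join(_render(k) for k in node[1]) + ")"
    if kind == "not":
        return "(!" + _render(node[1]) + ")"
    return f"({node[1]}={node[2]})"


def translate_filter(s4_filter: str) -> str:
    """Samba4-schema search filter -> Samba3 ldapsam search filter."""
    try:
        node, end = _parse(s4_filter, 0)
    except IndexError:
        raise ValueError("truncated filter") from None
    if end != len(s4_filter):
        raise ValueError("trailing data after filter")
    return _render(_translate(node))


def translate_entry(s3_entry: dict[str, list[str]]) -> dict[str, list[str]]:
    """Entry returned by the Samba3-schema LDAP server -> Samba4 names.
    Attributes and classes with no Samba4 counterpart (sambaNTPassword,
    posixAccount, ...) are deliberately dropped, never passed through."""
    out: dict[str, list[str]] = {}
    for attr, values in s3_entry.items():
        key = attr.lower()
        if key == "objectclass":
            mapped = [CLASS_S3_TO_S4[v.lower()] for v in values if v.lower() in CLASS_S3_TO_S4]
            if mapped:
                out["objectClass"] = mapped
        elif key in S3_TO_S4:
            out[S3_TO_S4[key]] = list(values)
    return out


if __name__ == "__main__":
    print(translate_filter("(&(objectClass=user)(sAMAccountName=jim))"))
    # Constructed sample entry in Samba3 ldapsam form (values are made up).
    sample = {"objectClass": ["top", "posixAccount", "sambaSamAccount"],
              "uid": ["jim"], "sambaSID": ["S-1-5-21-1-2-3-1001"],
              "sambaNTPassword": ["<hash omitted>"]}
    print(translate_entry(sample))
```

The interesting design choice is the failure mode: a real module sitting above ldb would have to decide, per attribute, between "translate", "pass through untouched" and "refuse", and the refuse path is what keeps Samba3-only secrets from appearing in answers to Samba4-style queries.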


