Version 4 LDAP particulars?
Jim Hogan
jimh at u.washington.edu
Mon Jan 31 16:54:42 GMT 2005
Andrew, Peter, All,
Many thanks for your responses on this subject. I feel less chagrined
at having posed the question in samba-technical now, as the explanations
that ensued are quite informative and maybe they will help the next
"Jim" to wander through the archives with similar questions.
And, yes, now I have a pretty good sense of what course we'll take
(LDAP-ize Samba 3.x while Samba 4 evolves). Will follow this evolution
with great interest.
Thanks again!
Jim
Andrew Bartlett wrote:
>On Sat, 2005-01-29 at 12:00 +1000, Peter Tiggerdine wrote:
>
>>Jim,
>>On Fri, 2005-01-28 at 10:52 -0800, Jim Hogan wrote:
>>
>>>First, my deepest gratitude to the Samba Team. I'll try to be brief.
>>>Don't want to rob much of anyone's time and am almost embarrassed to pose
>>>my questions here.
>>>
>>>Situation: We run 3.10 today in simple domain model with tdb auth, but
>>>have need of LDAP for many reasons. I see LDAP noted as "non-release
>>>delaying" feature for Samba 4.
>
>The document that you read this on is quite old, and really out of date.
>
>The Samba4 release will ship with its own LDAP server, as this is
>required for WinXP joins (as it is convinced we are implementing Active
>Directory).
>
>>>We do not have any urgent need of AD
>>>support in Samba 4, though some "subfeatures" could be useful (group
>>>policies, say?) if they wind up as part of V4 AD feature set.
>>>
>>>So, I am trying to evaluate "Build OpenLDAP directory today and
>>>integrate with V3 or perhaps wait...or take some hybrid approach?" I
>>>looked at the latest LDAP source from subversion and see what looks
>>>like scratch-built LDAP server. So my questions:
>>>
>>I'm also at this cross-road.
>
>If you have a production site now, then I strongly suggest you implement
>the best solution you can on Samba3 and OpenLDAP. There are a number of
>'neat' things that can be done on this setup, and you will remain
>'mainstream'.
>
>>>- Will Samba 4 still allow substitution of existing OpenLDAP/other LDAP
>>>service for ldb support?
>
>ldb is an interface, which can sit on top of a remote LDAP server, or a
>local tdb. However, getting a remote LDAP server to support what we do
>will be a challenge.
>
>>>- Can anyone point me to V4 default LDAP schema in source? I probably
>>>need a dope slap but couldn't find it.
>
>There is no schema for ldb at this stage, aside from reading the source
>to see which attributes are read/written. In this way, ldb was
>initially designed to be schema-less. Schema support is being added in
>the near future.
>
>>>- To ease later migration to Samba 4, could v4 schema be applied to
>>>build a v3 (OpenLDAP) schema for ldapsam support?
>>>
>>I've asked metze about this and I was told that if someone wants to
>>write the tbl backend for samba4, go for it. But officially the only
>>backend that is going to be developed for now is tbl with samba's own
>>ldap.
>
>The hope is that by constructing another layer of abstraction above ldb,
>queries could be translated from Samba4's schema to Samba3's schema, for
>a subset of operations. This could then be directed against an LDAP
>server that holds Samba3 data.
>
>Nobody has started on such a module, but I do hope it would allow some
>sort of migration path. I don't know how difficult it will be to write,
>nor what limitations it will place on the Samba4 server.
>
>>There is a paper floating around that Andrew Bartlett wrote on migration
>>from samba3 to samba4. This was merely a discussion paper and gave no
>>real solution but "food for thought".
>
>Yes, I touched on this a little. We haven't really looked at migration
>of user data at this point, but I expect that, like migration between the
>Samba 2.2 and Samba3 LDAP schemas, a perl script will be involved.
>
>>I would hope that somewhere along the way the openldap team could
>>come up with an acceptable working backend (not that I don't like
>>samba's ldap implementation) for backwards compatibility with my single
>>sign-on server.
>
>The Samba and OpenLDAP teams have very different goals. We also have
>very different codebases - we tried to have OpenLDAP read ldb as a
>backend, but the code integration task simply proved too difficult.
>
>>>Is the Samba 4 LDAP server planned to be generally useful (support
>>>Linux sign-on, http/Apache/PHP auth in our case, say) or are there any
>>>specific expected limitations?
>
>I don't see any reason why any of these will be an issue, when Samba4 is
>released. I certainly expect that a 'simple bind' as well as various
>SASL binds will be handled in an appropriate way.
>
>If you have followed any of my activity on Single Sign On, you would see
>that I care about this 'just working' very passionately.
>
>>>- Is LDAP really non-release delaying? If ldb is required for Samba 4
>>>operation, how can that be?
>
>As I say, that document needs a lot of work. A replacement is being
>prepared.