[Samba4] Using existing samba3 data from an external LDAP with samba4
Andrew Bartlett
abartlet at samba.org
Tue Jan 2 11:50:00 GMT 2007
On Tue, 2006-10-24 at 17:40 +0200, Martin Kühl wrote:
> Hi,
>
> The following are notes I've taken while trying to connect a samba4 service
> to the samba3 data contained in the LDAP directory of a UCS[1] system.
>
> Attempted Solution #2: Schema extension
> =======================================
>
> 2.1: Use the samba4 schema
> --------------------------
>
> Install the OpenLDAP-formatted samba4 schema on X and make slapd load it.
> Install the samba4 packages on Y, provision against the LDAP directory of X.
> Samba3sam is not used in the process (yet).
>
> Problems and Workarounds:
> * Some of the OIDs/attributes/objectClasses of the samba4 schema conflict with
>   the schemas loaded by slapd. (Most of these are duplicates.)
>   -> Remove conflicting entries from the samba4 schema.
>
> * The "person" objectClass is incompatible: a person object "must" contain the
>   "sn" attribute, which isn't set for any samba4 objects. "Person" here
>   includes users, groups and computers.
>   -> Make the attribute optional in the "core" schema's "person" objectClass.
>
> * Provisioning erases all data from the LDAP directory.
>   -> Change the deletion process so that when provisioning against an LDAP
>   backend and when the partition to be deleted is the baseDN, erase only
>   objects that were added by samba4. Determine this property by searching
>   for "objectCategory=*" records.
>
> * The baseDN record is already present in the LDAP directory but is missing
>   the objectClasses "domainDNS" and "extensibleObject". Adding the former is
>   forbidden in OpenLDAP because it would change the structural objectClass of
>   the record.
>   -> Add the objectClasses and modify the structuralObjectClass attribute via
>   slapcat/slapadd.
>
> * Some other records are already present in the LDAP directory.
>   -> Extract these records (cn=users and cn=computers) into their own LDIF.
>   When adding them fails, try to modify the existing records instead (as with
>   the baseDN).
>
> The above workarounds (except the first two) are contained in the attachment
> `tp3-ldap.patch'; they fulfill goal (1) but not (2).
I like these changes, so I've applied the patch (with a few changes).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
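The two data-handling workarounds in the quoted notes (rewriting the baseDN record offline via slapcat/slapadd, and picking out only the samba4-added objects by `objectCategory=*` for deletion), as an added Python example that is not part of the original thread or of Samba's own code. It assumes a constructed, minimal slapcat-style LDIF export with the sample base `dc=example,dc=com`, no LDIF line continuations, and that `domainDNS` is the structural objectClass samba4 expects on the base record.

```python
import re

# Constructed sample of a slapcat export (not real data): the baseDN record
# lacks domainDNS/extensibleObject, and only one child was added by samba4.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example
structuralObjectClass: organization

dn: cn=users,dc=example,dc=com
objectClass: top
objectClass: organizationalRole
cn: users

dn: cn=someuser,cn=users,dc=example,dc=com
objectClass: top
objectClass: user
cn: someuser
objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse a simple LDIF export (no line folding) into [(dn, [(attr, value)...])]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = [line.split(": ", 1) for line in block.splitlines()
                 if line and not line.startswith("#")]
        dn = next(v for k, v in attrs if k == "dn")
        entries.append((dn, [(k, v) for k, v in attrs if k != "dn"]))
    return entries

def fix_basedn(entries, basedn):
    """Add the objectClasses samba4 expects on the baseDN record and rewrite
    structuralObjectClass, which slapadd accepts but an online modify refuses."""
    out = []
    for dn, attrs in entries:
        if dn.lower() == basedn.lower():
            present = {v for k, v in attrs if k == "objectClass"}
            attrs = [(k, v) for k, v in attrs if k != "structuralObjectClass"]
            attrs += [("objectClass", oc) for oc in ("domainDNS", "extensibleObject")
                      if oc not in present]
            attrs.append(("structuralObjectClass", "domainDNS"))  # assumed value
        out.append((dn, attrs))
    return out

def samba4_added(entries):
    """DNs provisioning added, identified by objectCategory=*: the only ones the
    patched deletion step should erase when the partition is the baseDN."""
    return [dn for dn, attrs in entries if any(k == "objectCategory" for k, _ in attrs)]

def to_ldif(entries):
    """Serialise back to LDIF for slapadd."""
    return "\n\n".join("dn: %s\n%s" % (dn, "\n".join("%s: %s" % kv for kv in attrs))
                       for dn, attrs in entries) + "\n"
```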