LDAP/Samba 4 summary

Andrew Bartlett abartlet at samba.org
Tue Oct 2 20:39:06 GMT 2007

On Tue, 2007-10-02 at 13:02 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > (please forgive the cross-posting to subscriber-only lists)
> > 
> > Howard Chu helpfully wrote up this summary of the meeting we held at the
> > CIFS Workshop on how Samba4 should work with an LDAP backend.
> > 
> > The background is that Samba4 increasingly needs some things that an
> > LDAP server could provide for us.  In the short term, we need to add
> > subtree renames to ldb_tdb, but OpenLDAP's hdb already provides this for
> > us.  
> > 
> > Likewise, we have a desperate need for replication (because any site in
> > need of Samba4's features will want multiple DCs) - and Fedora DS's
> > replication seems like a very good, solid answer.  (Sadly it doesn't
> > give us subtree renames...).
> Multimaster replication is also in OpenLDAP 2.4 (which is currently still in 
> beta - we're still shaking it down, more testers would probably be helpful at 
> some point).

I'll have to keep an eye on that. 

> > Another feature we don't yet do schema validation in Samba4, beyond
> > checking that the objectClass list is valid.  We need to extend that,
> > but perhaps the LDAP server could do that validation for us?
> Right, since LDAP doesn't really depend on schema-aware clients this is the 
> LDAP server's responsibility. (As opposed to X.500, where every agent in the 
> system must be fully schema aware.)

Yes, but we may not wish to have the backend server be as fully aware as
Samba about the full monster that is the AD schema, or we may wish to
pre-empt the backend server's response.  For example, if Samba
implements a 'no-user-modification' attribute in a module, we will have
to remove that tag from the OpenLDAP/FedoraDS schema, and prevent that
modification ourselves. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20071002/d51251f4/attachment.bin

More information about the samba-technical mailing list