Solutions for creating a Samba4 OpenLDAP backend

Andrew Bartlett abartlet at
Thu Jun 12 01:23:43 GMT 2008

I've had a very useful discussion with Howard on IRC this morning, and
wanted to summarise it for the lists.  It follows on from

We looked at a few things that were getting in the way of the
consistency I need for Samba4.

My primary gripe at the moment is the need to have invalid links
detected at the time of creation, and to ensure that if this happens,
nothing changes in the database.  This is the main test that currently
fails against the OpenLDAP backend.  (In short, everything else seems to

The trivial solution to this is a pre-check of the consequences of the
operation before attempting it.  This will be racy (delete concurrent
with adding a DN as a member), but can be backed by a transaction when
that functionality is exposed.

The problem with doing a pre-check is database loads and replication.
In the replicated case, we can simply not check consistency except on
the original server, as we will catch up to consistency pretty soon
(catastrophic replication failures aside). 

For database loads (from a dump), we can simply permit inconsistent
links by means of a configuration option, and hope that the admin knows
what they are doing, and that the DB will be consistent at the

If we get this much done, then I think Samba4 and OpenLDAP can continue
the forward march.  I look forward to having Samba4 'powered by
OpenLDAP', because without it (or a Fedora DS backend, with whom I'm
having a similar discussion) Samba4 does not have a replicated
deployment model.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
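
Added example, not part of the original message and not Samba4 or OpenLDAP code: a minimal in-memory model of the pre-check described in the message, where a write that would create a link to a nonexistent DN is rejected before anything is stored, while replicated changes and dump loads skip the check. The class, the `replicated` flag, the `allow_inconsistent_links` option and the set of link attributes are all hypothetical names, and DNs are compared as exact strings.

```python
# Added illustration; not Samba4 or OpenLDAP code. All names are hypothetical.
LINK_ATTRS = {"member", "manager"}  # assumed set of DN-valued link attributes


class InvalidLink(Exception):
    """A link value names a DN that does not exist in the directory."""


class Directory:
    def __init__(self, allow_inconsistent_links=False):
        self.entries = {}  # DN -> {attribute: [values]}
        # Hypothetical configuration option, meant for loading a dump.
        self.allow_inconsistent_links = allow_inconsistent_links

    def _dangling(self, dn, attrs):
        """Return (attribute, target) pairs whose target DN is unknown."""
        known = set(self.entries) | {dn}
        return [(a, v) for a, vals in attrs.items() if a in LINK_ATTRS
                for v in vals if v not in known]

    def _precheck(self, dn, attrs, replicated):
        # Replicated changes were checked on the originating server, and a
        # dump load may opt out, so only local client writes are validated.
        if replicated or self.allow_inconsistent_links:
            return
        bad = self._dangling(dn, attrs)
        if bad:
            # Raised before any write, so the database is left untouched.
            # Without a transaction a concurrent delete can still race this.
            raise InvalidLink(bad)

    def add(self, dn, attrs, replicated=False):
        """Create an entry after checking every link it would introduce."""
        self._precheck(dn, attrs, replicated)
        self.entries[dn] = {a: list(v) for a, v in attrs.items()}

    def modify_add(self, dn, attrs, replicated=False):
        """Add values to an existing entry; all values land or none do."""
        if dn not in self.entries:
            raise KeyError(dn)
        self._precheck(dn, attrs, replicated)
        for a, vals in attrs.items():
            self.entries[dn].setdefault(a, []).extend(vals)
```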