extended provision-backend

Michael Ströder michael at stroeder.com
Thu Aug 6 09:28:25 MDT 2009


Oliver Liebel wrote:
> 
> Michael Ströder schrieb:
>> Oliver Liebel wrote:
>>  
>>> Andrew Bartlett schrieb:
>>>    
>>>> I've been thinking about it, and the
>>>> main thing I dislike is the way you try to detect another slapd process
>>>> using ps and grep.  Instead, how about trying a rootDSE search against
>>>> the ldapi socket?        
>>> what about a simple bind via python-ldap to the socket?
>>>     
>>
>> This would introduce another dependency on the python-ldap module. I
>> guess
>> Andrew would prefer if you do that with Samba4 modules.
>>   
> i am not deep enough into "other" s4 modules to know which of them are
> able to query slapd.
> at first sight there are two ways to query slapd,
> one with python-ldap, which is pretty simple,
> second with ldbsearch from s4.
> but this would make it necessary to know the location of the ldb-tools
> after install
> or to give the path manually during provision.
> so from my sight there is only one option.

Being the maintainer of python-ldap I have no personal objections against you
using it. Glad to read that it's pretty simple to use. :-)

But bear in mind that you need at least OpenLDAP's libldap (or preferably
libldap_r) and python-ldap and optionally cyrus-sasl and OpenSSL being
installed on the system. Well, I think Andrew has to decide on that.

>> Maybe I missed something in the thread but I wonder what's the issue 
>> here. If you explicitly invoke slapd with -h "ldapi://<Samba4path> [..]"
>> the likelihood that another server not related to Samba is running there
>> is almost zero.
>>   
> yes, i see that in the same way. but you know how it is with unlikely
> cases...
>
>> Just food for thought: If you'd like to check whether you're really 
>> accessing the right OpenLDAP backend you could query a generated
>> provision ID in the rootDSE by slapd.conf directive 'rootDSE' which
>> points to an arbitrary LDIF file which you could generate.
>
> thanks, but too complicated and oversized.

IMHO it's the only solution where you can really be sure that you talk to
exactly the LDAP server you actually provisioned. Just in one of these
"unlikely cases". ;-)

Ciao, Michael.
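
One way to implement the rootDSE check suggested above, as an added example that is not part of the original message or of Samba's provision code. Assumptions: the ID is carried in the `description` attribute (any attribute type known to the server's schema would do), the `samba4-provision-id=` value prefix and all function names are hypothetical, and `check_backend` needs python-ldap installed.

```python
import secrets
from urllib.parse import quote

ID_ATTR = "description"          # assumption: an attribute type the schema knows
ID_PREFIX = "samba4-provision-id="  # hypothetical marker, not a Samba convention


def make_provision_id() -> str:
    """Random per-provision identifier (128 bits, hex encoded)."""
    return secrets.token_hex(16)


def rootdse_ldif(provision_id: str, attr: str = ID_ATTR) -> str:
    """Content of the LDIF file named by slapd.conf's 'rootDSE' directive.

    The file holds a single entry with the empty DN.
    """
    return f"dn:\n{attr}: {ID_PREFIX}{provision_id}\n"


def ldapi_uri(socket_path: str) -> str:
    """ldapi:// URI for a UNIX socket; the path must be percent-encoded."""
    return "ldapi://" + quote(socket_path, safe="")


def id_matches(rootdse_attrs: dict, expected_id: str, attr: str = ID_ATTR) -> bool:
    """True only if the rootDSE carries exactly our ID; absent means no match."""
    want = (ID_PREFIX + expected_id).encode()
    # Attribute names are case-insensitive; python-ldap returns values as bytes.
    values = [v for k, vs in rootdse_attrs.items()
              if k.lower() == attr.lower() for v in vs]
    return want in values


def check_backend(socket_path: str, expected_id: str, attr: str = ID_ATTR) -> bool:
    """Base-scope search on the rootDSE over ldapi, then compare the ID."""
    import ldap  # lazy import: the helpers above work without python-ldap
    conn = ldap.initialize(ldapi_uri(socket_path))
    try:
        result = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)", [attr])
        conn.unbind_s()
    except ldap.LDAPError:
        return False  # nothing answering on the socket, or not an LDAP server
    return bool(result) and id_matches(result[0][1], expected_id, attr)
```

The provisioning step would write `rootdse_ldif(...)` to a file, reference that file with the `rootDSE` directive in the generated slapd.conf, and call `check_backend` after starting slapd.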

