Is there any plan to do the openldap schema extensible?
aescanero at gmail.com
Wed Aug 26 11:39:59 MDT 2009
I'll see how to implement the user cases in the GOsa project.
Thanks a lot for the information.
2009/8/25 Michael Ströder <michael at stroeder.com>
> Andrew Bartlett wrote:
> > On Mon, 2009-08-24 at 23:42 +0200, Alejandro wrote:
> >> I'm testing samba4 with openldap backend. I want to develop a plugin for
> >> GOsa (www.gosa-project.org); this project is a manager based on the
> >> tree.
> >> One of the first things I see is that provision generates a single file for
> >> the schema, making it hard for me to integrate it with other schemas...
> > Indeed. Microsoft's AD schema is hard to integrate into other schemas,
> > and Samba4 uses the AD schema.
> >> Is there any plan to make the openldap schema extensible and let it to
> >> in a deployed server?
> > There are ways this can be done, but it's a lot of work. For every area
> > where Samba4 wants to move away from what AD does, we have to implement
> > a mapping. For the moment I'm encouraging those interested in admin
> > tools to make them work with the AD schema.
> It's not only about the plain schema. Even when just thinking about an LDAP
> client tool some use-cases are different:
> 1.1 Admin resets user's password via LDAP (MOD_REPLACE unicodePwd).
> 1.2 User sets new password via LDAP (MOD_DEL/MOD_ADD unicodePwd).
> (This distinction is enforced by MS AD!)
> 2.1 Search tombstone entries (extended control 1.2.840.113518.104.22.1687).
> 2.2 Restore tombstone entries (extended control 1.2.840.113522.214.171.1247).
> 3. Temporarily deactivate user entry and manipulate other flags in
> 4. Various configuration stuff.
> Sure there are more cases.
> Upcoming web2ldap 1.1.0 handles the different use-cases 1.1 and 1.2 for
> setting unicodePwd and supports 2.1 by letting you search for tombstone
> entries. 3. is done with a plugin class for userAccountControl for
> manipulating flags in integer values. There are also some plugin classes
> which allow tweaking configuration stuff (4.).
> web2ldap now honours operational attribute 'allowedAttributesEffective' to
> determine which attributes are editable for a bound user and
> 'allowedChildClasses' to determine which STRUCTURAL object classes can be
> used for a new entry. Not sure whether Samba 4 already supports it. There was
> an overlay added to OpenLDAP's HEAD CVS repository recently (see ITS#4730)
> which implements this functionality for 'allowedAttributesEffective' and
> 'allowedAttributes'. Maybe this could also be helpful for Samba4.
> This is all tested with MS AD but I'm not sure whether Samba4 now supports
> reading the subschema subentry:
> Ciao, Michael.
Alejandro Escanero Blanco
Administrador de Sistemas GNU/Linux
Desarrollador de GOsa (http://www.gosa-project.org)
Jabber: blainett at jabberes.com
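The use-cases Michael lists above (admin password reset vs. user password change on unicodePwd, tombstone searches, and userAccountControl flag handling) are the parts an admin tool like a GOsa plugin has to get right against the AD schema. The following is an added example, not code from the thread, from web2ldap, GOsa or Samba4: it builds the LDAP ModifyRequest operation lists and the search request a client library would send, without contacting any directory, so it runs offline. The operation codes follow RFC 4511 (add=0, delete=1, replace=2), the userAccountControl bit values and the show-deleted control OID 1.2.840.113556.1.4.417 are the documented AD values, and the DN and passwords are constructed sample input.

```python
"""Added example: modify operations for the AD/Samba4 password and
userAccountControl use-cases, plus a tombstone search request.

Nothing here talks to a server; the functions return the structures a
client library (python-ldap style (op, attr, values) tuples) would send.
"""

# RFC 4511 ModifyRequest operation values (same numbering python-ldap uses)
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# userAccountControl bits as documented for AD (MS-ADTS)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# LDAP_SERVER_SHOW_DELETED_OID: without this control tombstones are hidden
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password wrapped in double quotes
    and encoded as UTF-16-LE; a plain UTF-8 value is rejected."""
    return ('"' + password + '"').encode("utf-16-le")


def admin_reset_password_mods(new_password: str):
    """Use case 1.1: administrator resets the password. A single
    MOD_REPLACE; the old password is neither needed nor checked."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def user_change_password_mods(old_password: str, new_password: str):
    """Use case 1.2: user changes own password. AD requires a delete of the
    old value and an add of the new one in the SAME ModifyRequest, and
    verifies the old value; sending MOD_REPLACE here is refused unless
    the caller has the reset-password right."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def set_uac_flag(current_uac: int, flag: int, enabled: bool) -> int:
    """Use case 3: toggle one bit of userAccountControl without clobbering
    the others (e.g. keep UF_DONT_EXPIRE_PASSWD when disabling)."""
    return (current_uac | flag) if enabled else (current_uac & ~flag)


def toggle_account_mods(current_uac: int, disable: bool):
    """Build the MOD_REPLACE for userAccountControl; the value is sent as
    the decimal string form AD stores for INTEGER syntax."""
    new_uac = set_uac_flag(current_uac, UF_ACCOUNTDISABLE, disable)
    return [(MOD_REPLACE, "userAccountControl", [str(new_uac).encode()])]


def tombstone_search_request(base_dn: str):
    """Use case 2.1: search for deleted objects. The filter alone returns
    nothing; the show-deleted control must be attached (criticality True
    so a server that ignores it fails loudly instead of returning 0 hits)."""
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": "(isDeleted=TRUE)",
        "attrs": ["distinguishedName", "lastKnownParent", "objectSid"],
        # (controlType OID, criticality, controlValue) as in RFC 4511
        "controls": [(SHOW_DELETED_OID, True, None)],
    }


if __name__ == "__main__":
    # constructed sample input, not real credentials
    print(admin_reset_password_mods("Reset-1234!"))
    print(user_change_password_mods("Old-1234!", "New-5678!"))
    print(toggle_account_mods(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, True))
    print(tombstone_search_request("DC=example,DC=com"))
```

Two caveats a practitioner will hit when wiring this into a real client: AD and Samba4 refuse unicodePwd modifications over a connection without confidentiality (LDAPS or a sealed SASL bind), and because the same modification list is sent in both password cases, a tool must choose MOD_REPLACE versus MOD_DELETE+MOD_ADD from who is bound, not from a user preference.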