[PATCH] New LDAP comparing tool

Zahari Zahariev zahari.zahariev at postpath.com
Tue Dec 15 17:48:15 MST 2009


Hello Andrew,

Thanks for the guidelines, I will try my best to fix them up and to introduce also interactive password input. Did you mean that there should not be an option for command line password input? We have with ldapsearch "-w" and "-W" where with one of them you can explicitly give the password as plain text. About the OpenLDAP dependence it is just basic operations that I have done many many times in Python unittest with Ldb so no problems there. The reason I put it is because as a standalone tool OpenLDAP has a wider support on distros than Samba4 Ldb (for now) but as Samba4 tool it is reasonable to use Ldb.

I didn't really understand the setup how we can end up with 2 Samba replicas but I guess you may chip me in with more details so I can test it and see which attributes stay unchanged. 

Thanks!

----- Original Message -----
> From: Andrew Bartlett <abartlet at samba.org>
> To: Zahari Zahariev <zahari.zahariev at postpath.com>
> Cc: samba-technical at lists.samba.org <samba-technical at lists.samba.org>
> Sent: Tuesday, December 15, 2009 12:18:30 PM GMT+0200 Europe;Athens
> Subject: Re: [PATCH] New LDAP comparing tool

> On Fri, 2009-12-11 at 16:50 +0200, Zahari Zahariev wrote:
> > Hello Samba4,
> > 
> > I have been working the last couple of weeks on comparing objects
> > and attributes between different Active Directories within the same
> > naming context. There are certain amount of given object DNs that are
> > being ignored for a couple of reasons one of them still missing some
> > place holders. After syncing both DN lists that we read for each
> > naming context in each AD (Samba4) domain then we start to compare
> > them object for object and attribute for attribute.
> > 
> > What results we can expect?
> > 
> >    1. We get to know which objects are present in the first DC but
> >       not in the second and vice versa.
> >    2. We would know for two objects that are present in both DCs if
> >       there are attribute(s) that are found only in the first DC but
> >       not in the second (different number of attributes) and vice versa.
> >    3. We have a final Summary that says all of the above things
> >       regarding attributes.
> > 
> > Indeed the tool takes a mouthful of options: host, user, password
> > for both DCs and the naming context as an argument. Note that the
> > 'user' option may take all of the known authentication methods:
> > NETBIOS\User, User at REALM, DN(User).
> > 
> > This tool will be upgraded so it will implement as many place
> > holders as possible.
> > 
> > Please look at it & test for yourself and give me any sort of
> > feedback.
> 
> The big issues I see are:
> 
>  - The fixed password - we should never have a fixed password in a
> tool.
>  - The use of the ldap, rather than ldb libs (not major, and I know I
> indicated otherwise in the past, but it would be the first thing to
> depend on the system LDAP libs).
>  - The lack of a test - for it to be included in Samba, it must at
> least be blackbox tested (otherwise, it will break).  It should perhaps
> do this on two new reference provisions.
> 
> We also need a more exact comparison mode, for use between Samba
> replicas, where most of the values that can vary between a provision
> will not vary between replicas.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.


-- 
Zahari Zahariev,
Software Engineer Cisco Systems,
PPD & Installer team  
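
The comparison described in the thread, as an added example that is not part of the posted patch or of Samba: it diffs two constructed DN-to-attributes snapshots, reports objects and attributes present on only one side, and goes one step further by comparing values with a configurable ignore set, so a stricter run between replicas can pass a smaller set. The names `compare`, `normalise`, `prompt_password` and `PROVISION_VARIANT` are hypothetical, and the ignore list is an assumption.

```python
import getpass

# Assumption: real AD attribute names that normally differ between two
# separate provisions; the list is illustrative, not the tool's own.
PROVISION_VARIANT = frozenset({"objectguid", "objectsid", "whencreated",
                               "whenchanged", "usncreated", "usnchanged"})

def prompt_password(user, host):
    """Read the bind password from the terminal; never hard-code it."""
    return getpass.getpass(f"Password for {user} on {host}: ")

def normalise(entries, ignore_dns=()):
    """Lower-case DNs and attribute names (simplified matching); drop ignored DNs."""
    skip = {dn.lower() for dn in ignore_dns}
    return {dn.lower(): {a.lower(): sorted(v) for a, v in attrs.items()}
            for dn, attrs in entries.items() if dn.lower() not in skip}

def compare(first, second, ignore_dns=(), ignore_attrs=PROVISION_VARIANT):
    """Report objects and attributes that differ between two DCs."""
    a, b = normalise(first, ignore_dns), normalise(second, ignore_dns)
    report = {"only_in_first": sorted(a.keys() - b.keys()),
              "only_in_second": sorted(b.keys() - a.keys()),
              "attr_diffs": {}}
    for dn in sorted(a.keys() & b.keys()):
        shared = a[dn].keys() & b[dn].keys()
        diff = {"only_in_first": sorted(a[dn].keys() - b[dn].keys()),
                "only_in_second": sorted(b[dn].keys() - a[dn].keys()),
                # Values are compared only for attributes not in ignore_attrs
                # (ignore_attrs entries must be lower-case).
                "value_mismatch": sorted(
                    x for x in shared
                    if x not in ignore_attrs and a[dn][x] != b[dn][x])}
        if any(diff.values()):
            report["attr_diffs"][dn] = diff
    return report

# Constructed sample data standing in for two LDAP search results.
DC1 = {"CN=Administrator,CN=Users,DC=example,DC=com":
           {"cn": ["Administrator"], "objectGUID": ["guid-a"],
            "description": ["Built-in account"]},
       "CN=Guest,CN=Users,DC=example,DC=com": {"cn": ["Guest"]}}
DC2 = {"cn=administrator,cn=users,dc=example,dc=com":
           {"cn": ["Administrator"], "objectGUID": ["guid-b"]},
       "CN=krbtgt,CN=Users,DC=example,DC=com": {"cn": ["krbtgt"]}}

if __name__ == "__main__":
    print(compare(DC1, DC2))
```
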

