tldap and LDB

Andrew Bartlett abartlet at
Tue Jun 9 22:59:43 GMT 2009

On Sat, 2009-06-06 at 06:10 -0500, Volker Lendecke wrote:
> The branch, master has been updated
>        via  23b501e02a15fe94e807e279c224e5657ce47af2 (commit)
>        via  256b227b27b599fffe5746bae7132a27e2c59dd4 (commit)
>        via  1769c8d81b8b4ad7bae77fabce2bf2051a7d32c1 (commit)
>        via  7194937eea7f12a9408655654777fe19832e338a (commit)
>       from  0e261d0e9c89ff11dc37b2bfd70c74c3a06486bd (commit)

> commit 7194937eea7f12a9408655654777fe19832e338a
> Author: Volker Lendecke <vl at>
> Date:   Sat Jun 6 12:30:57 2009 +0200
>     Add the early start of an async ldap library
>     There's a lot of things this does not do yet: For example it does not parse the
>     reply blob in the sasl bind, it does not do anything with controls yet, a lot
>     of the ldap requests are not covered yet. But it provides a basis for me to
>     play with a pdb_ads passdb module.


You seem to have missed the mail I sent earlier, and I've done some more
research, so I thought I would bring this up again.

I'm rather confused by your recent work on tldap, and am not really sure
I understand what you are doing.  

What I'm wondering is why you feel the need to re-invent the whole
infrastructure here, yet again.  For example, even if you cannot for
some reason use ldb for the synchronous pdb calls (I would understand
this effort much better if pdb were async), why not at least re-use the

tldap creates structures like:

struct tldap_attribute {
	char *name;
	int num_values;
	DATA_BLOB *values;

which is almost, but not entirely like:
struct ldb_message_element {
	unsigned int flags;
	const char *name;
	unsigned int num_values;
	struct ldb_val *values;

and a return structure:
struct tldap_message {
	struct asn1_data *data;
	uint8_t *inbuf;
	int type;
	int id;

	char *dn;
	struct tldap_attribute *attribs;

which aside from the housekeeping looks so very similar to:
struct ldb_message {
	struct ldb_dn *dn;
	unsigned int num_elements;
	struct ldb_message_element *elements;

And now, having created this 'just different enough to be incompatible'
library, you are building yet another set of wrapper functions, to do
each of the little things that need to be done.  I know them well, as
both LDB and Samba4 has an impressive collection of functions (which I
see you have started to duplicate) like:

bool tldap_pull_binsid(struct tldap_message *msg, const char *attribute,
		       struct dom_sid *sid)
as a duplicate for
struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, 
                                     const struct ldb_message *msg,
                                     const char *attr)

bool tldap_pull_uint64(struct tldap_message *msg, const char *attr,
		       uint64_t *presult)
as a duplicate for
int64_t ldb_msg_find_attr_as_int64(const struct ldb_message *msg, 
				   const char *attr_name,
				   int64_t default_value)

Had you chosen the at least use the LDB structures, then this much you
would have had for free!

If you must insist on the new library, could you at least make it
compatible enough that it could be abstracted by LDB in future, if not
for your use, then for others?

Soon you will find it very useful to have extended DNs returned.  I
presume you will simply parse them by hand, but similarly Samba4 and LDB
already have the support for this. 

Why do you insist on so much duplication?  Why must every single aspect
be reinvented?  Why must we then re-learn all the lessons of LDAP
features and behaviour that LDB has implemented, for yet another time?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list