tldap and LDB

Andrew Bartlett abartlet at
Fri Jun 12 09:50:12 GMT 2009

On Wed, 2009-06-10 at 09:08 +1000, tridge at wrote:
> Hi Volker,
> I'm also a bit confused about the goals here, but for slightly
> different reasons. The core asn1 level of tldap seems to be a
> duplicate of libcli/ldap/ and the higher level routines are a
> duplicate of source4/libcli/ldap. Why duplicate this again?
> The incompatible data structures that Andrew points out are likely to
> be a source of unnecessary pain in the future.
> I'm also puzzled about the broader aims. You seem to be now aiming for a
> ADS DC using the ldap protocol to talk to the database? That will
> cause a lot of pain I think - for example, how will you handle the
> need for transactions in RPC operations?


I have to say, the idea of pdb_ads, if done differently, could be a very
powerful and useful thing.

Imagine pdb_ads backed onto LDB, and able to be extended easily (without
the upgrade issues of pdb_tdb), and loading the full set of Samba4 LDB
modules.  The same codebase would support local Samba3 installs, even
Samba3 domain controllers (in NT4 mode), and Samba4.

The smbpasswd tool would directly load the LDB modules and the on-disk
ldb_tdb based database.  Similarly, the pdbedit tool could be used to
help import users (pdbedit -i -e), without needing to maintain separate
and distinct tools.  Similarly, these tools would continue to operate as
they do today, without a running server.


I think you do underestimate the task involved in reimplementing the RPC
servers.  An AD domain controller is more than just adding LDAP and
Kerberos to the existing system.  It certainly does share much of the
same API, but quite a different implementation. 

Why waste time and effort re-implementing these, and then their
associated security mechanisms etc, rather than just use those already
working in Samba4?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.