Some remarks on Samba4 with OpenLDAP backend

Andrew Bartlett abartlet at samba.org
Fri Mar 20 21:00:58 GMT 2009


On Fri, 2009-03-20 at 18:28 +0100, Michael Ströder wrote:
> Andrew Bartlett wrote:
> > On Fri, 2009-03-13 at 19:02 +0100, Michael Ströder wrote:
> >> I hope you don't get this message wrong. The job including the
> >> provisioning scripts is well done. Still I have some questions and remarks:
> >>
> >> 1. IMHO access to the LDAPI socket should also be possible for other
> >> LDAP clients on the same system. E.g. I'm running my web2ldap as
> >> separate user on the same system and probably I'd like to access the
> >> OpenLDAP backend directly. So IMHO the socket file
> >> <prefix>/private/ldap/ldapi should be moved to another directory where
> >> other clients have access. Access control should happen in slapd itself
> >> by ACLs (as already done).
> > 
> > The reason it is done like this is because I would strongly prefer that
> > the backend was not accessed directly.
> 
> Why? The OpenLDAP backend is an LDAPv3-compliant server already enforcing
> a particular schema.

For me, this isn't a good enough reason:  Just because it can be done,
does not mean it should be done.  

The stack of modules that Samba applies above the OpenLDAP server are
there for a reason, and enforce restrictions and apply semantics above
and beyond those applied by the backend.  That is why we don't allow
Windows clients to connect to the backend directly.

For example, Samba maintains the 'name' attribute in OpenLDAP manually
(mapping it to Samba4RDN).  If the backend were administered directly,
nothing would keep 'name' in sync with the RDN.  

While I will ask for this to be corrected (as it would also remove a
race), it gives you an idea of the things that stand in the way.

I'm still confused why you don't want to connect via Samba4.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
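The kind of drift Andrew describes, where the Samba-maintained 'name' attribute no longer matches the entry's RDN after someone edits the OpenLDAP backend directly, can be checked for. The following is an added example (not Samba's or OpenLDAP's own code): it runs over a constructed LDIF dump, extracts each entry's RDN value and reports entries whose 'name' is missing or differs from it. The DN parsing is simplified (no multi-valued RDNs).

```python
import re

# Constructed LDIF sample: the second entry was edited behind Samba's back,
# the third never had a 'name' attribute set at all.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
cn: Alice Example
name: Alice Example
objectClass: user

dn: CN=Bob Example,CN=Users,DC=example,DC=com
cn: Bob Example
name: Robert Example
objectClass: user

dn: OU=Sales,DC=example,DC=com
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr: [values]})."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def rdn_value(dn):
    """Value of the first RDN, with backslash escapes (e.g. '\\,') removed."""
    m = re.match(r"([^=]+)=((?:\\.|[^,\\])*)", dn)
    if not m:
        raise ValueError(f"malformed DN: {dn}")
    return re.sub(r"\\(.)", r"\1", m.group(2)).strip()

def find_name_drift(entries):
    """DNs whose 'name' attribute is absent or does not equal the RDN value."""
    return [dn for dn, attrs in entries if attrs.get("name", []) != [rdn_value(dn)]]

if __name__ == "__main__":
    for dn in find_name_drift(parse_ldif(SAMPLE_LDIF)):
        print("name/RDN mismatch:", dn)
```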
