[IPA] Samba storing extended DN in Fedora DS

Andrew Bartlett abartlet at samba.org
Fri Oct 2 14:50:45 MDT 2009


On Fri, 2009-10-02 at 15:50 -0400, Endi Sukma Dewata wrote:
> The problem doesn't happen with the default TDB backend. The problem also
> doesn't happen with OpenLDAP backend because OpenLDAP doesn't use this
> module.
> 
> What should be the right behavior? Can a backlink work with just a
> regular DN? Should the linked_attributes be modified to use a regular DN?
> Or should the syntax be changed to something else? Thanks!

This is why linked attributes are a required feature for a good LDAP
backend.  If you implement these correctly in the backend, then we won't
need to load this module.  Similarly, if you implement the 'dereference'
control, then you don't need to store an extended DN at all - you make
it up at runtime.

(You may also determine it profitable to store extended DNs in your
backend, for the same performance and possibly correctness reasons that
Samba does - avoiding looking them up at runtime, but that's a separate
detail).

In the short term, I think, Fedora DS should try to emulate OpenLDAP's
current behaviour as closely as possible. (Which is why both have been
on a TODO for Fedora DS for a while).

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.