[IPA] Samba storing extended DN in Fedora DS

Rich Megginson rmeggins at redhat.com
Fri Oct 2 14:57:58 MDT 2009

Andrew Bartlett wrote:
> On Fri, 2009-10-02 at 15:50 -0400, Endi Sukma Dewata wrote:
>> The problem doesn't happen with the default TDB backend. The problem
>> also
>> doesn't happen with OpenLDAP backend because OpenLDAP doesn't use this
>> module.
>> What should be the right behavior? Can a backlink work with just a
>> regular DN?
>> Should the linked_attributes be modified to use a regular DN? Or
>> should the
>> syntax be changed to something else? Thanks!
> This is why linked attributes are a required feature for a good LDAP
> backend.  If you implement these correctly in the backend, then we won't
> need to load this module.  Similarly, if you implement the 'dereference'
> control, then you don't need to store an extended DN at all - you make
> it up at runtime.
> (You may also determine it profitable to store extended DNs in your
> backend, for the same performance and possibly correctness reasons that
> Samba does - avoiding looking them up at runtime, but that's a separate
> detail).
> In the short term, I think, Fedora DS should try to emulate OpenLDAP's
> current behaviour as closely as possible. (Which is why both have been
> on a TODO for Fedora DS for a while).
The current 389 (Fedora DS) 1.2.2 and later does implement the 
dereference control, and I believe it works the same way as the OpenLDAP 
> I hope this helps,
> Andrew Bartlett

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091002/97fb52d7/attachment-0001.bin>

More information about the samba-technical mailing list