[IPA] Samba storing extended DN in Fedora DS
Rich Megginson
rmeggins at redhat.com
Fri Oct 2 14:57:58 MDT 2009
Andrew Bartlett wrote:
> On Fri, 2009-10-02 at 15:50 -0400, Endi Sukma Dewata wrote:
>
>> The problem doesn't happen with the default TDB backend. The problem also
>> doesn't happen with OpenLDAP backend because OpenLDAP doesn't use this
>> module.
>>
>> What should be the right behavior? Can a backlink work with just a
>> regular DN? Should the linked_attributes be modified to use a regular DN?
>> Or should the syntax be changed to something else? Thanks!
>>
>
> This is why linked attributes are a required feature for a good LDAP
> backend. If you implement these correctly in the backend, then we won't
> need to load this module. Similarly, if you implement the 'dereference'
> control, then you don't need to store an extended DN at all - you make
> it up at runtime.
>
> (You may also determine it profitable to store extended DNs in your
> backend, for the same performance and possibly correctness reasons that
> Samba does - avoiding looking them up at runtime, but that's a separate
> detail).
>
> In the short term, I think, Fedora DS should try to emulate OpenLDAP's
> current behaviour as closely as possible. (Which is why both have been
> on a TODO for Fedora DS for a while).
>

The current 389 (Fedora DS) 1.2.2 and later does implement the
dereference control, and I believe it works the same way as the OpenLDAP
implementation.

> I hope this helps,
>
> Andrew Bartlett
>
>