Should we keep the Samba4 LDAP backend?

Andrew Bartlett abartlet at
Fri Apr 1 02:29:14 MDT 2011

I'm wondering if there is much value to be had in keeping the Samba4
LDAP backends (OpenLDAP and Fedora DS/389) as a supported part of the
Samba4 AD DC codebase.

I should be clear, this is not about the support for LDAP backends in
the NT4 DC of Samba3, even after a Samba3/Samba4 merge. 

I don't propose to remove the ldb_map code that allows them to be
created, and I don't really have a view as to if the provision code
should be scrapped, but I wonder if we should stop having public
references to this functionality. 

In the time since the LDAP backend first came into being, the LDB
backend has gone from strength to strength, gaining our most important
feature:  DRS replication. 

At the same time, the LDAP backend is fixed schema (no dynamic update
currently supported), unsafe (no transactions) and really, really slow. 

The biggest problem is that it distracts users - we regularly get
questions about it, despite the de-motivational statement on the wiki:

> This page is a guide to setting up Samba4 to use a general purpose
> LDAP server as the backend. However, this mode of operation is not
> recommended and is only available to support some esoteric
> configurations. Even if you provision Samba4 with the LDAP backend,
> the clients will still communicate with the LDAP service provided by
> Samba4 on port 389 (this is necessary for correct operation as an
> Active Directory Domain Controller) and you'll still be forced to use
> the Active Directory schema. What's more, using the LDAP backend is
> incompatible with DRS replication. You have been warned.

Does anyone have any plans to further develop the LDAP backend that I
don't know of?  Is there any reason to keep it?  

My proposal, if accepted, would be simply to remove the wiki pages and
the ability to build the ldap-backend with provision (perhaps leaving an
option for the test scripts).  

When we later need to make some change that is directly incompatible
with the LDAP backend, then we can easily decide to do that later,
knowing it is no longer a goal.

What do folks think?

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
