Should we keep the Samba4 LDAP backend?

Gennady G. Marchenko gennady.marchenko at
Fri Apr 1 02:55:26 MDT 2011


I think the LDAP backend in Samba4 must be kept. There are many 
priceless features that are supported by OpenLDAP and users can use them 
transparently (many types of TRANSPARENT replication, integration of many 
services (company's internal too) in one LDAP entry and more and more) 
without changing the code of a high-level application (such as Samba4).

I planned to move all deployed applications from smb3->smb4 and I will 
fail at that entirely (!) if you remove the LDAP backend from Samba4 :( I don't 
think I am alone here.

Best wishes,

01.04.2011 12:29, Andrew Bartlett wrote:
> I'm wondering if there is much value to be had in keeping the Samba4
> LDAP backends (OpenLDAP and Fedora DS/389) as a supported part of the
> Samba4 AD DC codebase.
> I should be clear, this is not about the support for LDAP backends in
> the NT4 DC of Samba3, even after a Samba3/Samba4 merge.
> I don't propose to remove the ldb_map code that allows them to be
> created, and I don't really have a view as to if the provision code
> should be scrapped, but I wonder if we should stop having public
> references to this functionality.
> In the time since the LDAP backend first came into being, the LDB
> backend has gone from strength to strength, gaining our most important
> feature:  DRS replication.
> At the same time, the LDAP backend is fixed schema (no dynamic update
> currently supported), unsafe (no transactions) and really, really slow.
> The biggest problem is that it distracts users - we regularly get
> questions about it, despite the de-motivational statement on the wiki:
>> This page is a guide to setting up Samba4 to use a general purpose
>> LDAP server as the backend. However, this mode of operation is not
>> recommended and is only available to support some esoteric
>> configurations. Even if you provision Samba4 with the LDAP backend,
>> the clients will still communicate with the LDAP service provided by
>> Samba4 on port 389 (this is necessary for correct operation as an
>> Active Directory Domain Controller) and you'll still be forced to use
>> the Active Directory schema. What's more, using the LDAP backend is
>> incompatible with DRS replication. You have been warned.
> Does anyone have any plans to further develop the LDAP backend that I
> don't know of?  Is there any reason to keep it?
> My proposal, if accepted, would be simply to remove the wiki pages and
> the ability to build the ldap-backend with provision (perhaps leaving an
> option for the test scripts).
> When we later need to make some change that is directly incompatible
> with the LDAP backend, then we can easily decide to do that later,
> knowing it is no longer a goal.
> What do folks think?
> Andrew Bartlett
