Should we keep the Samba4 LDAP backend?
Stefan (metze) Metzmacher
metze at samba.org
Fri Apr 1 03:20:18 MDT 2011
On 01.04.2011 10:29, Andrew Bartlett wrote:
> I'm wondering if there is much value to be had in keeping the Samba4
> LDAP backends (OpenLDAP and Fedora DS/389) as a supported part of the
> Samba4 AD DC codebase.
>
> I should be clear, this is not about the support for LDAP backends in
> the NT4 DC of Samba3, even after a Samba3/Samba4 merge.
>
> I don't propose to remove the ldb_map code that allows them to be
> created, and I don't really have a view as to if the provision code
> should be scrapped, but I wonder if we should stop having public
> references to this functionality.
>
> In the time since the LDAP backend first came into being, the LDB
> backend has gone from strength to strength, gaining our most important
> feature: DRS replication.
>
> At the same time, the LDAP backend is fixed schema (no dynamic update
> currently supported), unsafe (no transactions) and really, really slow.
>
> The biggest problem is that it distracts users - we regularly get
> questions about it, despite the de-motivational statement on the wiki:
>
> https://wiki.samba.org/index.php/Samba4/LDAP_Backend#.28De.29motivation
>
>> This page is a guide to setting up Samba4 to use a general purpose
>> LDAP server as the backend. However, this mode of operation is not
>> recommended and is only available to support some esoteric
>> configurations. Even if you provision Samba4 with the LDAP backend,
>> the clients will still communicate with the LDAP service provided by
>> Samba4 on port 389 (this is necessary for correct operation as an
>> Active Directory Domain Controller) and you'll still be forced to use
>> the Active Directory schema. What's more, using the LDAP backend is
>> incompatible with DRS replication. You have been warned.
>
> Does anyone have any plans to further develop the LDAP backend that I
> don't know of? Is there any reason to keep it?
>
> My proposal, if accepted, would be simply to remove the wiki pages and
> the ability to build the ldap-backend with provision (perhaps leaving an
> option for the test scripts).
>
> When we later need to make some change that is directly incompatible
> with the LDAP backend, then we can easily decide to do that later,
> knowing it is no longer a goal.
>
> What do folks think?
+1
If someone needs OpenLDAP we could think about implementing replication,
so that OpenLDAP can be a read-only slave.
metze