Should we keep the Samba4 LDAP backend?

Stefan (metze) Metzmacher metze at
Fri Apr 1 03:20:18 MDT 2011

Am 01.04.2011 10:29, schrieb Andrew Bartlett:
> I'm wondering if there is much value to be had in keeping the Samba4
> LDAP backends (OpenLDAP and Fedora DS/389) as a supported part of the
> Samba4 AD DC codebase.
> I should be clear, this is not about the support for LDAP backends in
> the NT4 DC of Samba3, even after a Samba3/Samba4 merge. 
> I don't propose to remove the ldb_map code that allows them to be
> created, and I don't really have a view as to if the provision code
> should be scrapped, but I wonder if we should stop having public
> references to this functionality. 
> In the time since the LDAP backend first came into being, the LDB
> backend has gone from strength to strength, gaining our most important
> feature:  DRS replication. 
> At the same time, the LDAP backend is fixed schema (no dynamic update
> currently supported), unsafe (no transactions) and really, really slow. 
> The biggest problem is that it distracts users - we regularly get
> questions about it, despite the de-motivational statement on the wiki:
>> This page is a guide to setting up Samba4 to use a general purpose
>> LDAP server as the backend. However, this mode of operation is not
>> recommended and is only available to support some esoteric
>> configurations. Even if you provision Samba4 with the LDAP backend,
>> the clients will still communicate with the LDAP service provided by
>> Samba4 on port 389 (this is necessary for correct operation as an
>> Active Directory Domain Controller) and you'll still be forced to use
>> the Active Directory schema. What's more, using the LDAP backend is
>> incompatible with DRS replication. You have been warned.
> Does anyone have any plans to further develop the LDAP backend that I
> don't know of?  Is there any reason to keep it?  
> My proposal, if accepted, would be simply to remove the wiki pages and
> the ability to build the ldap-backend with provision (perhaps leaving an
> option for the test scripts).  
> When we later need to make some change that is directly incompatible
> with the LDAP backend, then we can easily decide to do that later,
> knowing it is no longer a goal.
> What do folks think?


If someone needs OpenLDAP we could think about implementing replication,
so that OpenLDAP can be a read-only slave.

