Should we keep the Samba4 LDAP backend?

Matthias Dieter Wallnöfer mdw at
Fri Apr 1 03:26:07 MDT 2011

Hi Gennady,

have you really ever tried the *s4* LDAP backend (we are not 
discussing the s3 one, which really works well!)?

At the moment we are running into major problems due to the lack of LDAP 
transactions. Scripts such as "upgradeprovision" are totally broken (see the 
bug report in bugzilla) since the mentioned LDAP servers don't allow 
certain very low-level changes. It would require big efforts to 
create new APIs in these third-party programs to allow these. By 
doing this we get more and more implementation-specific and move away 
from LDAP standards.
You can consider our model as a full LDAP server on top of another full 
LDAP server - which is very different from the one s3 uses.

Hence I prefer also abartlet's opinion on deprecating these (unless 
someone outside the team gets new interest in supporting it).

Matthias Wallnöfer

Gennady G. Marchenko wrote:
> Andrew!
>    I think the ldap backend in Samba4 must be kept. There are many 
> priceless features that are supported by openldap and that users can use 
> transparently (many types of TRANSPARENT replication, integration of 
> many services (company-internal ones too) in one LDAP entry and more and 
> more) without changing the code of the high-level application (such as samba4).
> I planned to move all deployed applications from smb3->smb4 and I will 
> fail at that completely (!) if you remove the ldap backend from samba4 :( I don't 
> think I am alone here.
> Best wishes,
> Gennady.
> 01.04.2011 12:29, Andrew Bartlett wrote:
>> I'm wondering if there is much value to be had in keeping the Samba4
>> LDAP backends (OpenLDAP and Fedora DS/389) as a supported part of the
>> Samba4 AD DC codebase.
>> I should be clear, this is not about the support for LDAP backends in
>> the NT4 DC of Samba3, even after a Samba3/Samba4 merge.
>> I don't propose to remove the ldb_map code that allows them to be
>> created, and I don't really have a view as to if the provision code
>> should be scrapped, but I wonder if we should stop having public
>> references to this functionality.
>> In the time since the LDAP backend first came into being, the LDB
>> backend has gone from strength to strength, gaining our most important
>> feature:  DRS replication.
>> At the same time, the LDAP backend is fixed schema (no dynamic update
>> currently supported), unsafe (no transactions) and really, really slow.
>> The biggest problem is that it distracts users - we regularly get
>> questions about it, despite the de-motivational statement on the wiki:
>>> This page is a guide to setting up Samba4 to use a general purpose
>>> LDAP server as the backend. However, this mode of operation is not
>>> recommended and is only available to support some esoteric
>>> configurations. Even if you provision Samba4 with the LDAP backend,
>>> the clients will still communicate with the LDAP service provided by
>>> Samba4 on port 389 (this is necessary for correct operation as an
>>> Active Directory Domain Controller) and you'll still be forced to use
>>> the Active Directory schema. What's more, using the LDAP backend is
>>> incompatible with DRS replication. You have been warned.
>> Does anyone have any plans to further develop the LDAP backend that I
>> don't know of?  Is there any reason to keep it?
>> My proposal, if accepted, would be simply to remove the wiki pages and
>> the ability to build the ldap-backend with provision (perhaps leaving an
>> option for the test scripts).
>> When we later need to make some change that is directly incompatible
>> with the LDAP backend, then we can easily decide to do that later,
>> knowing it is no longer a goal.
>> What do folks think?
>> Andrew Bartlett
