Should we keep the Samba4 LDAP backend?

Tomasz Czapiewski xeros at
Fri Apr 1 03:54:54 MDT 2011

On Fri, 1 Apr 2011, Andrew Bartlett wrote:

> On Fri, 2011-04-01 at 12:55 +0400, Gennady G. Marchenko wrote:
>> Andrew!
>>     I think the LDAP backend in Samba4 must be kept. There are many
>> priceless features that are supported by OpenLDAP and that users can use
>> transparently (many types of TRANSPARENT replication, integration of many
>> services (the company's internal ones too) in one LDAP entry, and more and more)
>> without changing the code of the high-level application (such as Samba4).
>> I planned to move all deployed applications from smb3->smb4 and I will
>> fail at that entirely (!) if you remove the LDAP backend from Samba4 :( I don't
>> think I am alone here.
> I should be clear, because I think there is some confusion.  There are
> some important facts here:
> - The Samba4 LDAP backend never worked.  It looked like it might work,
> but there were always problems, things that could not be easily
> supported.
> - The Samba4 LDAP backend was unsafe.  Samba4 relies on having
> transaction support in its backend database.  The LDAP backend just
> bluffed and ignored that.
> - The Samba4 LDAP backend never used the same schema as Samba3 or
> typical LDAP installations, so a direct migration has never been
> possible (it uses the AD schema).  Attempts to write mapping backends
> between samba3 and Samba4/AD failed (Red Hat made a serious attempt).
> - Samba4 will always provide its own LDAP server, as is required to be
> an AD server, and will provide that on port 389 as normal.  The LDAP
> backend was never directly able to be accessed by clients, so no plan to
> use or not use Samba4 should be impacted by this.
> I know OpenLDAP and Fedora DS/389 are great LDAP servers, but they are
> not well suited to being AD-like LDAP servers in the model Samba4 uses
> because they don't support key features like AD-interoperable
> replication.
> Andrew Bartlett

Could you help me understand what can or can't be done using LDB backend 
of Samba4?

I've posted a mail asking whether my plan is achievable using 
Samba4. I'll quote it at the end of this email.
I have probably misunderstood the LDAP vs LDB backend naming.
Could you tell me which of these could be done using the LDAP or LDB 
backends? What can't be done if you drop the LDAP backend?
(other services, like dhcp, dns, mail, jabber are as important as 
Samba is, and their integration would be great)

Tomasz Czapiewski

Quote mail from Feb 16 2011:
Subject: Samba4 Alpha 15 as LDAP server authentication for other services

I'm planning to use Samba Alpha 15 not only for Active Directory but 
also to extend its schema so that its backend can be used for other services like:
a) hardware:
- switches that have option for LDAP (getting MAC addresses of machines 
and set them to VLANs),
- UTM that has both LDAP and AD options (here it would be both users and 
machines for network access),
- network printers with LDAP or AD usage options (for binding access to 
specific users, not important to have that),
- network scanners with LDAP usage option (not sure if I need it),
b) software:
- Postfix and Cyrus as mail server (authenticate users and get/set their 
e-mail addresses) [top priority],
- Squid proxy server (access for AD users, to track sites visited by 
- ejabberd Jabber server (users and passwords) [top priority],
- Bind9 DNS server (network names for workstations and site domain, site 
domain might be outside in typical bind config and delegation files)
- DHCP server (MACs for machines and some options for network boot, might 
be outside of AD in case of problems(?))

As for AD, I'll have PCs with Windows XP and Windows 7 workstations and I 
- GPO [top priority]
- roaming profiles with registry, Desktop, Documents, application settings 
kept on the server, without storing files on workstation disks, [top 
- only network printers, no need to share printers by workstations or 
server, [top priority for using network printers by direct connections to 
their IPs
at 9100 port]
- block USB storage driver for workstations
- enforce proxy settings

I have a few Linux servers and workstations, too, that I might connect to 
the LDAP of Samba4, but that's not a priority now.

I've read the wiki info about different backends like OpenLDAP or Fedora_DS 
and their restrictions...
But what about the Samba4 builtin LDAP backend? Would such a configuration work 
on it now?
How does the builtin LDAP backend currently behave when extending its schema for 
other services?
Can I achieve it with Samba4 at current state?

As for passwords for other services, it's not necessary to use Samba4 AD 
passwords; such passwords might be created at profile creation using 
scripts, but they only need to be bound to AD user objects.

And only [top priority] options are really needed, I can drop other 
options in case of problems implementing them.
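The thread's safety argument (a backend that accepts transaction calls but does not honour them) is easier to see with a small simulation. The following is an added example, not code from Samba or from anyone in this thread: it models a directory as a dictionary, implements one store with real begin/commit/rollback and one that bluffs (every write is immediately durable), and runs the same two-step provisioning (create a user, then add it to a group) against both. The entry names, attribute names and the store classes are constructed for the example.

```python
"""Simulation of why a directory backend that ignores transactions is unsafe.

Added example, not Samba code. Two writes that belong together (create a
user, then add it to a group) are run inside a transaction against a store
that honours begin/commit/rollback and against one that only pretends to.
"""

import copy


class TransactionalStore:
    """Minimal DN -> attributes directory with real transaction support."""

    def __init__(self):
        self.entries = {}
        self._snapshot = None

    def begin(self):
        # Snapshot the whole directory so a failed transaction can be undone.
        self._snapshot = copy.deepcopy(self.entries)

    def commit(self):
        self._snapshot = None

    def rollback(self):
        # Restore the pre-transaction state; partial writes disappear.
        self.entries = self._snapshot
        self._snapshot = None

    def add(self, dn, attrs):
        if dn in self.entries:
            raise KeyError("entry already exists: " + dn)
        self.entries[dn] = dict(attrs)

    def modify(self, dn, attr, value):
        # Raises KeyError if the entry does not exist.
        self.entries[dn][attr] = value


class BluffingStore(TransactionalStore):
    """Accepts the same calls, but begin/rollback are no-ops: each write is
    durable the moment it happens, which is how the thread describes the old
    LDAP backend behaving."""

    def begin(self):
        pass

    def rollback(self):
        pass


# Constructed sample DNs for the example.
USER_DN = "cn=alice,cn=users,dc=example,dc=com"
GROUP_DN = "cn=staff,cn=users,dc=example,dc=com"


def provision_user(store, user_dn, group_dn):
    """Create a user and add it to a group as one unit of work.

    Returns True on success, False if the transaction was rolled back.
    """
    store.begin()
    try:
        store.add(user_dn, {"objectClass": "user", "sAMAccountName": "alice"})
        current = store.entries[group_dn].get("member", [])  # KeyError if missing
        store.modify(group_dn, "member", list(current) + [user_dn])
        store.commit()
        return True
    except KeyError:
        store.rollback()
        return False


def orphan_after_failed_provision(store_cls):
    """Run provisioning against an empty store (group missing, so step two
    fails) and report whether the half-created user was left behind."""
    store = store_cls()
    ok = provision_user(store, USER_DN, GROUP_DN)
    return (ok, USER_DN in store.entries)


def demo():
    return {
        "transactional": orphan_after_failed_provision(TransactionalStore),
        "bluffing": orphan_after_failed_provision(BluffingStore),
    }


if __name__ == "__main__":
    for name, (ok, orphan) in demo().items():
        print(f"{name:14s} succeeded={ok} orphaned_user_left={orphan}")
```

With the honouring store the failed group update rolls the user creation back and the directory is unchanged; with the bluffing store the same code path leaves an orphaned user object that no caller asked for, which is the class of inconsistency Andrew's message is warning about.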

More information about the samba-technical mailing list