Should we keep the Samba4 LDAP backend?
aescanero at gmail.com
Fri Apr 1 04:38:02 MDT 2011
Although the whole AD schema can't be supported by OpenLDAP, a mechanism is
necessary to synchronize part of Samba4 with the current Samba3 + OpenLDAP tree.
I'm not thinking of synchronizing the whole AD tree, only a tool/method/anything
that can update (for example) an AD user's schema in OpenLDAP with the schema
There is no real necessity to map the whole AD tree, but things like OUs,
users, machines and groups must be synchronized.
Is there any tool/chance to get this solution?
2011/4/1 Andrew Bartlett <abartlet at samba.org>
> On Fri, 2011-04-01 at 11:54 +0200, Tomasz Czapiewski wrote:
> > On Fri, 1 Apr 2011, Andrew Bartlett wrote:
> > > On Fri, 2011-04-01 at 12:55 +0400, Gennady G. Marchenko wrote:
> > >> Andrew!
> > >>
> > >> I think the ldap backend in Samba4 must be kept. There are many
> > >> priceless features supported by openldap that users can use
> > >> transparently (many types of TRANSPARENT replication, integration of
> > >> services (company-internal ones too) in one LDAP entry and more and more)
> > >> without changing the code of high-level applications (such as samba4).
> > >>
> > >> I planned to move all deployed applications from smb3->smb4 and I will
> > >> fail at that completely (!) if you remove the ldap backend from samba4 :( I don't
> > >> think I am alone here.
> > >
> > > I should be clear, because I think there is some confusion. There are
> > > some important facts here:
> > > - The Samba4 LDAP backend never worked. It looked like it might work,
> > > but there were always problems, things that could not be easily
> > > supported.
> > > - The Samba4 LDAP backend was unsafe. Samba4 relies on having
> > > transaction support in its backend database. The LDAP backend just
> > > bluffed and ignored that.
> > > - The Samba4 LDAP backend never used the same schema as Samba3 or
> > > typical LDAP installations, so a direct migration has never been
> > > possible (it uses the AD schema). Attempts to write mapping backends
> > > between samba3 and Samba4/AD failed (Red Hat made a serious attempt).
> > > - Samba4 will always provide its own LDAP server, as is required to be
> > > an AD server, and will provide that on port 389 as normal. The LDAP
> > > backend was never directly accessible to clients, so no plan to
> > > use or not use Samba4 should be impacted by this.
> > >
> > > I know OpenLDAP and Fedora DS/389 are great LDAP servers, but they are
> > > not well suited to being AD-like LDAP servers in the model Samba4 uses,
> > > because they don't support key features like AD-interoperable
> > > replication.
> > >
> > > Andrew Bartlett
> > >
> > Could you help me understand what can or can't be done using the LDB backend
> > of Samba4?
> > I've posted a mail asking whether my plan is possible to achieve using
> > Samba4. I'll quote it at the end of this email.
> > I have probably misunderstood the LDAP vs LDB backend naming.
> > Could you tell me which of these could be done using the LDAP or LDB
> > backends? What can't be done if you drop the LDAP backend?
> > (other services, like dhcp, dns, mail, jabber, are as important as
> > Samba is and their integration would be great)
> Dropping the LDAP backend will generally make no difference to using
> Samba4 in any way that you can already use Microsoft's AD. The Samba4
> schema can be extended just like AD, in exactly the same way to support
> arbitrary additional data.
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
Alejandro Escanero Blanco
Administrador de Sistemas GNU/Linux
Desarrollador de GOsa (http://www.gosa-project.org)
Jabber: blainett at jabberes.com
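The one-way sync asked for at the top of this thread, and the schema mismatch Andrew describes, can be made concrete with a small attribute-mapping exercise. The following is an added illustration, not code from Samba, GOsa or anyone on this thread: it reads constructed AD-schema user entries (as a Samba4 DC would hand them out over LDAP, objectSid base64-encoded) and rewrites them as Samba3-style inetOrgPerson/sambaSamAccount/posixAccount entries for an OpenLDAP tree. The target base DN, the home-directory convention and the sample entries are assumptions. The point it makes is where a direct mapping stops: uidNumber/gidNumber only exist in AD when the RFC2307 attributes have been populated, and the NT hash cannot be copied because AD never returns unicodePwd over LDAP.

```python
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample input (not real directory data): two AD-schema user entries
# of the kind a Samba4 DC returns over LDAP. objectSid is binary in AD, so LDIF
# carries it base64-encoded behind '::'. Only alice has RFC2307 attributes.
AD_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
objectClass: user
cn: Alice Example
sAMAccountName: alice
givenName: Alice
sn: Example
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA6AMAAA==
uidNumber: 10001
gidNumber: 513

dn: CN=Bob Example,CN=Users,DC=example,DC=com
objectClass: user
cn: Bob Example
sAMAccountName: bob
givenName: Bob
sn: Example
userAccountControl: 514
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA6QMAAA==
"""

PEOPLE_BASE = "ou=People,dc=example,dc=com"   # assumed OpenLDAP layout
HOME_TEMPLATE = "/home/%s"                    # assumed convention
UAC_ACCOUNTDISABLE = 0x0002                   # bit in AD userAccountControl


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: 'attr: value' and 'attr:: base64', entries separated
    by blank lines. Base64 values are kept as text; callers decode as needed."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # '::' marks a base64 value
            value = value[1:]
        cur.setdefault(attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def sid_to_string(blob: bytes) -> str:
    """Binary SID (revision, sub-authority count, 48-bit big-endian authority,
    then 32-bit little-endian sub-authorities) -> 'S-1-5-21-...' text form."""
    rev, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID: length does not match sub-authority count")
    auth = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))


def acct_flags(uac: int) -> str:
    """userAccountControl -> sambaAcctFlags: '[U' plus 'D' when disabled,
    padded to 11 characters inside the brackets as Samba3 writes it."""
    flags = "U" + ("D" if uac & UAC_ACCOUNTDISABLE else "")
    return "[" + flags.ljust(11) + "]"


def map_user(ad: Entry) -> Tuple[Entry, List[str]]:
    """Map one AD user to a Samba3-style entry; also report what did not carry over."""
    warnings = []
    uid = ad["sAMAccountName"][0]
    out: Entry = {
        "dn": ["uid=%s,%s" % (uid, PEOPLE_BASE)],
        "objectClass": ["top", "inetOrgPerson", "sambaSamAccount"],
        "uid": [uid],
        "cn": ad.get("cn", [uid]),
        "sn": ad.get("sn", [uid]),
        "sambaSID": [sid_to_string(base64.b64decode(ad["objectSid"][0]))],
        "sambaAcctFlags": [acct_flags(int(ad.get("userAccountControl", ["512"])[0]))],
    }
    if "givenName" in ad:
        out["givenName"] = ad["givenName"]
    if "uidNumber" in ad and "gidNumber" in ad:
        out["objectClass"].append("posixAccount")
        out["uidNumber"], out["gidNumber"] = ad["uidNumber"], ad["gidNumber"]
        out["homeDirectory"] = [HOME_TEMPLATE % uid]
    else:
        warnings.append("%s: no uidNumber/gidNumber in AD (RFC2307 attributes unset); "
                        "posixAccount omitted" % uid)
    # AD never returns unicodePwd on read, so there is no hash to put into
    # sambaNTPassword; passwords need a separate path (e.g. a password change hook).
    warnings.append("%s: sambaNTPassword not set (unicodePwd is write-only in AD)" % uid)
    return out, warnings


def to_ldif(entry: Entry) -> str:
    lines = ["dn: " + entry["dn"][0]]
    for attr, values in entry.items():
        if attr != "dn":
            lines += ["%s: %s" % (attr, v) for v in values]
    return "\n".join(lines) + "\n"


def convert_all(text: str) -> List[Tuple[Entry, List[str]]]:
    return [map_user(e) for e in parse_ldif(text) if "sAMAccountName" in e]


if __name__ == "__main__":
    for entry, warns in convert_all(AD_LDIF):
        print(to_ldif(entry))
        for w in warns:
            print("# WARNING:", w)
```

Run as-is it prints the two converted entries plus warnings. The warnings are the practical content: alice maps cleanly because her RFC2307 attributes are set on the AD side, bob loses posixAccount, and neither gets a password hash, which is why a sync of "OUs, users, machines, groups" is feasible at the attribute level while a full migration in either direction is not.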