OpenLDAP and Samba4
mat at matws.net
Thu Apr 18 22:23:08 MDT 2013
On 04/17/2013 02:58 PM, Howard Chu wrote:
> Hey there list, Andrew... I keep meaning to have this discussion with
> Andrew and then it always slips by, but this time for sure.
> I'll keep this short - my colleagues at Symas want to know what it
> will take to bring OpenLDAP up to date to be usable directly by Samba
> as a first-class recommended option, not just "yeah that should work
> but..." I've reviewed some of the previous discussions on this topic
> in the archives, but I suspect some of those points are now out of date.
> I recall that we need to implement LDAP Transaction support, but of
> course that's just one of many missing features. Also, are there
> developers on the Samba team who can spend some time with us to make
> sure that what we write actually fits with how Samba uses things?
Andrew B. is off this week, but we have discussed this subject several times.

So first of all, the biggest question is: why do we want that?

Due to AD constraints, it means that when OpenLDAP is the backend for
Samba AD it has to be dedicated to Samba; all access should be done
through Samba, because any change made through DCERPC servers (Netlogon,
DRS, LSA, ...) must be seen immediately in the LDAP server, and also the
other way around.

Also, as there are huge constraints on how the partitions must be
organized and how the schema must be structured, you can also forget
(correct me if I'm wrong) the idea of upgrading an OpenLDAP installation
to give it a Samba AD personality.

The second concern is LDAP transactions, so that we can honor LDB
transactions on this backend; this is required in order to correctly
support DRS replication (AD to AD replication).

The third concern is automated testing: currently every single commit to the
Samba repository yields a set of tests to reduce the risk of regression.
For the moment, tests only use the latest and greatest version of LDAP
and our internal LDAP server. If OpenLDAP is added as another backend, we
need to understand how we integrate this so that we always run some
tests against the OpenLDAP backend. It might mean linking with our

For the moment nothing else comes to my memory, but maybe some
other stuff will come back to me.