OpenLDAP and Samba4

Matthieu Patou mat at matws.net
Thu Apr 18 22:23:08 MDT 2013


Hello Howard,

On 04/17/2013 02:58 PM, Howard Chu wrote:
> Hey there list, Andrew... I keep meaning to have this discussion with 
> Andrew and then it always slips by, but this time for sure.
>
> I'll keep this short - my colleagues at Symas want to know what it 
> will take to bring OpenLDAP up to date to be usable directly by Samba 
> as a first-class recommended option, not just "yeah that should work 
> but..." I've reviewed some of the previous discussions on this topic 
> in the archives, but I suspect some of those points are now out of date.
>
> I recall that we need to implement LDAP Transaction support, but of 
> course that's just one of many missing features. Also, are there 
> developers on the Samba team who can spend some time with us to make 
> sure that what we write actually fits with how Samba uses things?
Andrew B. is off this week but we discussed this subject several time.

So 1st of all the biggest question is why do we want that ?
Due to AD constraints it means that when openldap is the backend for 
Samba AD it has to be dedicated to Samba all access should be done 
through Samba because any change made through DCERPC servers (Netlogon, 
DRS, LSA, ...) must be seen immediately in the LDAP server and also the 
other way around.
Also as there is huge constraints on how the partitions must be 
organized and how the schema must be structured so you can also forget 
(correct me if I'm wrong) the idea of upgrading an openldap installation 
to give a Samba AD personality.

Second concern is the LDAP transaction so that we can honor LDB 
transaction on this backend, this is required in order to support 
correctly DRS replication (AD to AD replication).

Third concern is automated testing, currently every single commit the 
samba repository yield a set of tests to reduce the risk of regression. 
For the moment tests only use the latest and greatest version of LDAP 
and our internal LDAP server. If Openldap is added as another backend we 
need to understand how do we integrate this so that we always do some 
tests against the Openldap backend. It might mean linking with our 
socket_wrapper library.

For the moment I have nothing that comes to my memory but maybe some 
other stuff will come back to my memory.

Matthieu.


More information about the samba-technical mailing list