OpenLDAP and Samba4
jra at samba.org
Fri Apr 19 10:59:40 MDT 2013
On Thu, Apr 18, 2013 at 09:23:08PM -0700, Matthieu Patou wrote:
> So 1st of all the biggest question is why do we want that ?
Resources. We don't have the resources to support an LDAP
server long term. Howard, via OpenLDAP does. He
wants OpenLDAP to be *the* AD LDAP server, and is willing
to work with us in order to get the code changes we need
integrated. I'd like to take him up on that offer.
> Due to AD constraints it means that when openldap is the backend for
> Samba AD it has to be dedicated to Samba; all access should be done
> through Samba because any change made through DCERPC servers
> (Netlogon, DRS, LSA, ...) must be seen immediately in the LDAP
> server and also the other way around.
Sure - we would have to back-end DCERPC services onto
the LDAP store, that's understood. Remember, Luke Howard
already did this for XAD.
> Also as there are huge constraints on how the partitions must be
> organized and how the schema must be structured, you can also
> forget (correct me if I'm wrong) the idea of upgrading an openldap
> installation to give it a Samba AD personality.
Let's discuss with Howard.
> Second concern is the LDAP transaction so that we can honor LDB
> transaction on this backend, this is required in order to support
> correctly DRS replication (AD to AD replication).
Again, Howard is willing to add what we need.
> Third concern is automated testing, currently every single commit to
> the samba repository yields a set of tests to reduce the risk of
> regression. For the moment tests only use the latest and greatest
> version of LDAP and our internal LDAP server. If Openldap is added
> as another backend we need to understand how we integrate this so
> that we always do some tests against the Openldap backend. It might
> mean linking with our socket_wrapper library.
This is code-mongering, fiddly, but doable. We can do this if we have
the cooperation of the OpenLDAP coders.