OpenLDAP and Samba4

Matthieu Patou
Fri Apr 19 14:14:06 MDT 2013

On 04/19/2013 09:59 AM, Jeremy Allison wrote:
> On Thu, Apr 18, 2013 at 09:23:08PM -0700, Matthieu Patou wrote:
>> So first of all, the biggest question is why do we want that?
> Resources. We don't have the resources to support an LDAP
> server long term.
Do you know what our LDAP server is?
The LDAP server of samba is just a couple of files:


And even with openldap backend this code is exercised.

The biggest part of our "LDAP" code is in the ldb modules, unless I 
misunderstood something, and with either tdb or openldap as the backend 
we will have to support this.

I'm sure someone will object with the LDAP controls, but the truth is 
that most of the AD controls need such intimate knowledge of the 
database that they can't be implemented in the backend; they have to be 
in the samdb.
> Howard, via OpenLDAP does. He
> wants OpenLDAP to be *the* AD LDAP server, and is willing
> to work with us in order to get the code changes we need
> integrated. I'd like to take him up on that offer.
OK, I want to see what the proposal is, but if it's "just" to have 
openldap as the backend for the ldb database I think it has almost no value.
>> Due to AD constraints it means that when openldap is the backend for
>> Samba AD it has to be dedicated to Samba; all access should be done
>> through Samba because any change made through DCERPC servers
>> (Netlogon, DRS, LSA, ...) must be seen immediately in the LDAP
>> server, and also the other way around.
> Sure - we would have to back-end DCERPC services onto
> the LDAP store, that's understood. Remember, Luke Howard
> already did this for XAD.
>> Also, as there are huge constraints on how the partitions must be
>> organized and how the schema must be structured, you can also
>> forget (correct me if I'm wrong) the idea of upgrading an openldap
>> installation to give it a Samba AD personality.
> Let's discuss with Howard.

Let me restate that we need to understand why this has value for us 
and/or our users, and this has to be tangible.
>> The second concern is LDAP transactions, so that we can honor LDB
>> transactions on this backend; this is required in order to correctly
>> support DRS replication (AD-to-AD replication).
> Again, Howard is willing to add what we need.
Yeah, this seems to be quite achievable.
>> The third concern is automated testing: currently every single commit
>> to the samba repository yields a set of tests to reduce the risk of
>> regression. For the moment tests only use the latest and greatest
>> version of LDAP and our internal LDAP server. If Openldap is added
>> as another backend we need to understand how we integrate this so
>> that we always do some tests against the Openldap backend. It might
>> mean linking with our socket_wrapper library.
> This is code-mongering, fiddly, but doable. We can do this if we have
> the cooperation of the OpenLDAP coders.
OK, in computer science everything is possible; the question is what 
the practical solution for this is. So this must be addressed and a quite 
detailed proposal has to be made.

If I take the example of Bind9, which is not completely a first-class 
citizen DNS server, we are "supporting" version 9.8 (n - 1) and version 
9.9 (version n). Not all the distributions have version 9.8 (Debian 
stable has 9.7 for the moment) and most of the "server class" distros 
have only 9.8.
Back to Openldap: it would mean that we would have to test on the stable 
version and on the latest dev one, and cross our fingers that we don't 
require too many of the features in the dev version.


Matthieu Patou
Samba Team
