OpenLDAP and Samba4
geza at kzsdabas.hu
Sat Apr 20 11:55:13 MDT 2013
On 2013-04-20 19:28, Matthieu Patou wrote:
> On 04/19/2013 10:32 PM, Gémes Géza wrote:
>>> On Fri, Apr 19, 2013 at 01:14:06PM -0700, Matthieu Patou wrote:
>>>> The biggest part of our "LDAP" code is in the ldb modules unless I
>>>> misunderstood something and either with tdb or openldap as the
>>>> backend we will have to support this.
>>> I'd still rather that code be in OpenLDAP rather
>>> than Samba :-).
>>>> Ok I want to see what is the proposal but if it's "just" to have
>>>> openldap as the backend for ldb database I think it has almost no
>>> No, I don't think just remoting stuff is what
>>> we want. We want better integration - both
>>> sides will need to change.
>>>> Let me restate that we need to understand why this has value for us
>>>> or/and our users and this has to be tangible.
>>>> Ok in computer science everything is possible the question is what
>>>> is the practical solution for this. So this must be addressed and a
>>>> quite detailed proposal has to be made.
>>> Yep. This conversation is meant not as a "we'll do
>>> this tomorrow" kind of thing, more of a "how do we
>>> get there" conversation.
>>> When I spoke to Howard I made it clear that this
>>> wasn't in the 4.0.x timeframe, nor even in the 4.1.x
>>> timeframe - more likely a Samba 5.x release, however
>>> I still think it's a good goal to move towards.
>>>> If I take the example of Bind9 which is not completely a 1st class
>>>> citizen DNS server, we are "supporting" version 9.8 (n - 1) and
>>>> version 9.9 (version n) not all the distribution have the version
>>>> 9.8 (debian stable has 9.7 for the moment) and most of the "server
>>>> class" distro has only 9.8.
>>> Bind hasn't offered resources to work directly
>>> with us to make them our "preferred" DNS server,
>>> OpenLDAP have. That's the difference to me :-).
>>>> Back to Openldap it would mean that we would have to test on the
>>>> stable version and on the latest dev one and cross the finger to not
>>>> require too much the features in the dev version.
>>> I think it's fine to prototype this in dev versions
>>> of both Samba and OpenLDAP. This is going to take
>>> a while if we can get there at all.
>> Sorry to express my own opinion as not a samba team member or regular
>> developer (a few small patches don't count), but instead of trying to
>> use OpenLDAP as a backend for samba, wouldn't it be useful to try to use
>> tdb/ldb as the backend for OpenLDAP and to see what other changes are
>> needed in order to have it listen on 389/tcp and 636/tcp on behalf of
>> Samba, something like the s3fs setup?
> Why not but I'm far from being convinced of the interest of this the
> core of our LDAP server is pretty thin and everything is then most of
> the heavy lifting is done in samdb, so there would be imho not so much
> advantage of doing so.
On the other hand such a change would mean a new backend for OpenLDAP
and the possibility to better analyze the performance implications. At
the same time porting samdb to another storage database (e.g. to mdb
used by OpenLDAP), while being a huge task, could also be interesting
performance-wise. I don't see any other way to compare (stock) OpenLDAP
and the built-in LDAP server performance-wise, because of the functionality
differences they represent today.
Just my 2c's.