OpenLDAP and Samba4

Matthieu Patou mat at
Sat Apr 20 12:19:43 MDT 2013

On 04/20/2013 07:19 AM, Simo wrote:
> On 04/20/2013 06:17 AM, Luke Howard wrote:
>> On 20/04/2013, at 7:32 AM, Gémes Géza <geza at> wrote:
>>> Sorry to express my own opinion as not a samba team member or 
>>> regular developer (a few small patches don't count), but instead of 
>>> trying to use OpenLDAP as a backend for samba, wouldn't it be useful to 
>>> try to use tdb/ldb as the backend for OpenLDAP and to see what other 
>>> changes are needed in order to have it listen on 389/tcp and 636/tcp 
>>> on behalf of Samba, something like the s3fs setup?
>> That's not a bad idea: enforce the “business logic” (i.e. SAM 
>> constraints, etc) in the actual backend database itself, rather than 
>> in the layer between the protocol and the backend database. (We did 
>> something similar, but much simpler, with the NetInfo backend for 
>> OpenLDAP some years ago.)
>> However: Howard and the OpenLDAP team have invested a lot in backend 
>> database design (see back-mdb) and I would expect they'd like to 
>> leverage this, not just the protocol front-end.
> Not only them, I would really like to use OpenLDAP's infinitely more 
> efficient code for Samba itself.
Patches are welcome!
> We do have a working system but it has always been prototype-level 
> code when it comes to performance, and our focus should be 
> functionality not wasting years in performance tuning, especially 
> given that work has already been done in OpenLDAP.
> I would use LDB as a backend as a transition method
So using LDB as the backend to OpenLDAP is, for the moment, something that 
we haven't done. I'm not saying it's not possible, but for the moment we 
have nothing; the only thing that we had once was OpenLDAP as the 
backend of LDB. As the discussion seems to be going on, I have the 
impression that it's not the way we want to go, and that's good news 
because this way doesn't have a lot of value to me.

Using LDB-TDB as the backend to OL is maybe not too complicated and 
shouldn't require LDAP transactions as LDB-TDB supports them and they 
are required for the RPC code.

> and slowly but steadily migrate one module after the other into an 
> OpenLDAP overlay. 
Pardon my stupidity, but I'm not understanding how OL with LDB 
would help migrating to an MDB backend.
In my opinion, moving to an MDB backend or samdb being an OL overlay is a 
huge rewrite of our code. Nothing is impossible, but I'd like to recall 
Jeremy's quote: "How many of you know projects that have succeeded in doing 
a rewrite from scratch?", because although we have separate modules they 
are pretty much interdependent.
To my candid eyes it looks like proposing the same thing that was 
proposed a couple of years ago for migrating from smbd to ntvfs.
While some spend time migrating, the current samdb will change in order 
to fix bugs or implement still-missing features; this has to be put into 
the equation.

> OpenLDAP also already solved properly multithreading issues, something 
> our current LDAP backend is not good at either. So there are many 
> reasons to move to a mature technology now that the exploration and 
> experimentation phase to find out AD peculiarities is basically over.
> We know what we need now, it is mostly not blind development anymore.
Sure, just a lot of time to do it; who is ready to do it? It's not as 
if our current implementation had a perfect feature match with the other 
implementation. As far as I'm concerned, I'm more interested in adding new 
features, fixing bugs, and fixing performance issues that won't be fixed 
automatically by moving to overlays, rather than doing the move to OL, 
but if others want to do it, why not, although I didn't have the impression 
that we had so many resources idle to handle this task.


Matthieu Patou
Samba Team

More information about the samba-technical mailing list