OpenLDAP and Samba4

Andrew Bartlett abartlet at
Sun Apr 21 17:47:37 MDT 2013

On Sun, 2013-04-21 at 09:31 +0200, Volker Lendecke wrote:
> On Fri, Apr 19, 2013 at 02:55:23PM -0700, Jeremy Allison wrote:
> > On Fri, Apr 19, 2013 at 01:14:06PM -0700, Matthieu Patou wrote:
> > 
> > > The biggest part of our "LDAP" code is in the ldb modules unless I
> > > misunderstood something and either with tdb or openldap as the
> > > backend we will have to support this.
> > 
> > I'd still rather that code be in OpenLDAP rather
> > than Samba :-).
> What do you exactly mean by this? There's quite a bit of
> logic in the ldb modules that need to be part of the LDAP
> operations but that are definitely AD specific. I'd host
> most of that inside the Samba source code and load as
> modules into OpenLDAP.
> Another concern Tridge had with OpenLDAP was configuration
> complexity, but that was well before the config-ldap stuff.
> I think nowadays we could fire off a slapd and configure it
> completely via some privileged socket, right?

When we had the OpenLDAP backend, we solved the configuration complexity
simply by writing out the configuration files.  While it was what
started the whole LDB thing, that isn't what concerns me most about this
at this time.

As you say, most of the logic in being an AD DC turns out to live in our
LDB modules.  LDAP isn't a bolt-on - heck, even Kerberos bolts on more
than LDAP does!

The idea of uprooting that working module stack is what doesn't appeal
to me.  There is a very, very long road between 'working demo' (it might
take less than a week to hack us back to the state we had this as a
experimental feature) and 'works for all the corner cases'.  At a point
where we are focussing on supporting our users in production, I'm not at
all keen on replacing another core component.  Even the much-demanded
replacement of winbind looms larger than I'm comfortable with at this

Howard and I go back a long time, and I'm always happy to talk about
this effort, because we didn't document very clearly why we found it to
be a dead-end at the time.  But I don't want to raise any false hopes -
most of the 3 years I spent at Red Hat was on the premise that an LDAP
backend was the future direction for the then 'Samba4' project, but I
just couldn't make it work.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
