OpenLDAP and Samba4

Andrew Bartlett abartlet at
Sun Apr 21 17:55:36 MDT 2013

On Sun, 2013-04-21 at 15:00 -0700, Matthieu Patou wrote:
> On 04/21/2013 12:36 AM, Volker Lendecke wrote:
> > On Sat, Apr 20, 2013 at 11:19:43AM -0700, Matthieu Patou wrote:
> >>> and slowly but steadily migrate one module after the other into an
> >>> OpenLDAP overlay.
> >> Pardon my stupidity but I'm not understanding how the OL with LDB
> >> this would help migrating to a mdb backend.
> >> In my opinion moving to an MDB backend or samdb being an OL overlay
> >> is a huge rewrite of our code, nothing impossible but I'd like to
> >> remind the quote of Jeremy: "How many of you know project that have
> >> succeeded doing a rewrite from scratch", because although we have
> >> separate modules they are pretty much interdependent.
> > So what we need is a possibly hackish way to make this work
> > *now* with all the modules work on top of a slapd. If the
> > transactions are a concern, hack them into an extended
> > operation. Even if they stall all of the rest of OpenLDAP,
> > it won't be worse than what we have now.
> Can you develop this point, why the current situation is that bad?

This is how I feel about this situation.  I know it would be really cool
to involve Howard more in our efforts, but for better or worse, we have
a working, tested and production solution.  We could perhaps do with
improving the efficiency of the very base level of LDB, but I'm actually
very happy with where we are.  It is quite complex code, but it has an
extensive test-suite, isn't costing us a lot of energy in its current
state, and handles things like full AD ACLs based on the PAC, besides
many other quite-non-standard behaviours. 

> >   Then go and migrate
> > modules step by step. At some point in the future we then
> > might be able to make slapd listen itself on 389, but on the
> > way there we will benefit from OpenLDAP's better database
> > performance. If we have to solve module dependencies on
> > their way, that's going to be good for the code.
> Do not think that we have module dependencies like that just for the 
> sake of being fun, part of it is dictated by the complexity of AD.

I'm very happy with the state of our module dependencies.  The only
modules I would perhaps combine are linked_attributes and
repl_meta_data, but repl_meta_data is quite large enough on its own.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
