OpenLDAP and Samba4

Luke Howard lukeh at
Tue Apr 23 08:54:29 MDT 2013

> * CN is mono-valued in AD; OpenLDAP doesn't have this limitation, so if your current setup has objects with two CNs you're done.

There's a difference, of course, between migrating existing OpenLDAP deployments and just supporting OpenLDAP for new (or Samba4) ones. That would be a good thing to clarify goal-wise.

As Jeremy pointed out, it is definitely possible to have OpenLDAP enforce the AD DIT constraints. And, although my memory is hazy, I'm pretty sure that eDirectory supports multi-valued CNs and I don't actually remember any problems with Novell's DSfW vis-a-vis this.

> It has a schema attribute dhcpSubnet with OID 2.16.840.1.113719., but in the default AD schema it's 1.2.840.113556.1.4.705, so if you try to import the AD schema it won't work. You can tweak it, but then replication with other AD servers is unlikely to work.

Right, anytime you are doing this, the AD schema has to win (or at least, you need to present it as such).

When I was at Novell, we did a couple of things: if you came in on a non-AD port (e.g. 1389), or if you used a particular LDAP control, all of the dynamic AD mapping would be turned off. So you would get something that looked a lot closer to a normal LDAP server (obviously, still with a lot of extra attributes). We had far greater conflicts with attribute and class names than the typical OpenLDAP deployment (but on the other hand, eDirectory has a richer and more abstracted data model; the LDAP server was really just a protocol front-end).

-- Luke
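As an added example (not part of this thread, and not Samba, OpenLDAP or AD code), here are the two checks the exchange above describes, written as a small pre-migration script: flag entries whose cn is multi-valued (AD's cn is single-valued), and flag schema names that OpenLDAP and AD define under different OIDs, where the AD definition has to win. The LDIF export and both OID tables are constructed for illustration; the AD OID for dhcpSubnet is the value quoted in the thread, the OpenLDAP-side OIDs are placeholders under the 2.16.840.1.113719 arc, and the set of single-valued attributes is an assumption to be filled from the target AD schema.

```python
"""Pre-migration checks for moving an OpenLDAP DIT under AD schema rules.

Added example for this thread; not Samba, OpenLDAP or AD code. The LDIF
export and the schema OID tables below are constructed for illustration.
"""
import base64
from collections import defaultdict

# Constructed sample export (not a real directory). The first entry carries
# two cn values, which AD's single-valued cn would reject. The folded
# description line starts with two spaces: one is the LDIF fold marker,
# the other is a real space.
SAMPLE_LDIF = """\
# exported with ldapsearch -LLL (constructed)
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: alice
cn: Alice Example
sn: Example
description:: QWxpY2UncyBhY2NvdW50

dn: cn=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: bob
sn: Builder
description: a long description that was
  folded onto a continuation line

dn: cn=lab,ou=subnets,dc=example,dc=com
objectClass: dhcpSubnet
cn: lab
dhcpNetMask: 24
"""

# Attributes AD treats as single-valued. Only cn is named in the thread;
# extend this set from the AD schema you actually target (assumption).
SINGLE_VALUED_IN_AD = {"cn"}

# Schema element name -> OID. The AD value for dhcpSubnet is the one quoted
# in the thread; the OpenLDAP values are placeholders under the
# 2.16.840.1.113719 arc, not the real DHCP schema OIDs (assumption).
OPENLDAP_OIDS = {
    "dhcpSubnet": "2.16.840.1.113719.1.203.6.1",
    "dhcpNetMask": "2.16.840.1.113719.1.203.4.6",
}
AD_OIDS = {
    "dhcpSubnet": "1.2.840.113556.1.4.705",
    "dhcpNetMask": "2.16.840.1.113719.1.203.4.6",   # same OID: no conflict
}


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr: [values]}) tuples.

    Handles '#' comments, folded continuation lines and base64 ('::')
    values; attribute names are lower-cased so CN and cn are one attribute.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:   # fold: drop one space
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)

    entries = []
    dn, attrs = None, defaultdict(list)
    for line in logical_lines + [""]:         # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries


def find_multivalued(entries, single_valued=SINGLE_VALUED_IN_AD):
    """Return (dn, attr, values) for every attribute AD would refuse as multi-valued."""
    hits = []
    for dn, attrs in entries:
        for attr in sorted(single_valued):
            values = attrs.get(attr.lower(), [])
            if len(values) > 1:
                hits.append((dn, attr, values))
    return hits


def find_oid_conflicts(local_oids, ad_oids):
    """Return (name, local_oid, ad_oid) where both schemas define the name with different OIDs.

    These are the definitions that must be replaced by the AD ones before
    the AD schema is loaded; keeping the local OID breaks AD replication.
    """
    conflicts = []
    for name in sorted(set(local_oids) & set(ad_oids), key=str.lower):
        if local_oids[name] != ad_oids[name]:
            conflicts.append((name, local_oids[name], ad_oids[name]))
    return conflicts


def run_checks(ldif_text=SAMPLE_LDIF, local_oids=OPENLDAP_OIDS, ad_oids=AD_OIDS):
    """Run both checks; empty lists in the report mean the DIT passes."""
    entries = parse_ldif(ldif_text)
    return {
        "entries": len(entries),
        "multivalued": find_multivalued(entries),
        "oid_conflicts": find_oid_conflicts(local_oids, ad_oids),
    }


if __name__ == "__main__":
    report = run_checks()
    for dn, attr, values in report["multivalued"]:
        print("multi-valued %s on %s: %r" % (attr, dn, values))
    for name, local, ad in report["oid_conflicts"]:
        print("OID conflict for %s: OpenLDAP %s vs AD %s" % (name, local, ad))
```

Run it against a real `ldapsearch -LLL` export and the attribute and OID tables pulled from the schemas you actually have; the multi-valued hits are the entries that need a merged cn before import, and the OID conflicts are the definitions that must be dropped in favour of the AD schema rather than tweaked.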
