Samba4 and LDAP

Andrew Bartlett abartlet at samba.org
Wed Feb 13 05:20:40 MST 2013


On Tue, 2013-02-12 at 12:06 +0100, Martin Simons wrote:
> Dear All,
> 
> Jeremy Allison had an excellent presentation of Samba4 at Fosdem yesterday.
> 
> After his talk I spoke briefly to him about the interoperability between
> Samba4 and LDAP, because this seems to exist no longer. 

Thanks for taking the time to write.  We know that this area is of great
concern to administrators, and it is also a great concern to members of
the Samba team.

As background, my recent talk at the sysadmin miniconf before
linux.conf.au might help:

http://mirror.linux.org.au/linux.conf.au/2013/ogv/Samba_4.0.ogv

Also see this FAQ:

https://wiki.samba.org/index.php/Samba4/FAQ

> The only
> possibility left is dumping an LDAP database to an ldif file and then uploading
> it to the AD-compatible Samba4 server.

This is not the case.  Our 'samba-tool domain classicupgrade' tool will
import users, groups and machines from Samba domains hosted on OpenLDAP
servers.  The script is in python, and migration of other attributes
makes a lot of sense.  So far we just look for posix information like
uid/gid/homedir, but patches for other attributes are very welcome.

> The issue is towards the LDAP version that Samba4 is compatible with. As we
> know LDAP now uses the Provider Consumer model instead of the Master Slave
> model. Samba now operates on a Master Master principle, the standard of which
> is not clear to me.

Samba 4.0 as an AD DC supports (only) DRS replication following
http://msdn.microsoft.com/en-au/library/cc228086.aspx et al.

> Samba4 would have a so-called classic mode that would allow using it as a
> file server still in combination with a standardized LDAP server. This feature,
> however, needs to be tested more thoroughly, it seems; it is not proven yet.

Samba 4.0 still supports OpenLDAP as a backend, with exactly the
functionality that was present in Samba 3.6.  This is and remains fully
supported.  This is not however an AD DC.  We know this code works,
because it is this code that we use to read users from OpenLDAP when
upgrading them to the AD DC!

> The need for a Samba server that interacts is obvious, since the LDAP service
> is used by an abundant number of services that interact with it. I name a
> couple of services I personally have experience with: Zarafa mail server and
> SugarCRM.

The best I can offer you is that these tools are very much welcome to
interoperate with Samba 4.0 as an AD DC as LDAP clients, accessing and
modifying data held in Samba's LDAP server.  This integration would be
incredibly similar to any integration they already have with Microsoft's
AD. 

> I do not want to set the Samba house on fire, because it is very dear to me,
> but I feel a strong interest in having Samba interoperate with the standard
> LDAP service. I want to get involved in order to guarantee this in the long run.

I'm sorry, but an LDAP backend to the AD DC is not a viable proposition
at this point in time, as even with the addition of massive extra
resources trying to revive it would create an incredible distraction.  

The biggest issue is that a significant part of the complexity of the AD
DC turns out to be in our ldb modules.  Creating a general-purpose,
OpenLDAP backed AD DC would involve rewriting many of these modules as
OpenLDAP overlays, outside the standard Samba programming environment. 

Specific issues include the metadata required for both DRS replication
and dirsync, schema manipulation, transactions and AD-specific matching
rules. 

Finally, even if this was all done, the schema would still be the AD
schema, which removes the advantage of doing all that work in the first
place. 

I've done everything I can to leave the technical doors open for some
special case development here (I am not a vandal, and I treasure the
milestones we got to in this area), but I see no hope at this time.

> I will be in Los Angeles as of February 22nd in order to attend Scale11 and I
> am prepared to meet any of you people up to March 1st, in order to see
> whatever contribution I should make.

The best place to discuss this is on this mailing list. 

I hope I've addressed your points well enough. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
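As an added illustration of the pre-migration check the classicupgrade paragraph above implies (example code written for this page, not Samba's own tool; the LDIF content is constructed), the script below reads a slapcat-style OpenLDAP export and reports posixAccount entries lacking the posix attributes the upgrade looks for. It assumes those attributes are the standard posixAccount names uid, uidNumber, gidNumber and homeDirectory, and it uses a minimal LDIF reader of its own rather than a library.

```python
import base64
# Constructed slapcat-style export from a Samba 3 / OpenLDAP domain (made-up data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/al
 ice

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 10002
homeDirectory:: L2hvbWUvYm9i
"""
# Posix attributes the reply says classicupgrade looks for on user entries (assumed names).
POSIX_USER_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif(text):
    # Unfold continuation lines: a leading space joins to the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(name, []).append(value.strip())
        elif entry:
            entries.append(entry)
            entry = {}
    return entries

def missing_posix_attrs(entries):
    # Map each posixAccount DN to the posix attributes it lacks.
    report = {}
    for e in entries:
        if "posixAccount" in e.get("objectClass", []):
            missing = [a for a in POSIX_USER_ATTRS if a not in e]
            if missing:
                report[e["dn"][0]] = missing
    return report
```

Running `missing_posix_attrs(parse_ldif(SAMPLE_LDIF))` on the constructed export flags bob's entry for its missing gidNumber.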