OpenLDAP and Samba4

Andrew Bartlett abartlet at samba.org
Tue May 21 18:07:07 MDT 2013


On Wed, 2013-04-17 at 14:58 -0700, Howard Chu wrote:
> Hey there list, Andrew... I keep meaning to have this discussion with Andrew 
> and then it always slips by, but this time for sure.
> 
> I'll keep this short - my colleagues at Symas want to know what it will take 
> to bring OpenLDAP up to date to be usable directly by Samba as a first-class 
> recommended option, not just "yeah that should work but..." I've reviewed some 
> of the previous discussions on this topic in the archives, but I suspect some 
> of those points are now out of date.
> 
> I recall that we need to implement LDAP Transaction support, but of course 
> that's just one of many missing features. Also, are there developers on the 
> Samba team who can spend some time with us to make sure that what we write 
> actually fits with how Samba uses things?

Just looping back to the top, to fill the list in.

I've just had a great chat with Howard about his plans.  He is well
aware of the limitations, and why we didn't proceed with this.  I tried
valiantly to dissuade him, but he remains as keen as ever! :-)

The difference this time is that where before we asked for small changes
in OpenLDAP and tried to make it work as much as we could, Howard and
Symas are qualified to bring a chainsaw to the OpenLDAP side to add in
any and all hooks that an integrated solution might need.

For example, he seems open to having OpenLDAP use gensec rather than
re-implementing that via raw GSSAPI or SASL.  That saves him a bunch of
work and pain, and means any eventual system will be internally
consistent for authentication. 

I'm sure this work will require changes on the Samba side too, but we
have had this almost work once before, and Symas proposes to apply
significant qualified resources to both the Samba and OpenLDAP sides, so
there is hope. 

I still only give Howard and Symas a 50/50 chance of succeeding, but he
is incredibly keen to give this a try, and while I retain my
reservations I will do my best not to get in their way. 

(And if you feel an urge to take on this kind of challenge, I'm sure
Symas is going to need some experienced Samba/C/LDAP engineers)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



