[PATCH] Rework idmap_ad

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Apr 18 05:15:07 UTC 2016


On Mon, Apr 18, 2016 at 05:05:43PM +1200, Andrew Bartlett wrote:
> Regarding tldap, is there any chance that for example struct
> tldap_message could wrap struct ldb_message, and the error codes could
> be shared with LDB?

No.

> This would open up the re-use of the various ldb structure access and
> parsing functions we have built up over the years.

Yes, and it will also carry with it the dependency hell that ldb is,
together with API decisions that we have found to be questionable
later on.

> I'm not asking that you use the whole ldb module stack - we know the
> async elements didn't work out there, just to have the structures
> compatible.  I hope that will in future allow greater code re-use, for
> example in parsing and searching by extended DNs.

My opinion is that accessing raw ldb files everywhere is such a pending
security nightmare that we need to push ldb exactly where it belongs:
To the LDAP server and nowhere else. Everything else needs to go
through a socket, potentially even an on-demand locally forked ldap
server talking through a unix domain stream socketpair. Starting to
share with ldb will make getting there much harder.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
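The design sketched in the reply above, with the store behind a socket and an on-demand locally forked helper talking over a unix domain stream socketpair, as an added illustration that is not Samba code and is not part of the original message. The "directory" is a constructed in-memory table of hypothetical name/SID pairs standing in for the ldb file; the request and reply line formats are made up for this example. The point it shows is that the client process never opens the store: only the forked helper does, and the client sees nothing but bytes on its end of the socketpair.

```c
/* Added example (not Samba code): a client that never touches the directory
 * store itself. It forks a helper that owns the store and talks to it over a
 * unix domain stream socketpair. The store below is a constructed in-memory
 * table with hypothetical values, standing in for an ldb file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

struct entry { const char *name; const char *sid; };

/* Constructed sample data (hypothetical SIDs), only ever read by the helper. */
static const struct entry store[] = {
    { "alice", "S-1-5-21-1-2-3-1001" },
    { "bob",   "S-1-5-21-1-2-3-1002" },
};

/* Helper side: reads one request line, answers "OK <sid>\n" or "NOTFOUND\n",
 * then exits. This is the only code path that looks at `store`. */
static void serve(int fd)
{
    char req[128];
    ssize_t n = read(fd, req, sizeof(req) - 1);
    if (n <= 0) _exit(1);
    req[n] = '\0';
    char *nl = strchr(req, '\n');
    if (nl) *nl = '\0';

    const char *reply = "NOTFOUND\n";
    char buf[160];
    for (size_t i = 0; i < sizeof(store) / sizeof(store[0]); i++) {
        if (strcmp(store[i].name, req) == 0) {
            snprintf(buf, sizeof(buf), "OK %s\n", store[i].sid);
            reply = buf;
            break;
        }
    }
    (void)write(fd, reply, strlen(reply));
    _exit(0);
}

/* Client side: fork the helper on demand, send one lookup over the socketpair
 * and parse the reply. Returns 0 and fills `sid` on a hit, -1 otherwise.
 * The client holds no handle on the store, only one end of the socketpair. */
int lookup_via_helper(const char *name, char *sid, size_t sidlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);          /* helper keeps only its own end */
        serve(sv[1]);          /* never returns */
    }
    close(sv[1]);              /* client keeps only its own end */

    char req[128];
    int len = snprintf(req, sizeof(req), "%s\n", name);
    int rc = -1;
    if (len > 0 && len < (int)sizeof(req) &&
        write(sv[0], req, (size_t)len) == len) {
        char resp[160];
        ssize_t n = read(sv[0], resp, sizeof(resp) - 1);
        if (n > 0) {
            resp[n] = '\0';
            char *nl = strchr(resp, '\n');
            if (nl) *nl = '\0';
            if (strncmp(resp, "OK ", 3) == 0) {
                snprintf(sid, sidlen, "%s", resp + 3);
                rc = 0;
            }
        }
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);     /* reap the helper; it exits after one request */
    return rc;
}

int main(void)
{
    char sid[64];
    if (lookup_via_helper("alice", sid, sizeof(sid)) == 0)
        printf("alice -> %s\n", sid);
    else
        printf("alice not found\n");
    return 0;
}
```

A real deployment would keep the helper running across requests and drop it to a dedicated uid before it opens the store, but the separation that matters is already visible here: a bug in the client cannot read or corrupt the store directly, because the client process never holds a descriptor on it.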



More information about the samba-technical mailing list