OpenLDAP backend for Samba:

Nadezhda Ivanova nivanova at
Wed Jun 6 13:48:01 UTC 2018

Something I missed:
The overlays are published under GPLv3, to be fully compatible with the 
Samba licence. The only exceptions are modules like pguid.c, rdnval.c, 
and usn.c which were written before and are not part of the project. 
rdnval is now redundant and we have "fixed" the "name" attribute in the 
schema, and pguid and likely usn will be part of a larger module 
dealing with constructed attributes.


On 06/06/2018 01:41 PM, Nadezhda Ivanova via samba-technical wrote:
> Hi Team,
> with
> The current progress on Symas's OpenLDAP as a backend, or rather, on 
> LDAP server for Samba is now publicly available at 
> git at
> The code is highly experimental, some of it hasn't been tested - we have 
> only recently given up the idea of gradual replacement of Samba ldb 
> modules, which proved impossible because of their interdependence, and 
> started to test new code directly from OpenLDAP. A lot of the modules 
> are investigations into how it is possible to re-use samba libraries inside 
> OpenLDAP, mostly libcli/security.
> Currently the modules live in contrib/slapd-modules/samba4. Everything 
> is subject to change, improvement, suggestions or contributions, 
> possibly even the structure of the modules themselves.
> I realize they should have been a subject of a talk at the SambaXP, but 
> I wasn't able to submit one during the call for papers, so maybe next year.
> As you can see, we have been experimenting with things like loading the 
> AD schema in OpenLDAP during Samba provisioning, which means we can drop 
> object class and attributes mapping, with SD creation and access checks, 
> the creation of some attributes like objectGuid and ObjectSID, etc.
> The way we used to work until recently is - provision Samba with the 
> legacy OpenLDAP backend, then enable the overlay being tested, start 
> OpenLDAP and execute some requests. This, however, is no longer possible 
> as the legacy OpenLDAP backend has been completely broken for a while 
> now, and we will need to reconsider the possible way Samba would 
> communicate with OpenLDAP.
> We have a Samba repository with very old Samba code that we still use. 
> It has some patches, but to this point not a lot of changes have been 
> made to Samba itself. Mostly we needed the libcli/security library to be 
> public, and some changes have been made to the provisioning script. None 
> of these have been proposed to the list, as they are just a working 
> version for now and not a final one.
> The repository in question is this:
> git at
> I am at SambaXP until Friday morning if you'd like to ask me something, 
> or just write, although I may be out of contact occasionally next week.
> Best Regards,
> Nadya
