OpenLDAP backend for Samba:

Andrew Bartlett abartlet at samba.org
Mon Apr 1 23:11:23 UTC 2019


G'Day Nadezhda,

Thanks for getting back to me.

I think this deserves a good chat at SambaXP and a look over the new
code.  I checked the git repo but it still seems to describe the old
approach that this code would be needed for, so I won't rip it out
until we can check what is still needed in the new approach.

There wasn't a pressing need, I just started to investigate the
complexity of the partitions code in support of this and decided to see
what a cleanup would look like.

Of course if you do publish the new approach in the meantime I think we
can wipe out some of the OpenLDAP backend specific modules pretty fast,
like exended_dn_openldap (I'm assuming you will be doing that stuff
on the slapd side).

Thanks!

Andrew Bartlett

On Thu, 2019-03-28 at 18:22 +0200, Nadezhda Ivanova wrote:
> Hi Andrew,
> 
> I just realized my answer is a bit unclear. What I mean is, if you
> haven't already, you can remove all this if it interferes with your
> work. In any case, by the time we have a patch proposal, things will
> probably look so different that it may be easier to re-submit them as
> a new patch, rather than as a modification to the current structure.
> In the meantime, we will work with a release that still has what we
> need.
> 
> 
> Regards,
> 
> Nadya
> 
> On 28/03/2019 15:22, Nadezhda Ivanova via samba-technical wrote:
> > 
> > Hi Andrew,
> > 
> > Apologies for the late reply, I was dealing with some health issues
> > and some non-samba related work.
> > 
> > We fully expect to be making progress in the future, in fact, another
> > Symas employee will be joining me in the project soon. He will be
> > coming to SambaXP, so if you are there, you will have the chance to
> > meet him.
> > 
> > We expect we will definitely need the OpenLDAP capabilities in
> > self-test, in fact, we count on being able to eventually run them.
> > However, if they interfere or complicate the current code, maybe it's
> > best to remove them for now - it is possible that any OpenLDAP related
> > code in Samba will need to be changed anyway, before we get to a
> > version that works with a contemporary release. We will add them back
> > in, in compliance with the new structure, when needed.
> > 
> > It would be convenient for us, if for the time being you do not yet
> > remove the openldap backend, even though it's broken. We may end up
> > re-writing a lot of it, but we still need it as it is at the moment.
> > 
> > Regards,
> > 
> > Nadya
> > 
> > On 12/03/2019 01:04, Andrew Bartlett wrote:
> > > 
> > > G'Day Nadezhda,
> > > 
> > > I'm just wondering what the status of this is, and if you expect to
> > > be making further progress on this in the near future?
> > > 
> > > From your description below it seems that much of the infrastructure
> > > that was used for the previous OpenLDAP backend really isn't relevant
> > > any more.
> > > 
> > > As you can see from my WIP patch set here:
> > > https://gitlab.com/samba-team/samba/merge_requests/292
> > > https://gitlab.com/samba-team/samba/merge_requests/292.patch
> > > we can remove quite a bit of complexity if your work doesn't or isn't
> > > likely to need it.
> > > 
> > > I don't mind keeping this if it will be useful, so it would be great
> > > to get an update on your efforts and chat this over sometime.
> > > 
> > > Thanks!
> > > 
> > > Andrew Bartlett
> > > 
> > > On Wed, 2018-06-06 at 15:48 +0200, Nadezhda Ivanova via
> > > samba-technical wrote:
> > > > 
> > > > Something I missed:
> > > > The overlays are published under GPLv3, to be fully compatible with
> > > > the Samba licence. The only exceptions are modules like pguid.c,
> > > > rdnval.c, and usn.c which were written before and are not part of
> > > > the project. rdnval is now redundant and we have "fixed" the "name"
> > > > attribute in the schema, and pguid and likely usn will be part of a
> > > > larger module dealing with constructed attributes.
> > > > 
> > > > Regards,
> > > > Nadya
> > > > 
> > > > 
> > > > On 06/06/2018 01:41 PM, Nadezhda Ivanova via samba-technical wrote:
> > > > > 
> > > > > Hi Team,
> > > > > with
> > > > > The current progress on Symas's OpenLDAP as a backend, or
> > > > > rather, on
> > > > > LDAP server for Samba is now publicly available at
> > > > > git at github.com:Symas/samba_overlays.git
> > > > > 
> > > > > The code is highly experimental, some of it hasn't been tested - we
> > > > > have only recently given up the idea of gradual replacement of Samba
> > > > > ldb modules, which proved impossible because of their
> > > > > interdependence, and started to test new code directly from OpenLDAP.
> > > > > A lot of the modules are investigation on how it is possible to
> > > > > re-use samba libraries inside OpenLDAP, mostly libcli/security.
> > > > > 
> > > > > Currently the modules live in contrib/slapd-modules/samba4.
> > > > > Everything is subject to change, improvement, suggestions or
> > > > > contributions, possibly even the structure of the modules themselves.
> > > > > 
> > > > > I realize they should have been a subject of a talk at the SambaXP,
> > > > > but I wasn't able to submit one during the call for papers, so maybe
> > > > > next year.
> > > > > 
> > > > > As you can see, we have been experimenting with things like loading
> > > > > the AD schema in OpenLDAP during Samba provisioning, which means we
> > > > > can drop object class and attributes mapping, with SD creation and
> > > > > access checks, the creation of some attributes like objectGuid and
> > > > > ObjectSID, etc.
> > > > > 
> > > > > The way we used to work until recently is - provision Samba with the
> > > > > legacy OpenLDAP backend, then enable the overlay being tested, start
> > > > > OpenLDAP and execute some requests. This, however, is no longer
> > > > > possible as the legacy OpenLDAP backend has been completely broken
> > > > > for a while now, and we will need to reconsider the possible way
> > > > > Samba would communicate with OpenLDAP.
> > > > > 
> > > > > We have a Samba repository with very old Samba code that we still
> > > > > use. It has some patches, but to this point not a lot of changes have
> > > > > been made to Samba itself. Mostly we needed the libcli/security
> > > > > library to be public, and some changes have been made to the
> > > > > provisioning script. None of these have been proposed to the list, as
> > > > > they are just a working version for now and not a final one.
> > > > > The repository in question is this:
> > > > > git at github.com:Symas/samba.git
> > > > > 
> > > > > 
> > > > > I am at SambaXP until Friday morning if you'd like to ask me
> > > > > something, or just write, although I may be out of contact
> > > > > occasionally next week.
> > > > > 
> > > > > Best Regards,
> > > > > Nadya
> > > > > 
> > > > > 
> > > > > 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





