Using Samba to test OpenLDAP's dirsync client implementation

Nadezhda Ivanova nivanova at
Thu Jan 3 17:36:30 UTC 2019

Hi Team,
Recently, Howard Chu implemented a replication consumer for slapd 
against Active Directory, based on the dirsync control, which can 
currently replicate users and groups.
If you are curious, it is in the master openldap branch at 

It has no bearing on the Samba/OpenLDAP project, it is an independent 

We want to setup a test environment for it, and we are thinking of using 
Samba domain controllers rather than AD as a test setup.

So, with that in mind, how close is Samba's implementation to that of 
AD? Are there any known differences and bugs that we should know about?
Most importantly, how does Samba handle some things that are not 
well-defined or seem ambiguous in the MS Documentation?

For example, if we are in the middle of retrieving incremental changes 
from one DC in the domain and it becomes unresponsive, in AD we can use 
the cookie received from one DC to poll another in the same domain, with 
unpredictable results (it is possible to return entries that have 
already been sent, for example, or even do a full sync). Does Samba 
behave the same way?

Also, how does Samba operate when a single-valued attribute has been 
deleted from an entry? AD seems to return the same entry without any 
noticeable changes, which makes it impossible to detect which attribute 
has been removed. I looked at but didn't see a test for that 
scenario, perhaps it is somewhere else?

Best Regards,

Nadezhda Ivanova

Software Engineer
Symas Corporation

More information about the samba-technical mailing list