OpenLDAP backend for Samba:

Andrew Bartlett abartlet at
Mon Mar 11 23:04:35 UTC 2019

G'Day Nadezhda,

I'm just wondering what the status of this is, and if you expect to be
making further progress on this in the near future?

From your description below it seems that much of the infrastructure
that was used for the previous OpenLDAP backend really isn't relevant
any more. 

As you can see from my WIP patch set here:
we can remove quite a bit of complexity if your work doesn't or isn't
likely to need it.

I don't mind keeping this if it will be useful, so it would be great to
get an update on your efforts and chat this over sometime.


Andrew Bartlett

On Wed, 2018-06-06 at 15:48 +0200, Nadezhda Ivanova via samba-technical wrote:
> Something I missed:
> The overlays are published under GPLv3, to be fully compatible with the 
> Samba licence. The only exceptions are modules like pguid.c, rdnval.c, 
> and usn.c which were written before and are not part of the project. 
> rdnval is now redundant and we have "fixed" the "name" attribute in the 
> schema,  and pguid and likely usn will be part of a larger module 
> dealing with constructed attributes.
> Regards,
> Nadya
> On 06/06/2018 01:41 PM, Nadezhda Ivanova via samba-technical wrote:
> > Hi Team,
> > with
> > The current progress on Symas's OpenLDAP as a backend, or rather, on 
> > LDAP server for Samba is now publicly available at 
> > git at
> > 
> > The code is highly experimental, some of it hasn't been tested - we have 
> > only recently given up the idea of gradual replacement of Samba ldb 
> > modules, which proved impossible because of their interdependence, and 
> > started to test new code directly from OpenLDAP. A lot of the modules 
> > are investigation on how it is possible to re-use samba libraries inside 
> > OpenLDAP, mostly libcli/security.
> > 
> > Currently the modules live in contrib/slapd-modules/samba4. Everything 
> > is subject to change, improvement, suggestions or contributions, 
> > possibly even the structure of the modules themselves.
> > 
> > I realize they should have been a subject of a talk at the SambaXP, but 
> > I wasn't able to submit one during the call for papers, so maybe next year.
> > 
> > As you can see, we have been experimenting with things like loading the 
> > AD schema in OpenLDAP during Samba provisioning, which means we can drop 
> > object class and attributes mapping, with SD creation and access checks, 
> > the creation of some attributes like objectGuid and ObjectSID, etc.
> > 
> > The way we used to work until recently is - provision Samba with the 
> > legacy OpenLDAP backend, then enable the overlay being tested, start 
> > OpenLDAP and execute some requests. This, however, is no longer possible 
> > as the legacy OpenLDAP backend has been completely broken for a while 
> > now, and we will need to reconsider the possible way Samba would 
> > communicate with OpenLDAP.
> > 
> > We have a Samba repository with very old Samba code that we still use. 
> > It has some patches, but to this point not a lot of changes have been 
> > made to Samba itself. Mostly we needed the libcli/security library to be 
> > public, and some changes have been made to the provisioning script. None 
> > of these have been proposed to the list, as they are just a working 
> > version for now and not a final one.
> > The repository in question is this:
> > git at
> > 
> > 
> > I am at SambaXP until Friday morning if you'd like to ask me something, 
> > or just write, although I may be out of contact occasionally next week.
> > 
> > Best Regards,
> > Nadya
> > 
> > 
> > 
Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
