OpenLDAP backend for Samba:

Nadezhda Ivanova nivanova at
Thu Mar 28 13:22:44 UTC 2019

Hi Andrew,

Apologies for the late reply, I was dealing with some health issues and 
some non-samba related work.

We fully expect to be making progress in the future, in fact, another 
Symas employee will be joining me in the project soon. He will be coming 
to SambaXP, so if you are there, you will have the chance to meet him.

We expect we will definitely need the OpenLDAP capabilities in 
self-test, in fact, we count on being able to eventually run them. 
However, if they interfere or complicate the current code, maybe it's 
best to remove them for now - it is possible that any OpenLDAP related 
code in Samba will need to be changed anyway, before we get to a version 
that works with a contemporary release. We will add them back in, in 
compliance with the new structure, when needed.

It would be convenient for us, if for the time being you do not yet 
remove the openldap backend, even though it's broken. We may end up 
re-writing a lot of it, but we still need it as it is at the moment.



On 12/03/2019 01:04, Andrew Bartlett wrote:
> G'Day Nadezhda,
> I'm just wondering what the status of this is, and if you expect to be
> making further progress on this in the near future?
>  From your description below it seems that much of the infrastructure
> that was used for the previous OpenLDAP backend really isn't relevant
> any more.
> As you can see from my WIP patch set here:
> we can remove quite a bit of complexity if your work doesn't or isn't
> likely to need it.
> I don't mind keeping this if it will be useful, so it would be great to
> get an update on your efforts and chat this over sometime.
> Thanks!
> Andrew Bartlett
> On Wed, 2018-06-06 at 15:48 +0200, Nadezhda Ivanova via samba-technical
> wrote:
>> Something I missed:
>> The overlays are published under GPLv3, to be fully compatible with the
>> Samba licence. The only exceptions are modules like pguid.c, rdnval.c,
>> and usn.c which were written before and are not part of the project.
>> rdnval is now redundant and we have "fixed" the "name" attribute in the
>> schema,  and pguid and likely usn will be part of a larger module
>> dealing with constructed attributes.
>> Regards,
>> Nadya
>> On 06/06/2018 01:41 PM, Nadezhda Ivanova via samba-technical wrote:
>>> Hi Team,
>>> with
>>> The current progress on Symas's OpenLDAP as a backend, or rather, on
>>> LDAP server for Samba is now publicly available at
>>> git at
>>> The code is highly experimental, some of it hasn't been tested - we have
>>> only recently given up the idea of gradual replacement of Samba ldb
>>> modules, which proved impossible because of their interdependence, and
>>> started to test new code directly from OpenLDAP. A lot of the modules
>>> are investigation on how it is possible to re-use samba libraries inside
>>> OpenLDAP, mostly libcli/security.
>>> Currently the modules live in contrib/slapd-modules/samba4. Everything
>>> is subject to change, improvement, suggestions or contributions,
>>> possible even the structure of the modules themselves.
>>> I realize they should have been a subject of a talk at the SambaXP, but
>>> I wasn't able to submit one during the call for papers, so maybe next year.
>>> As you can see, we have been experimenting with things like loading the
>>> AD schema in OpenLDAP during Samba provisioning, which means we can drop
>>> object class and attributes mapping, with SD creation and access checks,
>>> the creation of some attributes like objectGuid and ObjectSID, etc.
>>> Thw way we used to work until recently is - provision Samba with the
>>> legacy OpenLDAP backend, then enable the overlay being tested, start
>>> OpenLDAP and execute some requests. This, however, is no longer possible
>>> as the legacy OpenLDAP backend has been completely broken for a while
>>> now, and we will need to reconcider the possible way Samba would
>>> communicate with OpenLDAP.
>>> We have a Samba repository with very old Samba code that we still use.
>>> It has some patches, but ti this point not a lot of changes have been
>>> made to Samba itself. Mostly we needed the libcli/security library to be
>>> public, and some changes have been made to the provisioning script. None
>>> of these have been proposed to the list, as they are just a working
>>> version for now and not a final one.
>>> The repository in question is this:
>>> git at
>>> I am at SambaXP until Friday morning if you'd like to ask me something,
>>> or just write, although I may be out of contact occasionally next week.
>>> Best Regards,
>>> Nadya

More information about the samba-technical mailing list