OpenLDAP backend for Samba:

Nadezhda Ivanova nivanova at
Thu Mar 28 16:22:18 UTC 2019

Hi Andrew,

I just realized my answer is a bit unclear. What I mean is, if you 
haven't already, you can remove all this if it interferes with your 
work. In any case, by the time we have a patch proposal, things will 
probably look so different that it may be easier to re-submit them as a 
new patch, rather than as a modification to the current structure. In 
the meantime, we will work with a release that still has what we need.



On 28/03/2019 15:22, Nadezhda Ivanova via samba-technical wrote:
> Hi Andrew,
> Apologies for the late reply, I was dealing with some health issues 
> and some non-samba related work.
> We fully expect to be making progress in the future, in fact, another 
> Symas employee will be joining me in the project soon. He will be 
> coming to SambaXP, so if you are there, you will have the chance to 
> meet him.
> We expect we will definitely need the OpenLDAP capabilities in 
> self-test, in fact, we count on being able to eventually run them. 
> However, if they interfere or complicate the current code, maybe it's 
> best to remove them for now - it is possible that any OpenLDAP related 
> code in Samba will need to be changed anyway, before we get to a 
> version that works with a contemporary release. We will add them back 
> in, in compliance with the new structure, when needed.
> It would be convenient for us, if for the time being you do not yet 
> remove the openldap backend, even though it's broken. We may end up 
> re-writing a lot of it, but we still need it as it is at the moment.
> Regards,
> Nadya
> On 12/03/2019 01:04, Andrew Bartlett wrote:
>> G'Day Nadezhda,
>> I'm just wondering what the status of this is, and if you expect to be
>> making further progress on this in the near future?
>> From your description below it seems that much of the infrastructure
>> that was used for the previous OpenLDAP backend really isn't relevant
>> any more.
>> As you can see from my WIP patch set here:
>> we can remove quite a bit of complexity if your work doesn't or isn't
>> likely to need it.
>> I don't mind keeping this if it will be useful, so it would be great to
>> get an update on your efforts and chat this over sometime.
>> Thanks!
>> Andrew Bartlett
>> On Wed, 2018-06-06 at 15:48 +0200, Nadezhda Ivanova via samba-technical
>> wrote:
>>> Something I missed:
>>> The overlays are published under GPLv3, to be fully compatible with the
>>> Samba licence. The only exceptions are modules like pguid.c, rdnval.c,
>>> and usn.c which were written before and are not part of the project.
>>> rdnval is now redundant and we have "fixed" the "name" attribute in the
>>> schema, and pguid and likely usn will be part of a larger module
>>> dealing with constructed attributes.
>>> Regards,
>>> Nadya
>>> On 06/06/2018 01:41 PM, Nadezhda Ivanova via samba-technical wrote:
>>>> Hi Team,
>>>> with
>>>> The current progress on Symas's OpenLDAP as a backend, or rather, on
>>>> LDAP server for Samba is now publicly available at
>>>> git at
>>>> The code is highly experimental, some of it hasn't been tested - we have
>>>> only recently given up the idea of gradual replacement of Samba ldb
>>>> modules, which proved impossible because of their interdependence, and
>>>> started to test new code directly from OpenLDAP. A lot of the modules
>>>> are investigation on how it is possible to re-use samba libraries inside
>>>> OpenLDAP, mostly libcli/security.
>>>> Currently the modules live in contrib/slapd-modules/samba4. Everything
>>>> is subject to change, improvement, suggestions or contributions,
>>>> possibly even the structure of the modules themselves.
>>>> I realize they should have been a subject of a talk at the SambaXP, but
>>>> I wasn't able to submit one during the call for papers, so maybe next year.
>>>> As you can see, we have been experimenting with things like loading the
>>>> AD schema in OpenLDAP during Samba provisioning, which means we can drop
>>>> object class and attributes mapping, with SD creation and access checks,
>>>> the creation of some attributes like objectGuid and ObjectSID, etc.
>>>> The way we used to work until recently is - provision Samba with the
>>>> legacy OpenLDAP backend, then enable the overlay being tested, start
>>>> OpenLDAP and execute some requests. This, however, is no longer possible
>>>> as the legacy OpenLDAP backend has been completely broken for a while
>>>> now, and we will need to reconsider the possible way Samba would
>>>> communicate with OpenLDAP.
>>>> We have a Samba repository with very old Samba code that we still use.
>>>> It has some patches, but to this point not a lot of changes have been
>>>> made to Samba itself. Mostly we needed the libcli/security library to be
>>>> public, and some changes have been made to the provisioning script. None
>>>> of these have been proposed to the list, as they are just a working
>>>> version for now and not a final one.
>>>> The repository in question is this:
>>>> git at
>>>> I am at SambaXP until Friday morning if you'd like to ask me something,
>>>> or just write, although I may be out of contact occasionally next week.
>>>> Best Regards,
>>>> Nadya
