[Samba] samba4 openldap

Geoff Scott geoffs at guestshire.com
Tue May 24 01:35:58 GMT 2005

Sorry for the cross-posting, but I think it's important that the Openexchange
guys see this.

Tony Earnshaw wrote:
> Mon, 23.05.2005 at 17:50, Caleb O'Connell wrote:
>> Is there a chance, however, that you can just choose a different datastore
>> in the config file, so you can choose to use the built-in
>> ldap or to just use an openLDAP datastore?  The ldap scheme I
>> imagine would stay the same, just the database itself and the ldap
>> program itself, ldb, that samba4 is going to be using.  I was just
>> curious for obvious reasons.
> There won't be a schema any more. During the weekend I googled for
> Samba4 docs and subscribed to the techie list. What came up was
> enough to ensure that I'll keep my mouth shut about Samba4 and LDAP
> until they're there.

> There will basically probably be a complete LDAP and total database
> rethink (keyword is "ldb"). Unless people are *very* familiar with
> OpenLDAP's (2.2 and 2.3) meta backend and proxy concepts, unless the
> Samba crew is willing to do it all for one, one'd better forget
> everything one ever learned about integrating Samba and any present
> OpenLDAP DSE. 

This leaves me very worried as a sysadmin for a small company.  I will
explain why further down.

> So either go out digging for docs to find out what is going to
> overwhelm you, or lie back and be prepared to let it do so ;) 

I've dug for docs.  I found Tridge's recent thoughts on Samba4 in his
personal section on the samba site a couple of weeks ago.  To people
of the lay class, such as myself, it doesn't explain much about whether
there is going to be some sort of ldap schema translation.  It's all, as
abartlett says in recent posts, "I hope", "I think", "maybe", which is very

I've read 2/3 Linux journals where JRA has said, IIRC, that one of the key
reasons companies don't adopt samba is due to the corporate reliance on MS
Exchange.  So for years I have been searching for something that will
replace it.  The 2 projects that come close to completely replacing MS
Exchange are opengroupware.org and openexchange.  Both of these projects
have a reliance on their own LDAP schemas and POSIX account attributes.  I
personally chose to use openexchange due to the storage of personal & public
addressbooks in LDAP.  (which naturally allows plenty of other applications
to use them, rather than as OGO does putting them in a "proper" db backend,
and yes I know that a very competent sysadmin can expose that db through
LDAP.)  After having read Adam Tauno Williams' docs on it, I don't want to go

Now I have hacked the smbldap-tools to allow me to vampire over an old
Windows NT domain with all of the users having openexchange attributes added
to them in ldap automatically.  I did this last night and basically the
implementation looks fine.  So in a week I will start to migrate email
accounts over and smarthost the system for the old exchange server and the users
still on it.  But I will only go ahead if there is going to be a way to
keep the integration between these 2 projects going.

So please can those on this list tell me with any great detail what will
happen with Samba4 and LDAP schemas?

Either I jettison this implementation and switch to MS 2003 with Exchange,
or other projects find a way to integrate with what the Samba team is doing,
or the Samba team finds a way to maintain some sort of compatibility with
other FOSS projects using openldap.

The only reason I ask is that I would still like to have a job in a year or
2.  I don't want to go down the samba / openexchange road and then get
sacked / told to move everything back to Microsoft products by my bosses
because the integrated solution that was a very close fit to a Windows
domain with MS Exchange doesn't work anymore.

Regards, Geoff Scott

Please find below what a typical user ends up with in LDAP for their user
account and private address book:

dn: uid=gfhoffice,ou=Users,ou=OxObjects,dc=guestsfurniturehire,dc=com,dc=au
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: OXUserObject
objectClass: person
objectClass: sambaSamAccount
cn: gfhoffice
sn: gfhoffice
uid: gfhoffice
uidNumber: 2041
gidNumber: 513
homeDirectory: /home/gfhoffice
loginShell: /bin/bash
gecos: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: 528ef8f0-5fa7-1029-95d2-aae0cf82c0df
cn=Manager,ou=Users,ou=OxObjects,dc=guestsfurniturehire,dc=com,dc=au
createTimestamp: 20050523072336Z
givenName: gfhoffice
shadowMin: 0
shadowMax: 9999
shadowWarning: 7
shadowExpire: 0
mail: snip at guestshire.com
mailDomain: guest----shire.com
preferredLanguage: EN
OXAppointmentDays: 9
OXGroupID: 500
OXTaskDays: 9
OXTimeZone: Australia/Sydney
o: Guests Furniture Hire
userCountry: Australia
mailEnabled: OK
lnetMailAccess: TRUE
sambaSID: S-1-5-21-snip2-1363
sambaPrimaryGroupSID: S-1-5-21-snip-513
displayName: GFHoffice
description: Head Office - disabled
sambaLMPassword: snip
sambaNTPassword: snip
sambaPwdLastSet: 1116833017
sambaAcctFlags: [DU         ]
entryCSN: 20050523072337Z#000001#00#000000
modifyTimestamp: 20050523072337Z

objectClass: top
objectClass: organizationalUnit
ou: addr
structuralObjectClass: organizationalUnit
entryUUID: 52950c22-5fa7-1029-95d3-aae0cf82c0df
createTimestamp: 20050523072336Z
entryCSN: 20050523072336Z#00000b#00#000000
modifyTimestamp: 20050523072336Z
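As an added example (not from the post, Samba or Open-Xchange), a small Python check over an LDIF entry shaped like the user above: it parses the entry, verifies that the MUST attributes of the posixAccount and sambaSamAccount classes the migration relies on are all present, and decodes sambaAcctFlags (here [DU], marking the account disabled, which matches the description). The sample entry is constructed with a placeholder SID, and the required-attribute sets are taken from the NIS and Samba schemas.

```python
import base64

# Constructed LDIF fragment modelled on the user entry quoted in the post;
# the SID is a placeholder because it was snipped in the original.
SAMPLE_LDIF = """\
dn: uid=gfhoffice,ou=Users,ou=OxObjects,dc=example,dc=com
objectClass: posixAccount
objectClass: OXUserObject
objectClass: sambaSamAccount
cn: gfhoffice
uid: gfhoffice
uidNumber: 2041
gidNumber: 513
homeDirectory: /home/gfhoffice
userPassword:: e2NyeXB0fXg=
sambaSID: S-1-5-21-PLACEHOLDER-1363
sambaAcctFlags: [DU         ]
"""

# MUST attributes of the two schemas the migration depends on (NIS and samba.schema).
REQUIRED = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "sambaSamAccount": {"uid", "sambaSID"},
}
FLAG_NAMES = {"D": "disabled", "U": "normal user", "N": "no password required",
              "X": "password never expires", "W": "workstation trust", "L": "locked out"}

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; '::' marks base64 values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value, e.g. userPassword
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
    return entry

def missing_required(entry):
    """Return {objectClass: missing MUST attributes} for the classes the entry claims."""
    present = set(entry)
    return {oc: sorted(REQUIRED[oc] - present)
            for oc in entry.get("objectClass", []) if oc in REQUIRED and REQUIRED[oc] - present}

def account_flags(entry):
    """Decode the bracketed sambaAcctFlags string into {letter: meaning}."""
    raw = entry.get("sambaAcctFlags", ["[]"])[0].strip("[] ")
    return {c: FLAG_NAMES.get(c, "unknown") for c in raw}
```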
