[Samba] LDAP with Samba4

Adi Kriegisch adi at cg.tuwien.ac.at
Tue Mar 10 04:10:30 MDT 2015


Thank you for your answers!

> >A full-blown OpenLDAP server is able to do replication.
> >The advantage of this is that servers/services may run without having
> >access to the master OpenLDAP server and there is more: using decent crypto
> >settings for the connection slows down lookups; another reason for using
> >LDAP on localhost (or even better ldapi).
> AD does replication and if required, you can run openldap on the
> same machine as AD, but you cannot run it on ports 389 & 686.
I doubt AD replication will scale to 50+ machines easily and I am not sure
I want the full AD stack on all of those machines.
The OpenLDAP is "just" acting as a proxy which means it cannot do
replication on its own.
> >>I believe that there is (or is that was?) some work going on to try
> >>and make a samba4 AD DC use Openldap instead of the built ldap, but
> >>it seems to have gone quiet on that front lately.
> >Too bad. Do others then manually sync accounts between OpenLDAP and
> >Samba/AD? Is there an interface that (kind of) streams out LDIF-Changesets?
> >Is there a way to get plain LDIF out of Samba/AD?
> I cannot speak for other users, but I am sure that somebody is doing
> what you want to do, but I also think most people will be using AD
> just for authentication. You can extract LDIFs from AD, but they are
> not exactly like Openldap ones.
Would be great to hear of one of those! :)
Are those LDIFs rather full tree dumps or incrementals? Or in other words:
would I be required to parse the full AD tree and implement some kind of
syncing or is it possible to get just the changes?

Thanks for your help!

-- Adi
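The full-dump-versus-incremental question raised above, as an added example that is not part of this thread, of Samba or of OpenLDAP: a small Python script that parses two LDIF content dumps (what a full-tree export produces) and emits LDIF change records (changetype add/delete/modify) for the difference, so that a periodic full dump can be turned into an incremental changeset when no changelog is available. The sample dumps and DNs are constructed; attribute names and value order are compared literally (AD treats attribute names as case-insensitive), which is a simplification.

```python
import base64
# Constructed sample: two full-tree LDIF exports of the same container, taken at different times.
OLD_DUMP = """dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
mail: alice@example.com
objectGUID:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
"""
NEW_DUMP = OLD_DUMP.replace("alice@example.com", "alice@corp.example.com").replace("bob", "carol")

def parse_ldif(text):
    """Parse an LDIF content dump into {dn: {attr: [values as bytes]}}."""
    entries, cur = {}, {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold RFC 2849 continuations; "" flushes
        if line and not line.startswith("#"):
            attr, _, rest = line.partition(":")
            # "attr:: <base64>" carries binary values such as objectGUID/objectSid in AD dumps
            val = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip().encode()
            cur.setdefault(attr, []).append(val)
        elif not line and cur:                    # blank line ends an entry
            entries[cur.pop("dn")[0].decode()] = cur
            cur = {}
    return entries

def fmt(attr, value):
    """Render 'attr: v' when the value is LDIF-safe, else 'attr:: <base64>' (binary stays intact)."""
    text = value.decode() if value.isascii() else ""
    if text and text.isprintable() and text[0] not in " :<" and not text.endswith(" "):
        return f"{attr}: {text}"
    return f"{attr}:: {base64.b64encode(value).decode()}"

def ldif_changes(old_dump, new_dump):
    """Emit LDIF change records (changetype add/delete/modify) that turn old_dump into new_dump."""
    old, new, out = parse_ldif(old_dump), parse_ldif(new_dump), []
    for dn in sorted(old.keys() - new.keys()):
        out.append(f"dn: {dn}\nchangetype: delete\n")
    for dn in sorted(new.keys() - old.keys()):
        body = [fmt(a, v) for a, vals in sorted(new[dn].items()) for v in vals]
        out.append("\n".join([f"dn: {dn}", "changetype: add"] + body) + "\n")
    for dn in sorted(old.keys() & new.keys()):
        mods = []
        for attr in sorted(set(old[dn]) | set(new[dn])):
            if old[dn].get(attr) != new[dn].get(attr):  # attribute added, removed or changed
                vals = [fmt(attr, v) for v in new[dn].get(attr, [])]
                mods.append("\n".join([f"{'replace' if vals else 'delete'}: {attr}"] + vals + ["-"]))
        if mods:
            out.append("\n".join([f"dn: {dn}", "changetype: modify"] + mods) + "\n")
    return "\n".join(out)
```

Feeding the output to ldapmodify against the OpenLDAP copy applies the delta; the printed records for the sample are a delete for bob, an add for carol and a replace of alice's mail attribute.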