[Samba] Samba AD DC: Keeping LDAP content in VCS

Andrew Bartlett abartlet at samba.org
Sun Jul 25 17:44:43 UTC 2021 

On Sun, 2021-07-25 at 13:10 +0200, Lorenz Schori via samba wrote:
> Hi,
> 
> I am unable to find a simple tool which fulfils the following
> requirement:
> 
> 	As a directory administrator, I'd like to maintain the
> 	structure of a LDAP directory (Groups / OUs) over time using
> 	flat files checked into a VCS (version control system).
> 
> What I'm looking for is basically the equivalent of database schema
> migrations[1] as implemented in many OSS web frameworks but for LDAP
> (E.g., Rails: rake db:migrate, Django: django-admin migrate, etc.).
> 
> In a very basic implementation such a tool would take a directory
> full
> of ldif files named according to the following scheme:
> YYYY-MM-DD-NNN-whatever-{UP,DOWN}.ldif (where NNN is a serial and UP
> or
> DOWN denote whether the file should be applied when installing and
> removing a migration respectively). When run the tool would check the
> last version applied to the LDAP directory. After that it figures out
> which migrations need to be applied and then runs ldapmodify once for
> each file in the proper sequence.
> 
> If you know such a tool, then please point me towards it.

Thanks for your question Lorenz,

This - proper VCS-style change control - really is a big gap in LDAP
and AD world.  Sadly these directories and the whole structure came
around about a decade later.

We saw this most spectacularly in OpenLDAP which finished the march to
in-directory configuration (which was considered a really good idea in
the early 2000s) just as Puppet et al arrived in the early 2010s.

This means we don't record who changes what and why, and because the
administrative and the user interfaces are the same - delineated only
by ACLs - can't really either.  Which is a real pity!

But while it would be a massive task, Samba is free software and in
this increasingly dangerous world a verifiable log of changes would be
an incredible unique-to-Samba feature.  Not something I can suggest is
suddenly on anybody's funded roadmap, but I for one would gladly assist
anybody who wanted to make an attempt.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

More information about the samba mailing list