[IPA] Samba storing extended DN in Fedora DS

Andrew Bartlett abartlet at samba.org
Fri Oct 2 16:43:37 MDT 2009


On Fri, 2009-10-02 at 14:58 -0600, Rich Megginson wrote:
> Andrew Bartlett wrote:
> > On Fri, 2009-10-02 at 15:50 -0400, Endi Sukma Dewata wrote:
> >   
> >> The problem doesn't happen with the default TDB backend. The problem also
> >> doesn't happen with OpenLDAP backend because OpenLDAP doesn't use this
> >> module.
> >>
> >> What should be the right behavior? Can a backlink work with just a
> >> regular DN? Should the linked_attributes be modified to use a regular DN?
> >> Or should the syntax be changed to something else? Thanks!
> >>     
> >
> > This is why linked attributes are a required feature for a good LDAP
> > backend.  If you implement these correctly in the backend, then we won't
> > need to load this module.  Similarly, if you implement the 'dereference'
> > control, then you don't need to store an extended DN at all - you make
> > it up at runtime.
> >
> > (You may also determine it profitable to store extended DNs in your
> > backend, for the same performance and possibly correctness reasons that
> > Samba does - avoiding looking them up at runtime, but that's a separate
> > detail).
> >
> > In the short term, I think, Fedora DS should try to emulate OpenLDAP's
> > current behaviour as closely as possible. (Which is why both have been
> > on a TODO for Fedora DS for a while).
> >   
> The current 389 (Fedora DS) 1.2.2 and later does implement the 
> dereference control, and I believe it works the same way as the OpenLDAP 
> implementation.

Great.  So the main task would be to change the "fedora-ds" code in
provision to select a more similar module stack to "openldap".  

(Sorry to have to call it Fedora DS still, but trying to explain why
Samba4, implementing LDAP on port 389, uses '389' as a backing store is
just too confusing.)

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.