Using Samba to test OpenLDAP's dirsync client implementation

Garming Sam garming at catalyst.net.nz
Mon Jan 14 02:27:28 UTC 2019


Hi Nadya,

On 4/01/19 6:36 AM, Nadezhda Ivanova via samba-technical wrote:
> Recently, Howard Chu implemented a replication consumer for slapd
> against Active Directory, based on the dirsync control, which can
> currently replicate users and groups.
> If you are curious, it is in the master openldap branch at
> git://git.openldap.org/openldap.git

So you mean it's specifically a mechanism of synchronizing users and
groups from an AD DC to OpenLDAP?

>
> It has no bearing on the Samba/OpenLDAP project, it is an independent
> feature.
>
> We want to setup a test environment for it, and we are thinking of
> using Samba domain controllers rather than AD as a test setup.
>
> So, with that in mind, how close is Samba's implementation to that of
> AD? Are there any known differences and bugs that we should know about?
> Most importantly, how does Samba handle some things that are not
> well-defined or seem ambiguous in the MS Documentation?

The last time the core logic was worked on was 2012-2013 I think. Maybe
metze remembers details on its internals because he made some changes
more recently than that -- but I think that was mostly as a consumer of
dirsync. I also recently briefly investigated it because of a bug
due to cookie length restrictions. As long as you use Samba master, you
should be able to avoid that issue. If you do find any issues with NDR
pulling of the cookie, then this is related.

(You should also note that the cookie length must be arbitrarily long
due to the replication up-to-date-vector allowing an unbounded list of DCs).

There are definitely behaviour differences between Windows and Samba
(which Tim might be able to comment on). For instance, the difference
between no attributes and invalid attributes supplied in the search --
and there are a number of similar cases I believe which were never fully
exhausted. I'm not aware of any fundamental issues (or differences), but
I suspect a number of edge cases to vary in behaviour from Windows.

> For example, if we are in the middle of retrieving incremental changes
> from one DC in the domain and it becomes unresponsive, in AD we can
> use the cookie received from one DC to poll another in the same
> domain, with unpredictable results (it is possible to return entries
> that have already been sent, for example, or even do a full sync).
> Does Samba behave the same way?

I think you'd have to explain much more in detail what the procedure
you've enacted is. I'm not sure about how similar this code is to
standard DRS (RPC) in Samba, or how much your client behaves in a
similar manner.

>
> Also, how does Samba operate when a single-valued attribute has been
> deleted from an entry? AD seems to return the same entry without any
> noticeable changes, which makes it impossible to detect which
> attribute has been removed. I looked at dirsync.py but didn't see a
> test for that scenario, perhaps it is somewhere else?

Your guess is as good as mine on this.

Cheers,

Garming


>
> Best Regards,
>
>
> Nadezhda Ivanova
>
> Software Engineer
> Symas Corporation http://www.symas.com
>
