On Tue, 2007-10-02 at 13:02 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > (please forgive the cross-posting to subscriber-only lists)
> > Howard Chu helpfully wrote up this summary of the meeting we held at the
> > CIFS Workshop on how Samba4 should work with an LDAP backend.
> > The background is that Samba4 increasingly needs some things that an
> > LDAP server could provide for us. In the short term, we need to add
> > subtree renames to ldb_tdb, but OpenLDAP's hdb already provides this for
> > Likewise, we have a desperate need for replication (because any site in
> > need of Samba4's features will want multiple DCs) - and Fedora DS's
> > replication seems like a very good, solid answer. (Sadly it doesn't
> > give us subtree renames...).
> Multimaster replication is also in OpenLDAP 2.4 (which is currently still in
> beta - we're still shaking it down, more testers would probably be helpful at
I'll have to keep an eye on that.
> > Another feature: we don't yet do schema validation in Samba4,
> > checking that the objectClass list is valid. We need to extend that,
> > but perhaps the LDAP server could do that validation for us?
> Right, since LDAP doesn't really depend on schema-aware clients this is the
> LDAP server's responsibility. (As opposed to X.500, where every agent in the
> system must be fully schema aware.)
Yes, but we may not wish to have the backend server be as fully aware as
Samba about the full monster that is the AD schema, or we may wish to
pre-empt the backend server's response. For example, if Samba
implements a 'no-user-modification' attribute in a module, we will have
to remove that tag from the OpenLDAP/FedoraDS schema, and prevent that
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com