[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: memberOf hidden?

Michael StrÃder wrote:
> Pierangelo Masarati wrote:
>> Andrew Bartlett wrote:
>>> Samba4's clients are written expecting AD's behaviour, and while I might
>>> hope that they would explicitly request the attributes they need, if I
>>> can make such mistakes in my test scripts, so can they...
>> The addition of this feature is (almost) trivial.  So the decision
>> should be based on:
>>   - should this "feature" be exposed to all users, or
>>   - should it be exposed only to users using samba4 as proxy?
> I think the latter. See, my main scope as a consultant is directory
> integration/consolidation. So my recommendation is that everything
> should be avoided which turns an OpenLDAP directory into a special
> Samba4 LDAP backend which is not usable with other LDAPv3 compliant
> software anymore.

The fact that we always speak about overlays/modules instead of direct
modifications to OpenLDAP should be intended to make sure that OpenLDAP
itself does not drift from its route, i.e. becoming as compliant as
possible with standard track.  In this sense, I believe all modules
developed for the sole purpose of downgrading OpenLDAP to behave like AD
should clearly carry the indication that they introduce a breach into
LDAP specs, and that this breach is intentional for a specific purpose.
 LDAPv3 client users and developers should be cautioned about relying on
those breaches.

> How about such an overlay specially treating * based on <who> like
> defined in ACLs?

I don't think this a viable solution since it appears to require too
much effort; moreover, there might not be a practical way to distinguish
accesses by samba4 and accesses by other clients.

> Or maybe one should recommend in a deployment note to
> use this overlay with back-ldap?

The deployment note should recommend to avoid using this overlay at all,
except for the purpose it was designed.  I would recommend to avoid
distributing it with OpenLDAP; rather, with samba4 for use with OpenLDAP.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it