[Date Prev][Date Next] [Chronological] [Thread] [Top]

How to implement Extended DNs for Samba4?

At the CIFS plugfest it became clear that Samba3 requires that we
complete the implementation of 'extended DN' replies in the Samba4 LDAP

This means that a DN in things like memberOf are in the form:


(or so, I've just made this one up)

If the magic 'extended DN' control is specificed, then we have to return
this form to the client, and it would work really well to store it in
that form on the backend, and if they do not specify the control, only
then strip it back to the 'normal' DN. 

The problem is now particularly how to implement these locally - inside
Samba4 it should be pretty easy to have the right triggers in the
existing memberOf module, but how to implement this in OpenLDAP and
(eventually) FedoraDS.

Currently OpenLDAP uses the refint and memberOf modules, knowing that
this attribute is simply a DN, nothing more.  These modules (and
probably the input validation) will no doubt be unable to cope with the
'extended' DN form. 

Is it reasonable to ask that OpenLDAP carry a module so Samba-specific
in it's application (reading the objectSid and entryUUID and formatting
the link that way)?  Should we try to just fill this in with another
search as part of the search entry callback? (at great performance

Any thoughts?


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

Attachment: signature.asc
Description: This is a digitally signed message part