
Re: Re-engaging the Samba4 LDAP backend

> I'm trying to pick up the ball again on the OpenLDAP and Fedora DS
> backends, and hopefully to bring them back up to speed as a working and
> respectable solution.
> LDB will always be the Samba Team's primary backend for Samba4.  This is
> particularly the case as there seems no reasonable prospect that we will
> do DRS replication against the OpenLDAP or FedoraDS backend.  (This
> simplifies the requirements dramatically).
> However, we do need them to work, as far as practical, for the rest of
> Samba4's DC functionality.  The things I need soon from the backends
> are:
>  - a replacement for the Samba4 rdn_name module.  For OpenLDAP I have
> tried out ITS#6055 but it fails, sadly.
> http://www.openldap.org/its/index.cgi/Development?id=6055;selectid=6055

I've just sent you a fix
(OpenLDAP's ftp says "disk full").

We also need to discuss a rationalization of Samba 4 support, as I wonder
whether piling up overlays that are specifically meant for one setup is
the good choice, or we'd better integrate them in a (few) single


> I don't know of any comparable effort in Fedora DS.
>  - A RID allocation tool.  Fedora DS has the 'distributed numeric
> assignment' plugin, and I'm sure it will be no challenge for OpenLDAP to
> match it.  Safely adding new users to an OpenLDAP backend really does
> need a safe way to allocate RID values.
>  - A way to invoke slapd -Ttest -f <config file> -F <config dir> without
> issuing errors because of the missing databases
>  - Transaction support.  While most of the transaction-aware tasks in
> Samba have now been either pushed off as 'too hard on LDAP' or into
> modules that are now in the LDAP backend, we still do need transactions
> over LDAP.
>  - A way to easily detect that we have OpenLDAP or Fedora DS installed
> on the system, and what its version is.  Once we have that, we could
> start trying to run at least some of Samba4's tests against such a
> backend regularly (and stop breaking it so often).
>  - Some help debugging the existing 'make test' failures!
> To address a broader range of use cases, I'm looking forward to the work
> Endi has promised for a 'ldap backend config file' as input to
> provision.  Hopefully this will reduce the options we have to present to
> users on the provision command line.
> (Apologies in advance for the cross-post to multiple member-only lists,
> but I just wanted to get everyone on the same page).
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.