On Tue, 2007-10-02 at 13:02 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > (please forgive the cross-posting to subscriber-only lists)
> > Howard Chu helpfully wrote up this summary of the meeting we held at the CIFS Workshop on how Samba4 should work with an LDAP backend.
> > The background is that Samba4 increasingly needs some things that an LDAP server could provide for us. In the short term, we need to add subtree renames to ldb_tdb, but OpenLDAP's hdb already provides this for us.
> > Likewise, we have a desperate need for replication (because any site in need of Samba4's features will want multiple DCs) - and Fedora DS's replication seems like a very good, solid answer. (Sadly it doesn't give us subtree renames...).
> Multimaster replication is also in OpenLDAP 2.4 (which is currently still in beta - we're still shaking it down, more testers would probably be helpful at some point).
I'll have to keep an eye on that.
> > Another feature: we don't yet do schema validation in Samba4, beyond checking that the objectClass list is valid. We need to extend that, but perhaps the LDAP server could do that validation for us?
> Right, since LDAP doesn't really depend on schema-aware clients, this is the LDAP server's responsibility. (As opposed to X.500, where every agent in the system must be fully schema aware.)
Yes, but we may not wish to have the backend server be as fully aware as Samba about the full monster that is the AD schema, or we may wish to pre-empt the backend server's response. For example, if Samba implements a 'no-user-modification' attribute in a module, we will have to remove that tag from the OpenLDAP/FedoraDS schema, and prevent that modification ourselves.
Andrew Bartlett
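Added example (not code from this thread, nor from Samba, OpenLDAP or Fedora DS): a Python sketch of the split Andrew describes in his last paragraph. The front end parses RFC 4512 attributeType definitions, hands the backend a copy with the NO-USER-MODIFICATION keyword stripped, and keeps the set of guarded attribute names so that an ldb-style module can reject user modifications itself. The OIDs, the sample schema lines, the `internal-system-write` control name and the error code chosen (constraintViolation, 19) are all assumptions made for the example; the codes and controls real Samba uses are not asserted here.

```python
"""Front-end enforcement of NO-USER-MODIFICATION with the keyword stripped
from the schema given to the backend LDAP server.

Added example: not Samba, OpenLDAP or Fedora DS code.
"""
import re

# Constructed sample schema in RFC 4512 attributeType syntax. The OIDs live
# in a hypothetical private arc; only the names and keywords matter here.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'whenCreated' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION )",
    "( 1.3.6.1.4.1.99999.1.2 NAME 'objectSid' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE NO-USER-MODIFICATION )",
    "( 1.3.6.1.4.1.99999.1.3 NAME ( 'cn' 'commonName' ) "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.3.6.1.4.1.99999.1.4 NAME 'description' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# NAME 'single' or NAME ( 'first' 'second' ... ) as allowed by RFC 4512.
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def parse_attribute_type(definition):
    """Return (names, no_user_modification) for one attributeType definition."""
    m = NAME_RE.search(definition)
    if not m:
        raise ValueError("attributeType without NAME: " + definition)
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    # Keywords are whitespace-separated tokens, so a split() membership test
    # cannot be fooled by the string appearing inside a quoted DESC.
    protected = "NO-USER-MODIFICATION" in definition.split()
    return names, protected


def split_schema(definitions):
    """Produce the schema for the backend and the set of names to guard locally.

    The backend copy has NO-USER-MODIFICATION removed so the backend never
    refuses a write the front end has decided to allow; the front end keeps
    the (lower-cased, LDAP attribute names are case-insensitive) names.
    """
    backend, guarded = [], set()
    for definition in definitions:
        names, protected = parse_attribute_type(definition)
        if protected:
            guarded.update(n.lower() for n in names)
            definition = re.sub(r"\s+NO-USER-MODIFICATION\b", "", definition)
        backend.append(definition)
    return backend, guarded


LDB_SUCCESS = 0
LDB_ERR_CONSTRAINT_VIOLATION = 19  # LDAP resultCode constraintViolation (assumed choice)

# Hypothetical control name: a request carrying it comes from the DC's own
# code (for instance the module that stamps timestamps), not from a user.
INTERNAL_WRITE_CONTROL = "internal-system-write"


class NoUserModificationModule:
    """Modelled loosely on an ldb module's modify hook: the check runs before
    the request reaches the backend, so the backend's own answer is pre-empted."""

    def __init__(self, guarded):
        self.guarded = guarded

    def modify(self, changes, controls=()):
        """changes is a list of (op, attribute, values) with op in
        {"add", "delete", "replace"}; returns (result_code, error_string)."""
        if INTERNAL_WRITE_CONTROL in controls:
            return LDB_SUCCESS, None
        for op, attr, values in changes:
            if attr.lower() in self.guarded:
                return (LDB_ERR_CONSTRAINT_VIOLATION,
                        f"{attr}: attribute is NO-USER-MODIFICATION ({op} refused)")
        return LDB_SUCCESS, None


if __name__ == "__main__":
    backend_schema, guarded_attrs = split_schema(SAMPLE_SCHEMA)
    module = NoUserModificationModule(guarded_attrs)
    print("guarded locally:", sorted(guarded_attrs))
    print("backend sees:", backend_schema[0])
    print(module.modify([("replace", "objectSid", [b"S-1-5-21-..."])]))
    print(module.modify([("replace", "whenCreated", ["20071002200200.0Z"])],
                        controls=(INTERNAL_WRITE_CONTROL,)))
```

The point of keeping both halves in one place is that the guarded set and the stripped backend schema are derived from the same definitions, so the front end cannot drift into refusing an attribute the backend still enforces, or the reverse.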