On Tue, 2007-10-02 at 11:32 -0700, Andrew Bartlett wrote:
> (please forgive the cross-posting to subscriber-only lists)
> Howard Chu helpfully wrote up this summary of the meeting we held at the CIFS Workshop on how Samba4 should work with an LDAP backend.
> The background is that Samba4 increasingly needs some things that an LDAP server could provide for us. In the short term, we need to add subtree renames to ldb_tdb, but OpenLDAP's hdb already provides this for us.
Just as an update, I've implemented this, and linked attributes (another thing we discussed at the CIFS workshop) in Samba4, for ldb_tdb. This does however bring up the issue of linked attributes in LDAP backends.
Linked attributes include member/memberOf, master/masteredBy and many others. They are defined in the AD schema, and as far as I know, are strictly updated as a pair (they are not flattened memberOf listings, for example).
Linked attributes and subtree renames are closely linked - if you don't support subtree renames, then handling linked attributes on the Samba side is easy - the LDAP server remains 'dumb' about it. As I understand it (corrections welcome), Fedora DS is not likely to handle subtree renames soon, so this approach will work for Samba4 on Fedora DS.
However, for Samba4 on OpenLDAP, we will want to have the LDAP backend handle subtree renames. Has there been any work to handle memberOf in OpenLDAP? How does this interact with subtree renames?
Any other thoughts?
Andrew Bartlett
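
The interaction between linked attributes and subtree renames raised above, as an added illustration that is not part of the original message and is not Samba4, ldb or OpenLDAP code: a toy in-memory directory where member/memberOf are written as a pair, and a subtree rename must rewrite DN values on both sides of the link. The DNs, function names and the plain case-insensitive suffix match (no real DN normalization) are assumptions made for the example.

```python
# Toy directory: DN -> {attribute: set of values}. All data below is constructed.
LINKS = {"member": "memberOf"}  # forward link -> back link (pair named in the post)
PAIRS = {**LINKS, **{back: fwd for fwd, back in LINKS.items()}}

def add_link(db, src, fwd, target):
    """Write the forward link and its back link together, as one paired update."""
    db[src].setdefault(fwd, set()).add(target)
    db[target].setdefault(LINKS[fwd], set()).add(src)

def _moved(dn, old_base, new_base):
    """Map a DN at or below old_base to its new name; leave other DNs alone."""
    low, base = dn.lower(), old_base.lower()
    if low == base or low.endswith("," + base):
        return dn[: len(dn) - len(old_base)] + new_base
    return dn

def naive_rename(db, old_base, new_base):
    """Rename the entries only; link values still hold the old DNs."""
    return {_moved(dn, old_base, new_base): {a: set(v) for a, v in attrs.items()}
            for dn, attrs in db.items()}

def subtree_rename(db, old_base, new_base):
    """Rename the entries and rewrite every linked-attribute value that moved."""
    out = {}
    for dn, attrs in db.items():
        out[_moved(dn, old_base, new_base)] = {
            a: {_moved(v, old_base, new_base) for v in vals} if a in PAIRS else set(vals)
            for a, vals in attrs.items()}
    return out

def dangling_links(db):
    """List (dn, attr, value) where a link names no entry or lacks its paired value."""
    bad = []
    for dn, attrs in db.items():
        for attr, other in PAIRS.items():
            for v in attrs.get(attr, ()):
                if v not in db or dn not in db[v].get(other, ()):
                    bad.append((dn, attr, v))
    return sorted(bad)

def sample_db():
    """Constructed sample: one group outside the renamed subtree, one member inside."""
    db = {"ou=staff,dc=example,dc=com": {},
          "cn=alice,ou=staff,dc=example,dc=com": {},
          "cn=admins,ou=groups,dc=example,dc=com": {}}
    add_link(db, "cn=admins,ou=groups,dc=example,dc=com", "member",
             "cn=alice,ou=staff,dc=example,dc=com")
    return db
```

Running `dangling_links` on the result of `naive_rename` reports both halves of the pair as broken, which is the consistency check to apply when the component doing the rename is not the one maintaining the links.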