Michael Ströder wrote:
Pierangelo Masarati wrote:
Andrew Bartlett wrote:
Samba4's clients are written expecting AD's behaviour, and while I might hope that they would explicitly request the attributes they need, if I can make such mistakes in my test scripts, so can they...
The addition of this feature is (almost) trivial. So the decision should be based on:
- should this "feature" be exposed to all users, or
- should it be exposed only to users using samba4 as proxy?
I think the latter. See, my main scope as a consultant is directory integration/consolidation. So my recommendation is that everything should be avoided which turns an OpenLDAP directory into a special Samba4 LDAP backend which is not usable with other LDAPv3 compliant software anymore.
The fact that we always speak about overlays/modules instead of direct modifications to OpenLDAP should be intended to make sure that OpenLDAP itself does not drift from its route, i.e. becoming as compliant as possible with standard track. In this sense, I believe all modules developed for the sole purpose of downgrading OpenLDAP to behave like AD should clearly carry the indication that they introduce a breach into LDAP specs, and that this breach is intentional for a specific purpose. LDAPv3 client users and developers should be cautioned about relying on those breaches.
How about such an overlay specially treating * based on <who>, as defined in ACLs?
I don't think this is a viable solution, since it appears to require too much effort; moreover, there might not be a practical way to distinguish accesses by samba4 from accesses by other clients.
Or maybe one should recommend in a deployment note to use this overlay with back-ldap?
The deployment note should recommend avoiding this overlay altogether, except for the purpose it was designed for. I would recommend not distributing it with OpenLDAP, but rather with samba4, for use with OpenLDAP.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------