I've had a very useful discussion with Howard on IRC this morning, and wanted to summarise it for the lists. It follows on from
http://www.openldap.org/its/index.cgi?findid=5534
We looked at a few things that were getting in the way of the consistency I need for Samba4.
My primary gripe at the moment is the need to have invalid links detected at the time of creation, and to ensure that if this happens, nothing changes in the database. This is the main test that currently fails against the OpenLDAP backend. (In short, everything else seems to work!)
The trivial solution to this is a pre-check of the consequences of the operation before attempting it. This will be racy (delete concurrent with adding a DN as a member), but can be backed by a transaction when that functionality is exposed.
The problem with doing a pre-check is database loads and replication. In the replicated case, we can simply not check consistency except on the original server, as we will catch up to consistency pretty soon (catastrophic replication failures aside).
For database loads (from a dump), we can simply permit inconsistent links by means of a configuration option, and hope that the admin knows what they are doing, and that the DB will be consistent at the conclusion.
If we get this much done, then I think Samba4 and OpenLDAP can continue the forward march. I look forward to having Samba4 'powered by OpenLDAP', because without it (or a Fedora DS backend, with whom I'm having a similar discussion) Samba4 does not have a replicated deployment model.
Thanks,
Andrew Bartlett
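
The pre-check behaviour discussed in the message above, modelled as an added example (not part of the original post, and not OpenLDAP or Samba4 code). The `Directory` class, the `allow_dangling_links` option, the `replicated` flag and the sample DNs are all hypothetical names constructed for illustration.

```python
class LinkError(Exception):
    """A link attribute would point at a DN that does not exist."""


class Directory:
    """Toy in-memory directory (constructed): maps a DN to its set of member DNs."""

    def __init__(self, allow_dangling_links=False):
        # Hypothetical option modelling the "permit inconsistent links" setting for loads.
        self.allow_dangling_links = allow_dangling_links
        self.entries = {}

    def _precheck(self, members, replicated):
        # Replicated writes were already checked on the originating server.
        if replicated or self.allow_dangling_links:
            return
        missing = sorted(m for m in members if m not in self.entries)
        if missing:
            raise LinkError("no such link target: " + ", ".join(missing))

    def add(self, dn, members=(), replicated=False):
        if dn in self.entries:
            raise ValueError("entry already exists: " + dn)
        members = list(members)
        self._precheck(members, replicated)
        self.entries[dn] = set(members)

    def add_members(self, dn, members, replicated=False):
        if dn not in self.entries:
            raise KeyError(dn)
        members = list(members)
        # Validate every target before the first write, so a rejected
        # operation leaves the entry exactly as it was.
        self._precheck(members, replicated)
        # Check and write are separate steps: without a transaction, a delete
        # landing between them can still leave a dangling link (the race noted above).
        self.entries[dn].update(members)

    def delete(self, dn):
        del self.entries[dn]

    def dangling_links(self):
        # Post-load or post-replication audit: every (entry, target) with no target entry.
        return sorted((dn, m) for dn, ms in self.entries.items()
                      for m in ms if m not in self.entries)
```

Running `dangling_links()` once a load or replication catch-up has finished gives the consistency check that the relaxed modes skip at write time.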