I've had a very useful discussion with Howard on IRC this morning, and
wanted to summarise it for the lists. It follows on from

We looked at a few things that were getting in the way of the
consistency I need for Samba4.

My primary gripe at the moment is the need to have invalid links
detected at the time of creation, and to ensure that if this happens,
nothing changes in the database. This is the main test that currently
fails against the OpenLDAP backend. (In short, everything else seems to

The trivial solution to this is a pre-check of the consequences of the
operation before attempting it. This will be racy (delete concurrent
with adding a DN as a member), but can be backed by a transaction when
that functionality is exposed.

The problem with doing a pre-check is database loads and replication.
In the replicated case, we can simply not check consistency except on
the original server, as we will catch up to consistency pretty soon
(catastrophic replication failures aside).

For database loads (from a dump), we can simply permit inconsistent
links by means of a configuration option, and hope that the admin knows
what they are doing, and that the DB will be consistent at the

If we get this much done, then I think Samba4 and OpenLDAP can continue
the forward march. I look forward to having Samba4 'powered by
OpenLDAP', because without it (or a Fedora DS backend, with whom I'm
having a similar discussion) Samba4 does not have a replicated

Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
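The pre-check policy described in the message, modelled as an added example that is not part of the original post and is not Samba or OpenLDAP code. The `Directory` class, the `permit_inconsistent_links` option name, the `replicated` flag and the lock standing in for a backend transaction are all hypothetical.

```python
import threading

class LinkError(Exception):
    """Raised when a link would point at a DN that does not exist."""

def norm(dn):
    # Simplified DN normalisation (case and spacing only), enough for the model.
    return ",".join(p.strip().lower() for p in dn.split(","))

class Directory:
    def __init__(self, permit_inconsistent_links=False):
        self.entries = {}                 # normalised DN -> set of member DNs
        # Hypothetical option: set for loads from a dump, unset in normal use.
        self.permit_inconsistent_links = permit_inconsistent_links
        self._txn = threading.Lock()      # stand-in for a backend transaction

    def add_entry(self, dn):
        with self._txn:
            self.entries.setdefault(norm(dn), set())

    def add_members(self, group, members, replicated=False):
        group, members = norm(group), [norm(m) for m in members]
        # Check and write under one lock, so a concurrent delete cannot
        # slip in between the pre-check and the modification.
        with self._txn:
            if group not in self.entries:
                raise LinkError("no such group: " + group)
            # Only the originating server checks; replicas and loads skip it.
            if not (replicated or self.permit_inconsistent_links):
                missing = [m for m in members if m not in self.entries]
                if missing:               # reject before touching anything
                    raise LinkError("invalid link target(s): " + ", ".join(missing))
            self.entries[group].update(members)

    def members(self, group):
        return sorted(self.entries[norm(group)])

    def dangling_links(self):
        # Audit to run after a load or once replication has caught up.
        return sorted((g, m) for g, ms in self.entries.items()
                      for m in ms if m not in self.entries)
```

An originating write that names one missing DN is rejected whole, while `dangling_links()` gives the admin a way to confirm that a load or a replica did end up consistent.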