I'm trying to pick up the ball again on the OpenLDAP and Fedora DS backends, and hopefully to bring them back up to speed as a working and respectable solution.
LDB will always be the Samba Team's primary backend for Samba4. This is particularly the case as there seems no reasonable prospect that we will do DRS replication against the OpenLDAP or FedoraDS backend. (This simplifies the requirements dramatically).
However, we do need them to work, as far as practical, for the rest of Samba4's DC functionality. The things I need soon from the backends are:
- a replacement for the Samba4 rdn_name module. For OpenLDAP I have tried out ITS#6055 but it fails, sadly. http://www.openldap.org/its/index.cgi/Development?id=6055;selectid=6055 I don't know of any comparable effort in Fedora DS.
- A RID allocation tool. Fedora DS has the 'distributed numeric assignment' plugin, and I'm sure it will be no challenge for OpenLDAP to match it. Safely adding new users to an OpenLDAP backend really does need a safe way to allocate RID values.
- A way to invoke slapd -Ttest -f <config file> -F <config dir> without issuing errors because of the missing databases
- Transaction support. While most of the transaction-aware tasks in Samba have now been either pushed off as 'too hard on LDAP' or into modules that are now in the LDAP backend, we still do need transactions over LDAP.
- A way to easily detect that we have OpenLDAP or Fedora DS installed on the system, and what its version is. Once we have that, we could start trying to run at least some of Samba4's tests against such a backend regularly (and stop breaking it so often).
- Some help debugging the existing 'make test' failures!
To address a broader range of use cases, I'm looking forward to the work Endi has promised for a 'ldap backend config file' as input to provision. Hopefully this will reduce the options we have to present to users on the provision command line.
(Apologies in advance for the cross-post to multiple member-only lists, but I just wanted to get everyone on the same page).
Thanks,
Andrew Bartlett
Andrew Bartlett wrote:
> I'm trying to pick up the ball again on the OpenLDAP and Fedora DS backends, and hopefully to bring them back up to speed as a working and respectable solution.
> - A way to invoke slapd -Ttest -f <config file> -F <config dir> without
> issuing errors because of the missing databases

I already answered this quite a while back. Just add "-n 0" to the invocation.
> I'm trying to pick up the ball again on the OpenLDAP and Fedora DS backends, and hopefully to bring them back up to speed as a working and respectable solution.
> LDB will always be the Samba Team's primary backend for Samba4. This is particularly the case as there seems no reasonable prospect that we will do DRS replication against the OpenLDAP or FedoraDS backend. (This simplifies the requirements dramatically).
> However, we do need them to work, as far as practical, for the rest of Samba4's DC functionality. The things I need soon from the backends are:
> - a replacement for the Samba4 rdn_name module. For OpenLDAP I have
> tried out ITS#6055 but it fails, sadly. http://www.openldap.org/its/index.cgi/Development?id=6055;selectid=6055

I've just sent you a fix http://www.aero.polimi.it/masarati/Download/pierangelo-masarati-2010-03-30-rdnval.2.c (OpenLDAP's ftp says "disk full").
We also need to discuss a rationalization of Samba 4 support, as I wonder whether piling up overlays that are specifically meant for one setup is the good choice, or we'd better integrate them in a (few) single module(s).
p.

> I don't know of any comparable effort in Fedora DS.
> - A RID allocation tool. Fedora DS has the 'distributed numeric
> assignment' plugin, and I'm sure it will be no challenge for OpenLDAP to match it. Safely adding new users to an OpenLDAP backend really does need a safe way to allocate RID values.
> - A way to invoke slapd -Ttest -f <config file> -F <config dir> without
> issuing errors because of the missing databases
> - Transaction support. While most of the transaction-aware tasks in
> Samba have now been either pushed off as 'too hard on LDAP' or into modules that are now in the LDAP backend, we still do need transactions over LDAP.
> - A way to easily detect that we have OpenLDAP or Fedora DS installed
> on the system, and what its version is. Once we have that, we could start trying to run at least some of Samba4's tests against such a backend regularly (and stop breaking it so often).
> - Some help debugging the existing 'make test' failures!
> To address a broader range of use cases, I'm looking forward to the work Endi has promised for a 'ldap backend config file' as input to provision. Hopefully this will reduce the options we have to present to users on the provision command line.
> (Apologies in advance for the cross-post to multiple member-only lists, but I just wanted to get everyone on the same page).
> Thanks,
> Andrew Bartlett

Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
openldap-technical@openldap.org