Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Sat, 2005-01-29 at 12:00 +1000, Peter Tiggerdine wrote:
> Jim,
> On Fri, 2005-01-28 at 10:52 -0800, Jim Hogan wrote:
> > First, my deepest gratitude to the Samba Team. I'll try to be brief.=20
> > Don't want to rob much of anyone's time and am almost embarassed to pos=

> > my questions here.
> >=20
> > Situation: We run 3.10 today in simple domain model with tdb auth, but=20
> > have need of LDAP for many reasons. I see LDAP noted as "non-release=20
> > delaying" feature for Samba 4. =20

The document that you read this on is quite old, and really out of date.

The Samba4 release will ship with it's own LDAP server, as this is
required for WinXP joins (as it is convinced we are implementing Active

> We do not have any urgent need of AD=20
> > support in Samba 4, though some "subfeatures" could be useful (group=20
> > policies, say?) if they wind up as part of V4 AD feature set.
> >=20
> > So, I am trying to evaluate "Build OpenLDAP directory today and=20
> > integrate with V3 or perhaps wait...or take some hybrid approach?" I=

> > looked at latest latest LDAP source from subversion and see what looks=20
> > like scratch-built LDAP server. So my questions:

> I'm also at this cross-road.

If you have a production site now, then I strongly suggest you implement
the best solution you can on Samba3 and OpenLDAP. There are a number of
'neat' things can can be done on this setup, and you will remain

> > - Will Samba 4 still allow substitution of existing OpenLDAP/other LDAP=

> > service for ldb support?

ldb is an interface, which can sit on top of a remote LDAP server, or a
local tdb. However, getting a remote LDAP server to support what we do
will be a challenge. =20

> > - Can anyone point me to V4 default LDAP schema in source? I probably=20
> > need a dope slap but couldn't find it.

There is no schema for ldb at this stage, aside from reading the source
to see which attributes are read/written. In this way, ldb was
initially designed to be schema-less. Schema support is being added in
the near future.

> > - To ease later migration to Samba 4, could v4 schema be applied to=20
> > build a v3 (OpenLDAP) schema for ldapsam support?

> I've asked metze about this and I was told that if someone wants to
> write the tbl backend for samba4, go for it. But officially the only
> backend that is going to be developed for now is tbl with samba's own
> ldap.

The hope is that by constructing another layer of abstraction above ldb,
queries could be translated from Samba4's schema to Samba3's schema, for
a subset of operations. This could then be directed against an LDAP
server that holds Samba3 data. =20

Nobody has started on such a module, but I do hope it would allow some
sort of migration path. I don't know how difficult it will be to write,
nor what limitiations it will place on the Samba4 server

> There is a paper floating around that Andrew Bartlet wrote on migration
> from samba3 to samba4. This was merely a discussion paper and gave no
> realy solution but "food for thought"

Yes, I touched on this a little. We haven't really looked at migration
of user data at this point, but I expect that like migration between the
Samba 2.2 and Samba3 LDAP schemas a perl script will be involved.

> I would hope that somewhere along the was that the openldap team could
> come up wuth an acceptable working backend ( not that I don't like
> samba's ldap implementation) for backwards compatibility with my single
> sign-on server.

The Samba and OpenLDAP teams have very different goals. We also have
very different codebases - we tried to have OpenLDAP read ldb as a
backend, but the code integration task simply proved too difficult.

> > Is the Samba 4 LDAP server planned to be generally useful (support=20
> > Linux sign-on, http/Apache/PHP auth in our case, say) or are there any=20
> > specific expected limitations?

I don't see any reason why any of these will be an issue, when Samba4 is
released. I certainly expect that a 'simple bind' as well as various
SASL binds will be handled in an appropriate way.

If you have followed any of my activity on Single Sign On, you would see
that I care about this 'just working' very passionately.

> > - Is LDAP really non-release delaying? If ldb is required for Samba 4=20
> > operation, how can that be?

As I say, that document needs a lot of work. A replacement is being

Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBB+vSTz4A8Wyi0NrsRAlKOAJ45rbc33oSosX+sm3oNvS PqVM7sOQCeMok0