[Fedora-directory-devel] Re: Samba4 onto Fedora DS

Howard Chu hyc at symas.com
Wed Aug 23 01:49:28 UTC 2006


> Date: Tue, 22 Aug 2006 17:54:05 -0700
> From: Pete Rowley <prowley at redhat.com>
>
> Andrew Bartlett wrote:
>> On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote:
>>> Why not deal with the specific problems that arise when /adding/ the AD
>>> schema? I'm guessing that would be a shorter list?
>>
>> Because the AD schema is a whole schema, not just some extra
>> attributes/objectClasses, I need to be able to replace 'person', and
>> many other classes that Microsoft has modified.
>>
>> Once I start replacing classes, I need to know the list of 'if I replace
>> this, bad things happen'.
>
> The problem is the list of broken things is open ended. Perhaps we 
> should drill down on a specific example (like the "person" objectclass 
> and associated attributes) and look at what is different. At least that 
> will make sure we are all talking about the same thing and the folks on 
> the list might have more targeted suggestions.
>
> Though, I thought the plan was to make the DS look like AD through 
> Samba's lens? Are we just talking about an interim development situation
> until you add the "lens"? If so, I say break what you like. Otherwise I 
> would have big concerns about integration with existing DS deployments.
Ultimately, if you need to make a clone of AD in order to satisfy 
Windows clients, you are going to have to break the existing LDAP 
standards the same way Microsoft did. You pretty much need bug-for-bug 
compatibility, otherwise some random MS app will come along later and 
break. This means doing such ugly things as requiring "cn" to be
single-valued, etc. etc. Consider that Microsoft redefines the "top"
objectclass to contain a plethora of attributes; it all goes downhill 
from there. Andrew, I certainly don't envy you the job ahead of you. 
Eventually, when you finish your work, you'll have another server that 
is just as broken and non-compliant as Microsoft's. I don't see you 
having a lot of choice in the matter, you just have to do what you have 
to do. The MS schema just doesn't coexist with real LDAP...

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/



