[Fedora-directory-devel] Re: Samba4 onto Fedora DS
Howard Chu
hyc at symas.com
Wed Aug 23 01:49:28 UTC 2006
> Date: Tue, 22 Aug 2006 17:54:05 -0700
> From: Pete Rowley <prowley at redhat.com>
>
> Andrew Bartlett wrote:
>> On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote:
>>> Why not deal with the specific problems that arise when /adding/ the AD
>>> schema? I'm guessing that would be a shorter list?
>>
>> Because the AD schema is a whole schema, not just some extra
>> attributes/objectClasses, I need to be able to replace 'person', and
>> many other classes that Microsoft has modified.
>>
>> Once I start replacing classes, I need to know the list of 'if I replace
>> this, bad things happen'.
>
> The problem is the list of broken things is open ended. Perhaps we
> should drill down on a specific example (like the "person" objectclass
> and associated attributes) and look at what is different. At least that
> will make sure we are all talking about the same thing and the folks on
> the list might have more targeted suggestions.
>
> Though, I thought the plan was to make the DS look like AD through
> Samba's lens? Are we just talking about an interim development situation
> until you add the "lens"? If so, I say break what you like. Otherwise I
> would have big concerns about integration with existing DS deployments.
Ultimately, if you need to make a clone of AD in order to satisfy
Windows clients, you are going to have to break the existing LDAP
standards the same way Microsoft did. You pretty much need bug-for-bug
compatibility, otherwise some random MS app will come along later and
break. This means doing such ugly things as requiring "cn" to be single-
valued, etc. etc. Consider that Microsoft redefines the "top"
objectclass to contain a plethora of attributes; it all goes downhill
from there. Andrew, I certainly don't envy you the job ahead of you.
Eventually, when you finish your work, you'll have another server that
is just as broken and non-compliant as Microsoft's. I don't see you
having a lot of choice in the matter, you just have to do what you have
to do. The MS schema just doesn't coexist with real LDAP...
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/