[Fedora-directory-devel] Re: Samba4 onto Fedora DS
Andrew Bartlett
abartlet at samba.org
Wed Aug 23 02:37:27 UTC 2006
On Tue, 2006-08-22 at 18:49 -0700, Howard Chu wrote:
> > Date: Tue, 22 Aug 2006 17:54:05 -0700
> > From: Pete Rowley <prowley at redhat.com>
> > Andrew Bartlett wrote:
> > On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote:
> > > > Why not deal with the specific problems that arise when /adding/ the AD
> > > > schema? I'm guessing that would be a shorter list?
> > >
> > > Because the AD schema is a whole schema, not just some extra
> > > attributes/objectClasses, I need to be able to replace 'person', and
> > > many other classes that Microsoft has modified.
> > >
> > > Once I start replacing classes, I need to know the list of 'if I replace
> > > this, bad things happen'.
> > The problem is the list of broken things is open ended. Perhaps we
> > should drill down on a specific example (like the "person" objectclass
> > and associated attributes) and look at what is different. At least that
> > will make sure we are all talking about the same thing and the folks on
> > the list might have more targeted suggestions.
> >
> > Though, I thought the plan was to make the DS look like AD through
> > Samba's lens? Are we just talking about an interim development situation
> > until you add the "lens"? If so, I say break what you like. Otherwise I
> > would have big concerns about integration with existing DS deployments.
> Ultimately, if you need to make a clone of AD in order to satisfy
> Windows clients, you are going to have to break the existing LDAP
> standards the same way Microsoft did. You pretty much need bug-for-bug
> compatibility, otherwise some random MS app will come along later and
> break.
I suppose the fact that I've been doing this for years in every other
protocol is why I don't find the notion quite so shocking :-)
> This means doing such ugly things as requiring "cn" to be single-
> valued, etc. etc. Consider that Microsoft redefines the "top"
> objectclass to contain a plethora of attributes; it all goes downhill
> from there.
I'm not sure redefining top is the worst of them. If I am backing onto
a standards-compliant server, and trying to put the worst of the
non-standard behaviour in Samba4, then I think I can create an ms_top
auxiliary class for the attributes I can't map/invent etc.
Downhill is things like redefining 'person' without 'sn'...
> Andrew, I certainly don't envy you the job ahead of you.
> Eventually, when you finish your work, you'll have another server that
> is just as broken and non-compliant as Microsoft's.
That's the aim ;-)
That's particularly the aim for the internal Samba4 server. I'm hoping
that with the proxy mode, we might eventually have both worlds:
compliant (directly) and non-compliant (via Samba).
> I don't see you
> having a lot of choice in the matter, you just have to do what you have
> to do. The MS schema just doesn't coexist with real LDAP...
Indeed. The real measure of how successful I am is how maintainable the
mapping layer is, and how bad the server-side hacks are.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
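The thread's question of "if I replace this class, what breaks" can be answered mechanically from the two schemas. The following is an added example, not code from the thread, Samba or Fedora DS: it parses constructed subschema fragments (the "AD-style" side only models what the mail describes, not Microsoft's real definitions) and reports, per replaced class, which MUST attributes were relaxed or added and which attributes became single-valued.

```python
import re
# Constructed subschema fragments in the LDIF form a server publishes under
# cn=schema. Illustrative only, not copied from RFC 4519 or from AD: the
# "AD-style" side models just what the thread describes (person without a
# mandatory sn, cn single-valued, top carrying extra mandatory attributes).
STANDARD = """
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
attributeTypes: ( 2.5.4.4 NAME 'sn' SUP name )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
"""
AD_STYLE = """
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name SINGLE-VALUE )
attributeTypes: ( 2.5.4.4 NAME 'sn' SUP name )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST ( objectClass $ instanceType $ objectCategory ) )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST cn MAY ( sn $ userPassword $ telephoneNumber $ seeAlso ) )
"""

def _names_after(keyword, text):
    # Attribute names following MUST or MAY: either one token or '( a $ b )'.
    m = re.search(r'\b%s\s+(?:\(([^)]*)\)|([\w;-]+))' % keyword, text)
    if not m:
        return frozenset()
    body = m.group(1) or m.group(2)
    return frozenset(body.replace('$', ' ').split())

def parse_subschema(text):
    """Return ({class name: MUST set}, {attribute names flagged SINGLE-VALUE})."""
    must, single = {}, set()
    for line in text.strip().splitlines():
        kind, _, body = line.partition(':')
        name = re.search(r"NAME '([^']+)'", body).group(1)
        if kind == 'objectClasses':
            must[name] = _names_after('MUST', body)
        elif kind == 'attributeTypes' and 'SINGLE-VALUE' in body:
            single.add(name)
    return must, single

def replacement_risks(standard_text, replacement_text):
    std_must, std_single = parse_subschema(standard_text)
    rep_must, rep_single = parse_subschema(replacement_text)
    report = {}
    for name in std_must.keys() & rep_must.keys():
        report[name] = {
            # No longer mandatory: standard clients relying on it (sn on person) can break.
            'must_relaxed': sorted(std_must[name] - rep_must[name]),
            # Newly mandatory: existing entries without it fail schema checking.
            'must_added': sorted(rep_must[name] - std_must[name]),
        }
    # Now single-valued: existing entries holding several values become invalid.
    report['now_single_valued'] = sorted(rep_single - std_single)
    return report
```

Run against real subschema exports (ldapsearch -b cn=schema on each server) the same report is a first pass at the "open ended" breakage list Pete mentions.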