[Fedora-directory-devel] Re: Samba4 onto Fedora DS

Andrew Bartlett abartlet at samba.org
Wed Aug 23 02:37:27 UTC 2006


On Tue, 2006-08-22 at 18:49 -0700, Howard Chu wrote:
> > Date: Tue, 22 Aug 2006 17:54:05 -0700
> > From: Pete Rowley <prowley at redhat.com>
> > Andrew Bartlett wrote:
> > On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote:
> >>> >>Why not deal with the specific problems that arise when /adding/ the AD 
> >>> >>schema? I'm guessing that would be a shorter list?
> >> >
> >> >Because the AD schema is a whole schema, not just some extra
> >> >attributes/objectClasses, I need to be able to replace 'person', and
> >> >many other classes that Microsoft has modified.  
> >> >
> >> >Once I start replacing classes, I need to know the list of 'if I replace
> >> >this, bad things happen'.
> > The problem is the list of broken things is open ended. Perhaps we 
> > should drill down on a specific example (like the "person" objectclass 
> > and associated attributes) and look at what is different. At least that 
> > will make sure we are all talking about the same thing and the folks on 
> > the list might have more targeted suggestions.
> >
> > Though, I thought the plan was to make the DS look like AD through 
> > Samba's lens?  Are we just talking about an interim development situation 
> > until you add the "lens"? If so, I say break what you like. Otherwise I 
> > would have big concerns about integration with existing DS deployments.
> Ultimately, if you need to make a clone of AD in order to satisfy 
> Windows clients, you are going to have to break the existing LDAP 
> standards the same way Microsoft did. You pretty much need bug-for-bug 
> compatibility, otherwise some random MS app will come along later and 
> break. 

I suppose the fact that I've been doing this for years in every other
protocol is why I don't find the notion quite so shocking :-)

> This means doing such ugly things as requiring "cn" to be single-valued, 
> etc. etc. Consider that Microsoft redefines the "top" 
> objectclass to contain a plethora of attributes; it all goes downhill 
> from there. 

I'm not sure redefining top is the worst of them.  If I am backing onto
a standards-compliant server, and trying to put the worst of the
non-standard behaviour in Samba4, then I think I can create an ms_top
auxiliary class for the attributes I can't map/invent etc.

Downhill is things like redefining 'person' without 'sn'...

> Andrew, I certainly don't envy you the job ahead of you. 
> Eventually, when you finish your work, you'll have another server that 
> is just as broken and non-compliant as Microsoft's. 

That's the aim ;-)

That's particularly the aim for the internal Samba4 server.  I'm hoping
that with the proxy mode, we might eventually have both worlds:
compliant (directly) and non-compliant (via Samba). 

> I don't see you 
> having a lot of choice in the matter, you just have to do what you have 
> to do. The MS schema just doesn't coexist with real LDAP...

Indeed.  The real measure of how successful I am is how maintainable the
mapping layer is, and how bad the server-side hacks are. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
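The "if I replace this, bad things happen" list that the thread asks for can be produced mechanically by diffing the standard objectClass and attributeType definitions against the replacement ones. The following script is an added example, not code from this thread, from Samba or from Fedora DS: it parses RFC 4512 schema descriptions as they appear in a cn=schema LDIF (the `attributeTypes:` / `objectClasses:` layout), then reports dropped or added MUST attributes, removed MAY attributes, kind and SUP changes, and attributes that become SINGLE-VALUE. The standard fragment is the RFC 4519 text for `cn` and `person`; the replacement fragment is constructed to mirror the two changes the e-mail describes (`sn` no longer mandatory on `person`, `cn` single-valued) and is not Microsoft's actual schema text.

```python
"""Diff two LDAP schema fragments (RFC 4512 description syntax) and list
the ways a replacement definition changes the contract that existing
entries and applications rely on."""
import re
from dataclasses import dataclass, field

# Keywords of the RFC 4512 grammar that begin a new field of a definition.
KEYWORDS = {
    "NAME", "DESC", "OBSOLETE", "SUP", "ABSTRACT", "STRUCTURAL", "AUXILIARY",
    "MUST", "MAY", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "SINGLE-VALUE",
    "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE",
}
TOKEN_RE = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")

# Standard definitions, quoted from RFC 4519.
STANDARD_SCHEMA = """
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
"""

# Constructed replacement illustrating the e-mail's two points: 'sn' is
# only MAY on 'person', and 'cn' is single-valued.  Not Microsoft's text.
REPLACEMENT_SCHEMA = """
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name SINGLE-VALUE )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( cn ) MAY ( sn $ userPassword $ telephoneNumber $ seeAlso $ description ) )
"""


@dataclass
class SchemaElement:
    oid: str
    names: list
    sup: list = field(default_factory=list)
    must: set = field(default_factory=set)
    may: set = field(default_factory=set)
    kind: str = ""            # STRUCTURAL / AUXILIARY / ABSTRACT for classes
    single_value: bool = False


def parse_definition(text):
    """Parse one parenthesised RFC 4512 definition into a SchemaElement."""
    tokens = TOKEN_RE.findall(text)
    if tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    fields = {}
    i = 2                                   # tokens[1] is the numeric OID
    while i < len(tokens) - 1:
        key = tokens[i]
        i += 1
        values, depth = [], 0
        # Collect values until the next keyword (or X- extension) at depth 0.
        while i < len(tokens) - 1 and (
            depth or not (tokens[i] in KEYWORDS or tokens[i].startswith("X-"))
        ):
            tok = tokens[i]
            i += 1
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            elif tok != "$":
                values.append(tok.strip("'").lower())
        fields[key] = values
    kinds = [k for k in ("STRUCTURAL", "AUXILIARY", "ABSTRACT") if k in fields]
    return SchemaElement(
        oid=tokens[1],
        names=fields.get("NAME", []),
        sup=fields.get("SUP", []),
        must=set(fields.get("MUST", [])),
        may=set(fields.get("MAY", [])),
        kind=kinds[0] if kinds else "",
        single_value="SINGLE-VALUE" in fields,
    )


def load_schema(ldif_text):
    """Read attributeTypes:/objectClasses: lines into dicts keyed by primary name."""
    attrs, classes = {}, {}
    for line in ldif_text.splitlines():
        kind, _, body = line.partition(":")
        target = {"attributetypes": attrs, "objectclasses": classes}.get(kind.strip().lower())
        if target is None or not body.strip():
            continue
        element = parse_definition(body.strip())
        target[element.names[0]] = element
    return attrs, classes


def compare_object_class(old, new):
    """Return the breaking differences between two versions of one objectClass."""
    findings = []
    for attr in sorted(old.must - new.must):
        findings.append(f"MUST '{attr}' dropped: new entries may omit it; clients assuming it will break")
    for attr in sorted(new.must - old.must - old.may):
        findings.append(f"MUST '{attr}' added: existing entries lacking it violate the new schema")
    for attr in sorted(old.may - new.may - new.must):
        findings.append(f"MAY '{attr}' removed: existing entries carrying it become invalid")
    if old.kind != new.kind:
        findings.append(f"kind changed {old.kind} -> {new.kind}")
    if old.sup != new.sup:
        findings.append(f"SUP changed {old.sup} -> {new.sup}")
    return findings


def compare_attribute_type(old, new):
    """Return the breaking differences between two versions of one attributeType."""
    findings = []
    if new.single_value and not old.single_value:
        findings.append(f"'{new.names[0]}' becomes SINGLE-VALUE: multi-valued entries violate the new schema")
    return findings


def schema_break_list(old_text, new_text):
    """Map each redefined element name to its list of breaking changes."""
    old_attrs, old_classes = load_schema(old_text)
    new_attrs, new_classes = load_schema(new_text)
    report = {}
    for name, new_cls in new_classes.items():
        if name in old_classes:
            findings = compare_object_class(old_classes[name], new_cls)
            if findings:
                report[name] = findings
    for name, new_attr in new_attrs.items():
        if name in old_attrs:
            findings = compare_attribute_type(old_attrs[name], new_attr)
            if findings:
                report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in schema_break_list(STANDARD_SCHEMA, REPLACEMENT_SCHEMA).items():
        for line in findings:
            print(f"{name}: {line}")
```

Run against a server's real cn=schema export and the proposed replacement, the same report gives the concrete checklist of classes that existing DS deployments depend on, which is the coexistence concern raised in the thread.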