[Fedora-directory-devel] Fedora Directory and Samba4

Pete Rowley pete at openrowley.com
Thu Nov 10 01:07:16 UTC 2005


 

> -----Original Message-----
> From: fedora-directory-devel-bounces at redhat.com 
> [mailto:fedora-directory-devel-bounces at redhat.com] On Behalf 
> Of Chen Shaopeng
> Sent: Wednesday, November 09, 2005 4:22 PM
> To: Fedora Directory server developer discussion.
> Subject: Re: [Fedora-directory-devel] Fedora Directory and Samba4
> 
> So, if I understand this well, for a fully integrated 
> solution, you are going to have 2 LDAP servers, one is the 
> internal built-in LDAP server for storing Windows client 
> stuff, and a second LDAP server (FDS in this case), for everything.

Actually I read that to mean they have a simple ldap db implementation which
can also act as a proxy onto another ldap server _instead_ of storing things
locally.  Much like FDS can be made to proxy onto another ldap server.

> 
> If that's the case, why can't you come up with a schema (that 
> can be added into any standard LDAP server) that will satisfy 
> all Windows client needs, and put everything into FDS?

That would work perfectly if Active Directory acted like a perfect LDAP
server.  Unfortunately there are so many quirks and oddities* that I imagine
the Samba team feel they need to support because AD clients will expect them
to.  I am not privy to how closely the Samba team want to mimic AD, but
even for some of the simpler things the question is: is it better to put it
in the LDAP server where certain efficiencies can be obtained but limit your
ability to server hop, or do you try to make any LDAP server look like AD
from the proxy client side and pay the additional performance costs.  Or
perhaps there is middle ground.  I suspect it is this that Andrew wishes to
explore.

*a simple example: most LDAP servers will index the objectclass attribute by
default to enable fast searching, AD however does not index objectclass, and
further supplies a proprietary attribute (objectcategory) that performs
exactly the same function as objectclass (in its entry class distinguishing
capacity**), but works slightly differently (i.e. has weird matching rules)
and _is_ indexed by default.  If you are targeting AD for your client
application which would you choose to use?  Which do you think MS clients
use?  Syntax and Matching rules plugins could be written for FDS, but they
don't exist now and they represent a deployment obstacle.

**the entry class distinguishing capacity of the objectclass attribute is
further diminished in AD because according to it, computers are people too.
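
The objectclass/objectcategory difference described in the footnotes above, as an added example that is not part of the original message: a small filter evaluator run over three constructed entries. The entry values and the `DEFAULT_CATEGORY` map are assumptions based on AD's default schema (the computer class derives from user, and user and contact share the Person category); the DN suffix and the function names are made up for illustration.

```python
# Added illustration: why (objectClass=...) and (objectCategory=...) select
# different entries in an AD-style directory. All data below is constructed.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"  # placeholder suffix

# Assumption (AD default schema): class name -> CN of its defaultObjectCategory.
DEFAULT_CATEGORY = {"person": "Person", "user": "Person",
                    "contact": "Person", "computer": "Computer"}

ENTRIES = [
    {"cn": ["alice"], "objectCategory": ["CN=Person," + SCHEMA_NC],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"cn": ["WS01"], "objectCategory": ["CN=Computer," + SCHEMA_NC],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
    {"cn": ["helpdesk"], "objectCategory": ["CN=Person," + SCHEMA_NC],
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
]

def parse(f, i=0):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = f[i + 1]
    if op in "&|!":
        i, kids = i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # step over the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] == "=":
        _, attr, value = node
        if attr == "objectcategory" and "=" not in value:
            # Short form: expand the class name to its category DN, as AD does.
            value = ("CN=%s,%s" % (DEFAULT_CATEGORY.get(value, value), SCHEMA_NC)).lower()
        return any(value == v.lower()
                   for k, vs in entry.items() if k.lower() == attr for v in vs)
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def search(filter_text):
    tree, _ = parse(filter_text)
    return [e["cn"][0] for e in ENTRIES if matches(tree, e)]

if __name__ == "__main__":
    for flt in ("(objectClass=user)", "(objectClass=person)", "(objectCategory=person)",
                "(&(objectCategory=person)(objectClass=user))"):
        print(flt, "->", search(flt))
```

A proxy or plugin that wants to answer AD-style clients from a standard LDAP server has to reproduce both behaviours: the class-hierarchy match on objectClass and the single-valued category match with its short-form expansion.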





