[Fedora-directory-devel] Fedora Directory and Samba4

Chen Shaopeng chen_shaopeng at idsignet.com
Thu Nov 10 01:37:46 UTC 2005


Pete Rowley wrote:
>  
> 
> Actually I read that to mean they have a simple ldap db implementation which
> can also act as a proxy onto another ldap server _instead_ of storing things
> locally.  Much like FDS can be made to proxy onto another ldap server.
>
Ok, my bad.

> 
>>If that's the case, why can't you come up with a schema (that 
>>can be added into any standard LDAP server) that will satisfy 
>>all Windows client needs, and put everything into FDS?
> 
> 
> That would work perfectly if Active Directory acted like a perfect LDAP
> server.  Unfortunately there are so many quirks and oddities* that I imagine
> the Samba team feel they need to support because AD clients will expect them
> to.  I am not privy to how closely the Samba team want to mimic AD, but
> even for some of the simpler things the question is: is it better to put it
> in the LDAP server where certain efficiencies can be obtained but limit your
> ability to server hop, or do you try to make any LDAP server look like AD
> from the proxy client side and pay the additional performance costs.  Or
> perhaps there is middle ground.  I suspect it is this that Andrew wishes to
> explore.
> 
> *a simple example: most LDAP servers will index the objectclass attribute by
> default to enable fast searching, AD however does not index objectclass, and
> further supplies a proprietary attribute (objectcategory) that performs
> exactly the same function as objectclass (in its entry class distinguishing
> capacity**), but works slightly differently (i.e. has weird matching rules)
> and _is_ indexed by default.  If you are targeting AD for your client
> application which would you choose to use?  Which do you think MS clients
> use?  Syntax and Matching rules plugins could be written for FDS, but they
> don't exist now and they represent a deployment obstacle.
> 
> **the entry class distinguishing capacity of the objectclass attribute is
> further diminished in AD because according to it, computers are people too.
> 
Ok, not too familiar with the internals of AD, so I may speak thru my
behind here.

Since we already have a posixAccount, an ntUser, etc, isn't it possible
to add something similar, with all the quirks and oddities for an AD
user account, and with all the weird matching rules? And maybe with
the help of a few plugins? Or are the Windows client requirements so
convoluted that it is near darn impossible to achieve with the
current FDS or OpenLDAP?

I just downloaded Andrew's thesis yesterday, didn't have time to
read it yet (will do over the weekend).

I'd really love to see Samba4 act as an AD, and be transparent to
all clients.

*note to self: need to learn more about this issue*

rgds

csp
-- 
Chen Shaopeng
http://www.idsignet.com