Pete Rowley wrote:
> > > Actually I read that to mean they have a simple ldap db implementation which
> > > can also act as a proxy onto another ldap server _instead_ of storing things
> > > locally. Much like FDS can be made to proxy onto another ldap server.
> Ok, my bad.
>
> >>If that's the case, why can't you come up with a schema (that
> >>can be added into any standard LDAP server) that will satisfy
> >>all Windows client needs, and put everything into FDS?
>
> That would work perfectly if Active Directory acted like a perfect LDAP
> server. Unfortunately there are so many quirks and oddities* that I imagine
> the Samba team feel they need to support because AD clients will expect them
> to. I am not privy to how closely the Samba team want to mimic AD, but
> even for some of the simpler things the question is: is it better to put it
> in the LDAP server where certain efficiencies can be obtained but limit your
> ability to server hop, or do you try to make any LDAP server look like AD
> from the proxy client side and pay the additional performance costs. Or
> perhaps there is middle ground. I suspect it is this that Andrew wishes to
> explore.
>
> *a simple example: most LDAP servers will index the objectclass attribute by
> default to enable fast searching, AD however does not index objectclass, and
> further supplies a proprietary attribute (objectcategory) that performs
> exactly the same function as objectclass (in its entry class distinguishing
> capacity**), but works slightly differently (i.e. has weird matching rules)
> and _is_ indexed by default. If you are targeting AD for your client
> application which would you choose to use? Which do you think MS clients
> use? Syntax and Matching rules plugins could be written for FDS, but they
> don't exist now and they represent a deployment obstacle.
>
> **the entry class distinguishing capacity of the objectclass attribute is
> further diminished in AD because according to it, computers are people too.
>
Ok, not too familiar with the internals of AD, so I may speak through my behind here. Since we already have a posixAccount, an ntUser, etc., isn't it possible to add something similar, with all the quirks and oddities for an AD user account, and with all the weird matching rules? And maybe with the help of a few plugins? Or are the Windows client requirements so convoluted that it is near darn impossible to achieve with the current FDS or OpenLDAP?

I just downloaded Andrew's thesis yesterday, didn't have time to read it yet (will do over the weekend). I'd really love to see Samba4 act as an AD, and be transparent to all clients.

*note to self: need to learn more about this issue*

rgds
csp
-- 
Chen Shaopeng
http://www.idsignet.com
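Pete's footnote about objectclass versus objectcategory is easiest to see with a filter evaluator in hand. What follows is an added example, not code from this thread or from the Samba, FDS or Microsoft projects. It builds a few constructed entries that mirror AD's class inheritance (a computer object also carries the user and person classes), uses an assumed schema naming context for the objectCategory DNs, and evaluates the filters an AD client would typically send in two modes: with AD's shorthand objectCategory matching, where the bare class name stands in for the schema object's DN, and with plain DN matching, which is what a generic LDAP server would do with a DN-syntax attribute.

```python
"""Why AD clients filter on objectCategory rather than objectClass.

Constructed illustration (not Samba, FDS or Microsoft code). A tiny evaluator
for the subset of RFC 4515 filters AD clients usually send, run over
hand-built entries. Two quirks from the thread are visible:
  1. a computer in AD is structurally also a person/user, so
     (objectClass=person) matches computers;
  2. objectCategory is DN-valued, and AD accepts the class's unqualified
     name ('person') as shorthand for the schema DN, which a generic DN
     matching rule on another server would not.
"""

# Assumed forest; only used to build plausible objectCategory DNs.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"

# Constructed sample entries. objectClass lists follow AD's inheritance chain
# user -> organizationalPerson -> person -> top; computer derives from user.
ENTRIES = [
    {"dn": "CN=Alice,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["CN=Person," + SCHEMA_NC],
     "sAMAccountName": ["alice"]},
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["CN=Computer," + SCHEMA_NC],
     "sAMAccountName": ["WS01$"]},
    {"dn": "CN=Domain Admins,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "group"],
     "objectCategory": ["CN=Group," + SCHEMA_NC],
     "sAMAccountName": ["Domain Admins"]},
]


def parse_filter(s):
    """Parse (&...), (|...), (!...) and (attr=value) / (attr=*) filters."""
    s = s.strip()
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data in filter at offset %d" % i)
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated list at offset %d" % i)
        return ("and" if op == "&" else "or", kids), i + 1
    if op == "!":
        kid, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated negation at offset %d" % i)
        return ("not", kid), i + 1
    end = s.index(")", i)                 # values containing ')' are out of scope
    attr, _, value = s[i:end].partition("=")  # first '=' only: DN values keep theirs
    return ("eq", attr.strip(), value.strip()), end + 1


def _norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def _first_rdn_value(dn):
    # "CN=Person,CN=Schema,..." -> "person"
    return dn.split(",", 1)[0].partition("=")[2].strip().lower()


def _value_matches(attr, wanted, actual, ad_quirks):
    if attr.lower() == "objectcategory":
        if ad_quirks and "=" not in wanted:
            # AD quirk: bare class name matches the schema object's RDN.
            return _first_rdn_value(actual) == wanted.lower()
        return _norm_dn(actual) == _norm_dn(wanted)   # distinguishedNameMatch
    return actual.lower() == wanted.lower()           # caseIgnoreMatch (objectClass etc.)


def evaluate(node, entry, ad_quirks=True):
    kind = node[0]
    if kind == "and":
        return all(evaluate(k, entry, ad_quirks) for k in node[1])
    if kind == "or":
        return any(evaluate(k, entry, ad_quirks) for k in node[1])
    if kind == "not":
        return not evaluate(node[1], entry, ad_quirks)
    _, attr, wanted = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if isinstance(values, str):
        values = [values]
    if wanted == "*":
        return bool(values)
    return any(_value_matches(attr, wanted, v, ad_quirks) for v in values)


def search(filter_str, ad_quirks=True, entries=ENTRIES):
    """Return the sAMAccountNames of entries matching the filter, in order."""
    node = parse_filter(filter_str)
    return [e["sAMAccountName"][0] for e in entries if evaluate(node, e, ad_quirks)]


if __name__ == "__main__":
    for f in ["(objectClass=person)",
              "(&(objectCategory=person)(objectClass=user))",
              "(&(objectClass=user)(!(objectClass=computer)))"]:
        print(f, "-> AD:", search(f), "| generic DN matching:", search(f, ad_quirks=False))
```

The usual AD client filter for "real" user accounts, (&(objectCategory=person)(objectClass=user)), only works because of the shorthand matching; with a generic distinguishedNameMatch rule the bare value "person" matches nothing, and an administrator of a non-AD server would have to write (&(objectClass=user)(!(objectClass=computer))) instead, which is both a different filter and an unindexed one on AD.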