On Tue, 2006-08-22 at 18:49 -0700, Howard Chu wrote:
> > Date: Tue, 22 Aug 2006 17:54:05 -0700
> > From: Pete Rowley <prowley@xxxxxxxxxx>
> >
> > Andrew Bartlett wrote:
> >> On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote:
> >>> Why not deal with the specific problems that arise when /adding/ the AD
> >>> schema? I'm guessing that would be a shorter list?
> >>
> >> Because the AD schema is a whole schema, not just some extra
> >> attributes/objectClasses, I need to be able to replace 'person', and
> >> many other classes that Microsoft has modified.
> >>
> >> Once I start replacing classes, I need to know the list of 'if I replace
> >> this, bad things happen'.
> >
> > The problem is the list of broken things is open ended. Perhaps we
> > should drill down on a specific example (like the "person" objectclass
> > and associated attributes) and look at what is different. At least that
> > will make sure we are all talking about the same thing and the folks on
> > the list might have more targeted suggestions.
> >
> > Though, I thought the plan was to make the DS look like AD through
> > Samba's lens? Are we just talking about an interim development situation
> > until you add the "lens"? If so, I say break what you like. Otherwise I
> > would have big concerns about integration with existing DS deployments.
>
> Ultimately, if you need to make a clone of AD in order to satisfy
> Windows clients, you are going to have to break the existing LDAP
> standards the same way Microsoft did. You pretty much need bug-for-bug
> compatibility, otherwise some random MS app will come along later and
> break.

I suppose the fact that I've been doing this for years in every other
protocol is why I don't find the notion quite so shocking :-)

> This means doing such ugly things as requiring "cn" to be single-
> valued, etc. etc. Consider that Microsoft redefines the "top"
> objectclass to contain a plethora of attributes; it all goes downhill
> from there.
I'm not sure redefining top is the worst of them. If I am backing onto a
standards-compliant server, and trying to put the worst of the
non-standard behaviour in Samba4, then I think I can create an ms_top
auxiliary class for the attributes I can't map/invent etc.

Downhill is things like redefining 'person' without 'sn'...

> Andrew, I certainly don't envy you the job ahead of you.
> Eventually, when you finish your work, you'll have another server that
> is just as broken and non-compliant as Microsoft's.

That's the aim ;-)

That's particularly the aim for the internal Samba4 server. I'm hoping
that with the proxy mode, we might eventually have both worlds:
compliant (directly) and non-compliant (via Samba).

> I don't see you
> having a lot of choice in the matter, you just have to do what you have
> to do. The MS schema just doesn't coexist with real LDAP...

Indeed. The real measure of how successful I am is how maintainable the
mapping layer is, and how bad the server-side hacks are.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
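The "if I replace this, bad things happen" list the thread asks for can be built mechanically by diffing objectClass descriptions. The following is an added example, not code from the thread, Samba or Fedora DS: it parses two RFC 4512-style objectClass descriptions and flags the kinds of change discussed above (sn dropped from MUST, cn made single-valued). The AD-style definition and the single-valued flags are constructed sample input modelled on the thread's description, not copied from Microsoft's schema.

```python
import re

# Constructed sample objectClass descriptions (RFC 4512 syntax). STANDARD_PERSON
# follows RFC 4519's 'person'; AD_STYLE_PERSON is a constructed approximation of
# the variant the thread describes (sn no longer mandatory), not Microsoft's text.
STANDARD_PERSON = ("( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
                   "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )")
AD_STYLE_PERSON = ("( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( cn ) "
                   "MAY ( sn $ userPassword $ telephoneNumber $ seeAlso $ description ) )")
# Constructed per-schema sets of attribute types flagged SINGLE-VALUE.
STANDARD_SINGLE_VALUED = set()
AD_STYLE_SINGLE_VALUED = {"cn"}


def parse_objectclass(desc):
    """Pull NAME, MUST and MAY out of an objectClass description string."""
    name = re.search(r"NAME\s+'([^']+)'", desc).group(1)

    def attr_set(keyword):
        # Accept both "MUST ( a $ b )" and the single-attribute form "MUST a".
        m = re.search(keyword + r"\s+(?:\(\s*([^)]*)\)|([\w-]+))", desc)
        if not m:
            return set()
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip() for a in body.split("$") if a.strip()}

    return {"name": name, "must": attr_set("MUST"), "may": attr_set("MAY")}


def schema_breakage(std_desc, alt_desc, std_single, alt_single):
    """List changes that make entries valid under one schema invalid under the other."""
    std, alt = parse_objectclass(std_desc), parse_objectclass(alt_desc)
    issues = []
    for a in sorted(std["must"] - alt["must"]):
        issues.append(f"{std['name']}: '{a}' demoted from MUST (entries written under "
                      f"the replacement may lack it and fail on a compliant server)")
    for a in sorted(alt["must"] - std["must"] - std["may"]):
        issues.append(f"{std['name']}: '{a}' newly required (existing entries lack it)")
    for a in sorted((std["must"] | std["may"]) - alt["must"] - alt["may"]):
        issues.append(f"{std['name']}: '{a}' no longer permitted (entries carrying it fail)")
    for a in sorted((std["must"] | std["may"]) & (alt_single - std_single)):
        issues.append(f"'{a}' made SINGLE-VALUE (existing multi-valued entries fail)")
    return issues


if __name__ == "__main__":
    for line in schema_breakage(STANDARD_PERSON, AD_STYLE_PERSON,
                                STANDARD_SINGLE_VALUED, AD_STYLE_SINGLE_VALUED):
        print(line)
```

Run against a real pair of schema files, the output is the per-class list of replacements that will reject existing entries on one side or the other.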