HolyTaint
2022-Mar-17 22:09 UTC
[Samba] Protocol differences between RFC and Active Directory?
On Fri, 18 Mar 2022 10:26:36 +1300 Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Thu, 2022-03-17 at 21:54 +0100, HolyTaint via samba wrote:
> > What are the protocol differences between RFC LDAP and Active
> > Directory LDAP implementation that make hard if not impossible having
> > OpenLDAP taking samba role as AD LDAP interface?
> > Ex, single common name, then?
>
> There are a lot. The thing that trips up most is authenticated by
> default, but the schema is just different, the typical layouts are
> different.
>
> If there are particular niggles that really annoy, we could take
> patches provided they don't break AD behaviour, eg accepting the
> OpenLDAP password change control.
>
> Andrew Bartlett

I'm interested especially about those explicitly violating the standard, and I'd be more than happy about references and documentation on this stuff. Sadly I didn't find any & in my personal experience samba wiki is a mess to search in.
Andrew Bartlett
2022-Mar-17 22:19 UTC
[Samba] Protocol differences between RFC and Active Directory?
On Thu, 2022-03-17 at 23:09 +0100, HolyTaint via samba wrote:
> On Fri, 18 Mar 2022 10:26:36 +1300 Andrew Bartlett via samba <
> samba at lists.samba.org> wrote:
> > On Thu, 2022-03-17 at 21:54 +0100, HolyTaint via samba wrote:
> > > What are the protocol differences between RFC LDAP and Active
> > > Directory LDAP implementation that make hard if not impossible
> > > having
> > > OpenLDAP taking samba role as AD LDAP interface?
> > > Ex, single common name, then?
> >
> > There are a lot. The thing that trips up most is authenticated by
> > default, but the schema is just different, the typical layouts are
> > different.
> >
> > If there are particular niggles that really annoy, we could take
> > patches provided they don't break AD behaviour, eg accepting the
> > OpenLDAP password change control.
> >
> > Andrew Bartlett
>
> I'm interested especially about those explicitly violating the
> standard, and I'd be more than happy about references and
> documentation on this stuff. Sadly I didn't find any & in my personal
> experience samba wiki is a mess to search in

I don't know of a central reference, we just match AD as closely as we can and don't routinely compare with any particular RFC or what folks think is RFC behaviour (eg typical OpenLDAP behaviour).

Andrew,

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Rowland Penny
2022-Mar-17 22:21 UTC
[Samba] Protocol differences between RFC and Active Directory?
On Thu, 2022-03-17 at 23:09 +0100, HolyTaint via samba wrote:
> On Fri, 18 Mar 2022 10:26:36 +1300 Andrew Bartlett via samba <
> samba at lists.samba.org> wrote:
> > On Thu, 2022-03-17 at 21:54 +0100, HolyTaint via samba wrote:
> > > What are the protocol differences between RFC LDAP and Active
> > > Directory LDAP implementation that make hard if not impossible
> > > having
> > > OpenLDAP taking samba role as AD LDAP interface?
> > > Ex, single common name, then?
> >
> > There are a lot. The thing that trips up most is authenticated by
> > default, but the schema is just different, the typical layouts are
> > different.
> >
> > If there are particular niggles that really annoy, we could take
> > patches provided they don't break AD behaviour, eg accepting the
> > OpenLDAP password change control.
> >
> > Andrew Bartlett
>
> I'm interested especially about those explicitly violating the
> standard, and I'd be more than happy about references and
> documentation on this stuff. Sadly I didn't find any & in my personal
> experience samba wiki is a mess to search in

It all depends on what standards you mean, Samba when running as a DC tries to comply with Microsoft ldap standards, for obvious reasons. Much work has been attempted to use openldap with Samba AD and it never came to fruition, the differences appear to be too great. If anyone can get Samba AD to work with openldap, then I am sure that patches would be very welcome, but I will not hold my breath waiting.

Having said all that, you can use the ldap built into Samba AD with other programs, possibly by extending the schema.

Rowland