samba - Mar 2005 - Request to update slapd.conf and OpenLDAP info for Samba-Guide/happy.html

Dear Team,

The OpenLDAP stuff on this page:

http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html

is not the preferred backend, i.e. ldbm, it really, really needs to be bdb.

See:

http://www.openldap.org/faq/index.cgi?_highlightWords=bdb%20ldbm&file=1085

"ldbm uses a neutral storage interface which in principle could wrap dbm,
ndbm, gdbm or sleepycat as underlying storage; however, only Sleepycat is
considered a reliable choice, so bdb offers more interesting features
(ACID). Eventually it will disappear."

And:

http://www.openldap.org/faq/data/cache/756.html

"With back-ldbm, there is no fine-grain database locking. This means write
operations are serialized. And while multiple read operations may be
performed concurrently, they cannot be performed concurrently with any
write operation. Additionally, LDBM databases cannot be accessed by only
one program at a time (generally at the file level). (While one may be
able to bypass the locking mechanism, you will likely corrupt the database
(and/or obtain bogus information).)

With back-bdb, databases are locked on a page level, which means that
multiple threads (and processes) can operate on the databases
concurrently. In OpenLDAP 2.1.4 we lifted the restriction against using
the slap tools while slapd is running on back-bdb. You can perform online
backups using slapcat or BDB's db_dumputility without interrupting your
LDAP service. You still must not use slapadd or slapindex while slapd is
running (due to application-level caching in slapd(8))."


Point to highlight for disaster recovery:

"You can perform online backups using slapcat or BDB's db_dumputility
without interrupting your LDAP service."

Therefore,
can we update it for this and all the configuration that goes with using a
bdb backend?

I feel we are not doing the Samba community justice, if we are telling
them to use lbdm.

Thanks.

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 742001
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Gavin,

The book "Samba-3 by Example" was written at the time Samba-3.0.2 was
just
released. At that time (February 2004) the version of OpenLDAP that were 
shipping on SuSE Linux Enterprise Server and on Red Hat Enterprise Linux used 
ldbm.

I agree entirely that this needs to be updated, in fact, it is necessary also 
to update all references to the smbldap-tools as well as many other subtle 
factors that have changed in Samba between Samba-3.0.2 and 3.0.12 (the soon 
to be released version).

I will update the entire book at the first opportunity I get. If you wish to 
submit patches I would be most appreciative.

Cheers,
John T.

On Wednesday 02 March 2005 03:24, Gavin Henry wrote:
> Dear Team,
>
> The OpenLDAP stuff on this page:
>
> http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html
>
> is not the preferred backend, i.e. ldbm, it really, really needs to be bdb.
>
> See:
>
>
http://www.openldap.org/faq/index.cgi?_highlightWords=bdb%20ldbm&file=1085
>
> "ldbm uses a neutral storage interface which in principle could wrap
dbm,
> ndbm, gdbm or sleepycat as underlying storage; however, only Sleepycat is
> considered a reliable choice, so bdb offers more interesting features
> (ACID). Eventually it will disappear."
>
> And:
>
> http://www.openldap.org/faq/data/cache/756.html
>
> "With back-ldbm, there is no fine-grain database locking. This means
write
> operations are serialized. And while multiple read operations may be
> performed concurrently, they cannot be performed concurrently with any
> write operation. Additionally, LDBM databases cannot be accessed by only
> one program at a time (generally at the file level). (While one may be
> able to bypass the locking mechanism, you will likely corrupt the database
> (and/or obtain bogus information).)
>
> With back-bdb, databases are locked on a page level, which means that
> multiple threads (and processes) can operate on the databases
> concurrently. In OpenLDAP 2.1.4 we lifted the restriction against using
> the slap tools while slapd is running on back-bdb. You can perform online
> backups using slapcat or BDB's db_dumputility without interrupting your
> LDAP service. You still must not use slapadd or slapindex while slapd is
> running (due to application-level caching in slapd(8))."
>
>
> Point to highlight for disaster recovery:
>
> "You can perform online backups using slapcat or BDB's
db_dumputility
> without interrupting your LDAP service."
>
> Therefore,
> can we update it for this and all the configuration that goes with using a
> bdb backend?
>
> I feel we are not doing the Samba community justice, if we are telling
> them to use lbdm.
>
> Thanks.
>
> --
> Kind Regards,
>
> Gavin Henry.
> Managing Director.
>
> T +44 (0) 1224 279484
> M +44 (0) 7930 323266
> F +44 (0) 1224 742001
> E ghenry@suretecsystems.com
>
> Open Source. Open Solutions(tm).
>
> http://www.suretecsystems.com/
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

Gavin Henry:
> The OpenLDAP stuff on this page:
>
>
> http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html
>
>
> is not the preferred backend, i.e. ldbm, it really, really needs to be
> bdb.
>
> See:
>
>
>
http://www.openldap.org/faq/index.cgi?_highlightWords=bdb%20ldbm&file=108
> 5
Pointing LDAP users toward OpenLDAP.org will hopefully get them to see
that not only ldbm as backend is considered obsolete and is deprecated,
but also that OL 2.0 is considered obsolete, 2.1 is obsolescent and
deprecated and the latest stable version is 2.2.23. Which uses Sleepycat
BDB 4.2.52 mandatorily.

[...]
> I feel we are not doing the Samba community justice, if we are telling
> them to use lbdm.
ldbm as backend will ultimately seize up on production rigs, for a number
of reasons. So will BDB 4.1, though for different reasons (I've been
through it all myself). OpenLDAP 2.2.13 and higher with (patched) BDB
4.2.52 will keep on running for months without attention, even after
forced power-downs or -outages, with all of the advantages that you cite.
However, use of BDB 4.2.52 requires specialist configuration (DB_CONFIG)
for it to work at all satisfactorily.

Which brings me back to my own bugbear: Samba 3 people who want to use the
ldapsam DB backend should first and foremost be LDAP specialists, only
subsequently adapt their Samba installation to their already successful
LDAP implementation. I don't see how the Samba people can write all this
up in the standard docs and there is no single HOWTO on the subject.

--Tonni

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl