Yo folks,
Having got some clarification from stepfd, I understand his question better, but this opens room for further discussion and debate about this “LDAP vs. Samba 4” design choice. Most likely these are aspects you already discussed in the past; I didn’t search this forum…
What I told Stephane is that both LDAP and S4-LDAP (if we say that S4-LDAP stands for the "AD-like LDAP" deployed by Samba 4) allow external applications to authenticate using the LDAP protocol, both being LDAP servers. However, obviously, the schema differs and this also impacts the way applications access it.
What makes me react and initiate this answer is the strategy behind use of Samba4:
- There is no debate: not offering Samba4 support would be a wrong idea. All competitors do it already.
- Samba4 means a Windows DC (and AD-like LDAP back-end), which is useful only if your workstations are Windows Pro (to authenticate against a Windows domain) or if you decide to rely on Kerberos clients. Is there any other good reason I don’t perceive here?
- S4-LDAP is, like AD, not flexible. It will support some external applications, but in case you need to customize the schema, then it will not be supported, which strongly limits its scope.
- On the other hand, a standard LDAP server (OpenLDAP) is flexible and permits external applications to rely on it for authentication and more (including Samba…).
Having to decide whether the LDAP server to be deployed in NS is LDAP or S4-LDAP means that all “internal” applications have to maintain 2 different configurations in order to access the LDAP back-end with the right settings. This is painful and doesn’t permit external applications to easily use the NS LDAP server (especially if the deployment includes Samba). That’s the reason why most NS competitors decide to maintain the 2 directories in parallel with a sync process in the middle.
If I understand well, the Samba team plans to evolve their design as they do understand the side effect, but I’m not aware of any plan (I don’t track it closely either).