From Free IPA

SCOPE: PAGE IS OBSOLETE.

Contents 1 Overview 2 Attribute Linking 3 Current Code 3.1 OpenLDAP Configuration 3.2 Provisioning Tool 4 Proposed Changes 4.1 DS Configuration 4.2 Provisioning Tool 5 Issues 6 Samba Patches 7 References

Overview

Samba currently uses several methods to maintain links between objects in the directory:

• linked_attributes LDB module for TDB and DS backend
• memberof and refint overlay for OpenLDAP backend

DS provides Linked Attributes and Referential Integrity plugins which can be used to achieve the same goal. Samba provisioning tool should be modified to utilize these plugins.

Attribute Linking

Attribute linking is defined using the linkID attribute in Active Directory schema. An attribute with linkID n is linked to another attribute with linkID n+1. See the following example:

cn: Member
ldapDisplayName: member
linkID: 2

cn: Is-Member-Of-DL
ldapDisplayName: memberOf
linkID: 3

In this example the member attribute is linked to the memberOf attribute.

Suppose in the DIT there's already an entry as follows:

dn: CN=Administrator,CN=Users,DC=example,DC=com

Suppose a new entry is added with a link pointing to the above entry:

dn: CN=Enterprise Admins,CN=Users,DC=example,DC=com
member: CN=Administrator,CN=Users,DC=example,DC=com

A new attribute will be added to the target entry pointing back to the new entry:

dn: CN=Administrator,CN=Users,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com

Current Code

OpenLDAP Configuration

The template for the memberof overlay configuration is stored in source4/setup/memberof.conf:

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad ${MEMBER_ATTR}
memberof-memberof-ad ${MEMBEROF_ATTR}
memberof-dangling-error 32

The template for the refint overlay configuration is stored in source4/setup/refint.conf:

overlay refint
refint_modifiersName cn=samba-admin,cn=samba
refint_attributes ${LINK_ATTRS}

Provisioning Tool

The provision_openldap_backend() uses the following code to configure attribute linking in OpenLDAP:

lnkattr = get_linked_attributes(names.schemadn,schema.ldb)

refint_attributes = ""
memberof_config = ""

for att in  lnkattr.keys():

    refint_attributes = refint_attributes + " " + att 

    memberof_config += read_and_sub_file(setup_path("memberof.conf"),
        { "MEMBER_ATTR" : att ,
          "MEMBEROF_ATTR" : lnkattr[att] })

Proposed Changes

DS Configuration

The Linked Attributes Plugin should be configured as follows:

dn: cn=${MEMBER_ATTR} to ${MEMBEROF_ATTR},cn=Linked Attributes,cn=plugins,cn=config
objectclass: extensibleObject
cn: ${MEMBER_ATTR} to ${MEMBEROF_ATTR}
linkType: ${MEMBER_ATTR}
managedType: ${MEMBEROF_ATTR}

The Referential Integrity Plugin should be configured as follows:

dn: cn=referential integrity postoperation,cn=plugins,cn=config
nsslapd-pluginArg0: 0
nsslapd-pluginArg1: %log_dir%/referint
nsslapd-pluginArg2: 0
nsslapd-pluginArg3: ${ATTR1}
nsslapd-pluginArg4: ${ATTR2}
nsslapd-pluginArg5: ${ATTR3}
...

The attributes must have an equality index. See also this page.

Provisioning Tool

The provision_fds_backend() should uses a similar code to configure attribute linking in DS.

Issues

There is a minor issue in DS:

• Use proper attribute names for plugin parameters

Samba Patches

• s4:provision - replaced linked_attributes with FDS plugins

References

• Linked Attributes Design
• MemberOf Plugin
• Reverse Group Membership Maintenance
• slapo-memberof(5)
• Maintaining Referential Integrity
• The MemberOf Plug-in Syntax
• Managing Indexes
• Creating Standard Indexes