From Free IPA
SCOPE: PAGE IS OBSOLETE.
Overview
Some of the attribute types and object classes in the Active Directory schema are incompatible with the standard LDAP schema. When Samba runs against DS on its own, only the core standard LDAP schema is loaded, so there is no issue. When Samba is integrated with IPA this becomes a problem, because IPA uses the full standard LDAP schema, which conflicts with parts of the AD schema.
This problem can be solved by renaming the conflicting AD schema elements. Samba already has a mechanism to translate object classes and attribute types; it needs to be expanded to cover all of the conflicting schema.
For example, the standard person object class requires both cn and sn, whereas the AD person object class requires only cn. With this solution the AD person class is renamed to samba4Person when it is stored in DS.
For the other AD attribute types and object classes whose definitions are identical to, or compatible with, the standard LDAP schema, Samba should simply use the standard LDAP schema.
Schema Mapping
DS Schema
The following AD attributes are compatible with the DS schema.
| AD Attribute | DS Attribute |
|---|---|
| name | name |
| objectClasses | objectClasses |
| createTimeStamp | createTimeStamp |
| attributeTypes | attributeTypes |
| objectClass | objectClass |
| userPassword | userPassword |
| seeAlso | seeAlso |
| modifyTimeStamp | modifyTimeStamp |
| distinguishedName | distinguishedName |
| description | description |
| cn | cn |
| dITContentRules | dITContentRules |
| top | top |
| homePostalAddress | homePostalAddress |
| info | info |
| displayName | displayName |
| employeeName | employeeName |
| employeeType | employeeType |
| personalTitle | personalTitle |
| co | co |
| unixHomeDirectory | homeDirectory |
| userSMIMECertificate | userSMIMECertificate |
Samba 3 Schema
The following AD attributes are compatible with the Samba 3 schema.
| AD Attribute | Samba 3 Attribute |
|---|---|
| pwdLastSet | sambaPwdLastSet |
| lastLogon | sambaLogonTime |
| lastLogoff | sambaLogoffTime |
| badPwdCount | sambaBadPasswordCount |
| logonHours | sambaLogonHours |
| homeDrive | sambaHomeDrive |
| scriptPath | sambaLogonScript |
| profilePath | sambaProfilePath |
| userWorkstations | sambaUserWorkstations |
| homeDirectory | sambaHomePath |
| groupType | sambaGroupType |
| nextRid | sambaNextRid |
| privilegeDisplayName | sambaPrivName |
Conflicting Attribute Types
The following AD attributes are incompatible with DS attributes (in each case the AD OID is already used by an unrelated DS attribute). The solution is to rename the attribute and/or change its OID.
| AD Attribute | DS Attribute | Solution |
|---|---|---|
| fRSDirectoryFilter (OID 1.2.840.113556.1.4.484) | calOtherCAPURIs (60rfc2739.ldif, OID 1.2.840.113556.1.4.484) | fRSDirectoryFilter (OID fRSDirectoryFilter-oid) |
| fRSFileFilter (OID 1.2.840.113556.1.4.483) | calOtherFBURLs (60rfc2739.ldif, OID 1.2.840.113556.1.4.483) | fRSFileFilter (OID fRSFileFilter-oid) |
| fRSUpdateTimeout (OID 1.2.840.113556.1.4.485) | calOtherCalAdrURIs (60rfc2739.ldif, OID 1.2.840.113556.1.4.485) | fRSUpdateTimeout (OID fRSUpdateTimeout-oid) |
| thumbnailLogo (OID 2.16.840.1.113730.3.1.36) | nsLicensedFor (02common.ldif, OID 2.16.840.1.113730.3.1.36) | thumbnailLogo (OID thumbnailLogo-oid) |
| thumbnailPhoto (OID 2.16.840.1.113730.3.1.35) | changeLog (02common.ldif, OID 2.16.840.1.113730.3.1.35) | thumbnailPhoto (OID thumbnailPhoto-oid) |
| schemaUpdate (OID 1.2.840.113556.1.4.481) | calCalAdrURI (60rfc2739.ldif, OID 1.2.840.113556.1.4.481) | schemaUpdate (OID schemaUpdate-oid) |
Conflicting Object Classes
The following AD object classes are incompatible with DS object classes (same name, and in several cases the same OID, but a different definition). The solution is to rename the object class and/or change its OID.
| AD Object Class | DS Object Class | Solution |
|---|---|---|
| domain | domain (05rfc4524.ldif) | samba4Domain |
| rFC822LocalPart (OID 0.9.2342.19200300.100.4.14) | rFC822localPart (05rfc4524.ldif, OID 0.9.2342.19200300.100.4.14) | samba4RFC822LocalPart (OID samba4RFC822LocalPart-oid) |
| mailRecipient | mailRecipient (50ns-mail.ldif) | samba4MailRecipient |
| nisMap | nisMap (10rfc2307.ldif) | samba4NisMap |
| person (OID 2.5.6.6) | person (00core.ldif, OID 2.5.6.6) | samba4Person (OID samba4Person-oid) |
| residentialPerson (OID 2.5.6.10) | residentialPerson (00core.ldif, OID 2.5.6.10) | samba4ResidentialPerson (OID samba4ResidentialPerson-oid) |
| organizationalPerson (OID 2.5.6.7) | organizationalPerson (00core.ldif, OID 2.5.6.7) | samba4OrganizationalPerson (OID samba4OrganizationalPerson-oid) |
| inetOrgPerson (OID 2.16.840.1.113730.3.2.2) | inetOrgPerson (06inetorgperson.ldif, OID 2.16.840.1.113730.3.2.2) | samba4InetOrgPerson (OID samba4InetOrgPerson-oid) |
Current Code
Schema Conversion
Some of the schema conversions are already configured in source4/setup/schema-map-fedora-ds-1.0. The file uses the following format (one entry per line; a bare name skips that attribute or object class, and an old:new pair renames an OID, attribute or object class):
```
# Skip attribute/object class
<attribute/object class>
...
# Rename OID/attribute/object class
<old OID/attribute/object class>:<new OID/attribute/object class>
...
```
The conversion code is located in source4/dsdb/schema/schema_convert_to_ol.c:
```c
char *dsdb_convert_schema_to_openldap(struct ldb_context *ldb,
                                      char *target_str, const char *mappings)
{
        /* ... */
}
```
Currently the code does not map the object class parent (subClassOf).
Mapping Module
The mapping module is located at source4/dsdb/samdb/ldb_modules/simple_ldap_map.c. It maintains a separate mapping configuration:
| Local Name | Remote Name | Convert Local | Convert Remote |
|---|---|---|---|
| objectGUID | nsuniqueid | guid_ns_string | encode_ns_guid |
| objectSid | objectSid | sid_always_binary | val_copy |
| whenCreated | createTimestamp | | |
| whenChanged | modifyTimestamp | | |
| objectCategory | objectCategory | objectCategory_always_dn | val_copy |
| distinguishedName | entryDN | | |
| primaryGroupID | primaryGroupID | normalise_to_signed32 | val_copy |
| groupType | groupType | normalise_to_signed32 | val_copy |
| userAccountControl | userAccountControl | normalise_to_signed32 | val_copy |
| sAMAccountType | sAMAccountType | normalise_to_signed32 | val_copy |
| systemFlags | systemFlags | normalise_to_signed32 | val_copy |
| usnChanged | modifyTimestamp | usn_to_timestamp | timestamp_to_usn |
| usnCreated | createTimestamp | usn_to_timestamp | timestamp_to_usn |
The attribute mapping is stored in the following structure:
```c
static const struct ldb_map_attribute nsuniqueid_attributes[] =
{
        {
                .local_name = "...",
                /* one of MAP_CONVERT, MAP_RENAME or MAP_KEEP */
                .type = MAP_CONVERT | MAP_RENAME | MAP_KEEP,
                .u = {
                        .convert = {
                                .remote_name = "...",
                                .convert_local = ...,
                                .convert_remote = ...,
                        }
                }
        },
        {
                .local_name = NULL   /* terminator */
        }
};
```
Currently there is no object class mapping for DS.
The module is initialized in the following function:
```c
static int nsuniqueid_init(struct ldb_module *module)
{
        ldb_map_init(module, nsuniqueid_attributes, NULL,
                     nsuniqueid_wildcard_attributes, "extensibleObject", NULL);
        return ldb_next_init(module);
}
```
Proposed Changes
Adding Samba 3 Schema
The Samba 3 schema and its dependencies have to be included when the DS instance is created. The following lines should be added to source4/setup/fedorads.inf:
```
SchemaFile=/etc/dirsrv/schema/10rfc2307.ldif
SchemaFile=/etc/dirsrv/schema/05rfc4523.ldif
SchemaFile=/etc/dirsrv/schema/05rfc4524.ldif
SchemaFile=/etc/dirsrv/schema/06inetorgperson.ldif
SchemaFile=/usr/share/dirsrv/data/60samba3.ldif
```
Schema Conversion
The following schema conversion should be added to source4/setup/schema-map-fedora-ds-1.0:
```
#Standard FDS attributes
homePostalAddress
info
displayName
employeeNumber
employeeType
personalTitle
co
userSMIMECertificate
#Remap into existing schema
unixHomeDirectory
unixHomeDirectory:homeDirectory
pwdLastSet
pwdLastSet:sambaPwdLastSet
lastLogon
lastLogon:sambaLogonTime
lastLogoff
lastLogoff:sambaLogoffTime
badPwdCount
badPwdCount:sambaBadPasswordCount
logonHours
logonHours:sambaLogonHours
homeDrive
homeDrive:sambaHomeDrive
scriptPath
scriptPath:sambaLogonScript
profilePath
profilePath:sambaProfilePath
userWorkstations
userWorkstations:sambaUserWorkstations
homeDirectory
homeDirectory:sambaHomePath
groupType
groupType:sambaGroupType
nextRid
nextRid:sambaNextRid
privilegeDisplayName
privilegeDisplayName:sambaPrivName
#Resolve conflicting attributes
1.2.840.113556.1.4.484:fRSDirectoryFilter-oid
1.2.840.113556.1.4.483:fRSFileFilter-oid
1.2.840.113556.1.4.485:fRSUpdateTimeout-oid
2.16.840.1.113730.3.1.36:thumbnailLogo-oid
2.16.840.1.113730.3.1.35:thumbnailPhoto-oid
1.2.840.113556.1.4.481:schemaUpdate-oid
#Resolve conflicting object classes
domain:samba4Domain
rFC822LocalPart:samba4RFC822LocalPart
mailRecipient:samba4MailRecipient
nisMap:samba4NisMap
0.9.2342.19200300.100.4.14:samba4RFC822LocalPart-oid
person:samba4Person
2.5.6.6:samba4Person-oid
organizationalPerson:samba4OrganizationalPerson
2.5.6.7:samba4OrganizationalPerson-oid
residentialPerson:samba4ResidentialPerson
2.5.6.10:samba4ResidentialPerson-oid
inetOrgPerson:samba4InetOrgPerson
2.16.840.1.113730.3.2.2:samba4InetOrgPerson-oid
```
The conversion code should be modified to map the object class parent as well, by passing the subClassOf value through the same attribute map that is applied to names:
```c
static char *print_schema_recursive(
        char *append_to_string, struct dsdb_schema *schema, const char *print_class,
        enum dsdb_schema_convert_target target,
        const char **attrs_skip, const struct attr_map *attr_map, const struct oid_map *oid_map)
{
        /* ... (subClassOf holds the parent of the class being printed) */

        /* Rename the parent class, e.g. person -> samba4Person, so the
         * converted class does not inherit from the standard DS class. */
        for (j = 0; subClassOf && attr_map && attr_map[j].old_attr; j++) {
                if (strcasecmp(subClassOf, attr_map[j].old_attr) == 0) {
                        subClassOf = attr_map[j].new_attr;
                        break;
                }
        }

        /* ... */
}
```
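As an added example (not code from this page or from Samba), the following Python reads a map in the schema-map-fedora-ds-1.0 format described under Schema Conversion, applies it to a constructed slice of the AD schema, and includes the subClassOf mapping proposed above so the difference from the current behaviour can be seen. SchemaEntry, parse_schema_map and convert_schema are names invented for this example, and the attribute OID is a placeholder.

```python
from dataclasses import dataclass, replace
# Constructed excerpt of the proposed schema-map file, in the format shown above.
SCHEMA_MAP = """\
#Remap into existing schema
unixHomeDirectory
unixHomeDirectory:homeDirectory
person:samba4Person
2.5.6.6:samba4Person-oid
organizationalPerson:samba4OrganizationalPerson
"""
@dataclass(frozen=True)
class SchemaEntry:  # one AD attributeType or objectClass, reduced to what the map touches
    name: str
    oid: str
    sub_class_of: str = ""  # parent objectClass; empty for attribute types
    may: tuple = ()         # attribute names an object class references

def parse_schema_map(text):
    """A bare token skips that definition; old:new renames a name or an OID."""
    skip, rename = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line:
            old, new = line.split(":", 1)
            rename[old.strip()] = new.strip()
        else:
            skip.add(line)
    return skip, rename

def convert_schema(entries, skip, rename, map_parent=True):
    """Drop skipped definitions, then rewrite names, OIDs and references.
    map_parent=False mimics the current code, which leaves subClassOf alone."""
    out = []
    for e in entries:
        if e.name in skip:  # DS already ships the attribute this one maps onto
            continue
        parent = rename.get(e.sub_class_of, e.sub_class_of) if map_parent else e.sub_class_of
        out.append(replace(e, name=rename.get(e.name, e.name), oid=rename.get(e.oid, e.oid),
                           sub_class_of=parent, may=tuple(rename.get(a, a) for a in e.may)))
    return out
# Constructed AD definitions: names and class OIDs from this page, attribute OID a placeholder.
AD_SCHEMA = [
    SchemaEntry("unixHomeDirectory", "PLACEHOLDER-OID"),
    SchemaEntry("person", "2.5.6.6", "top"),
    SchemaEntry("organizationalPerson", "2.5.6.7", "person", ("unixHomeDirectory",)),
]
CONVERTED = convert_schema(AD_SCHEMA, *parse_schema_map(SCHEMA_MAP))
```

With map_parent left at its default, organizationalPerson ends up as samba4OrganizationalPerson inheriting from samba4Person; with map_parent=False it still inherits from the DS person class, which is the sn requirement the renaming was meant to avoid.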
Mapping Module
The following attribute mapping should be modified:
| Local Name | Remote Name | Convert Local | Convert Remote |
|---|---|---|---|
| groupType | sambaGroupType | normalise_to_signed32 | val_copy |
The following attribute mapping should be added:
| Local Name | Remote Name | Convert Local | Convert Remote |
|---|---|---|---|
| unixHomeDirectory | homeDirectory | | |
| pwdLastSet | sambaPwdLastSet | | |
| lastLogon | sambaLogonTime | | |
| lastLogoff | sambaLogoffTime | | |
| badPwdCount | sambaBadPasswordCount | | |
| logonHours | sambaLogonHours | | |
| homeDrive | sambaHomeDrive | | |
| scriptPath | sambaLogonScript | | |
| profilePath | sambaProfilePath | | |
| userWorkstations | sambaUserWorkstations | | |
| homeDirectory | sambaHomePath | | |
| nextRid | sambaNextRid | | |
| privilegeDisplayName | sambaPrivName | | |
The following object class mapping should be added:
| Local Name | Remote Name |
|---|---|
| domain | samba4Domain |
| rFC822LocalPart | samba4RFC822LocalPart |
| mailRecipient | samba4MailRecipient |
| nisMap | samba4NisMap |
| person | samba4Person |
| organizationalPerson | samba4OrganizationalPerson |
| residentialPerson | samba4ResidentialPerson |
| inetOrgPerson | samba4InetOrgPerson |
The object class mapping should be stored in the following structure:
```c
const struct ldb_map_objectclass nsuniqueid_objectclasses[] =
{
        {
                .local_name = "...",
                .remote_name = "..."
        },
        {
                .local_name = NULL   /* terminator */
        }
};
```
The module initialization should be changed to pass the object class mapping instead of NULL:
```c
static int nsuniqueid_init(struct ldb_module *module)
{
        ldb_map_init(module, nsuniqueid_attributes, nsuniqueid_objectclasses,
                     nsuniqueid_wildcard_attributes, "extensibleObject", NULL);
        return ldb_next_init(module);
}
```
Patches
The following patch has been applied to the source repository: