[Samba] core & cosine schema items in Samba AD DC user object?

Rowland Penny rpenny at samba.org
Tue Mar 26 14:49:02 UTC 2024


On Tue, 26 Mar 2024 14:50:41 +0100
Franta Hanzlík <franta at hanzlici.cz> wrote:

> On Tue, 26 Mar 2024 08:01:27 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > On Tue, 26 Mar 2024 02:57:51 +0100
> > Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> > 
> > > Please, is it possible (perhaps with some Samba schema
> > > extension?) to have items such as 'c' (countryName), 'l'
> > > (localityName), 'co' (friendlyCountryName),
> > > 'street' (streetAddress), 'displayName' etc. in the description
> > > of the USER object?
> > 
> > It is very possible, because they are standard components of the AD
> > schema:
> > 
> > dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: c
> > 
> > dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: l
> > 
> > dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: co
> > 
> > dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: street
> > 
> > dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: displayName
> 
> Yeah, it is super!
> My mistake was that before I was only looking in the
> /etc/openldap/schema/samba.schema file, where these attributes are
> not present. But now I can see them in the
> /usr/share/samba/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf
> file (which is perhaps what Samba uses as its schema).
> 
> > > 
> > > And then how to manage them? The "samba-tool user add" doesn't
> > > seem to have a corresponding switch...  
> > 
> > That would be up to you writing your own script to add them, unless
> > you would care to update samba-tool to do this ;-)
> 
> Maybe these attributes can be supplemented with some Windows tool
> (RSAT/ADUC); I haven't tried it yet.
> 
> What I just tried: adding these attributes to AD with ldbmodify and a
> pre-prepared LDIF file (as:
> 
> dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
> changetype: modify
> add: l
> l: Plzeň
> 
> ) - and it works well, thus the problem is solved.
> 
> And another finding - adding a non-existent attribute such as
> Locality-Name (
> 
> dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
> changetype: modify
> add: Locality-Name
> Locality-Name: Plzeň
> 
> to the schema (I mistakenly thought that e.g. the 'l' attribute is an 
> external/LDAP alias for the internal "Locality-Name" attribute used 
> by Samba) will not fail, and the USER object will have both "l" and 
> "Locality-Name" attributes. Is it ok that I can add any nonsense 
> (attribute not in schema) to the object?


I do not think you are quite understanding this.

The 'DN' CN=Locality-Name,CN=Schema,CN=Configuration,DC=X is what it
is called in the AD schema.

The actual attribute that you use is the 'lDAPDisplayName', in this
case 'l'.

So you would use an ldif like this:

dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
changetype: modify
add: l
l: Plzeň

Rowland
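
Added example (not from the thread and not Samba's own code): a small
Python script that builds the 'changetype: modify' LDIF discussed above
for the address attributes, writing any non-ASCII value such as 'Plzeň'
in the 'attr:: base64' form that RFC 2849 requires, and refusing an
attribute name that is not a known lDAPDisplayName, so the
'Locality-Name' slip from the thread is caught before it is written to
the user object. The allow-list, the sample values and the function
names are assumptions made for this example.

```python
import base64

# Allow-list of lDAPDisplayName values (the names quoted from the AD schema in
# this thread). This is an assumption for the example; a real script would
# pull the list from CN=Schema,CN=Configuration with ldbsearch instead.
KNOWN_ATTRIBUTES = {"c", "l", "co", "street", "displayName"}


def needs_base64(value: str) -> bool:
    """RFC 2849: a value that is not a SAFE-STRING must be written as 'attr:: b64'.
    That covers a leading space/':'/'<', a trailing space, NUL/CR/LF and any
    non-ASCII character such as the last letter of 'Plzeň'."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\0\r\n" for ch in value)


def ldif_attr_line(attr: str, value: str) -> str:
    """One 'attr: value' (or 'attr:: base64') LDIF line."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def build_modify_ldif(dn: str, attributes: dict) -> str:
    """Build a 'changetype: modify' record that adds each attribute/value pair.

    Attribute names are checked against KNOWN_ATTRIBUTES first, so a schema CN
    such as 'Locality-Name' used by mistake instead of its lDAPDisplayName 'l'
    is rejected here rather than silently stored on the user object."""
    unknown = sorted(set(attributes) - KNOWN_ATTRIBUTES)
    if unknown:
        raise ValueError(f"not a known lDAPDisplayName: {unknown}")
    lines = [ldif_attr_line("dn", dn), "changetype: modify"]
    for attr, value in attributes.items():
        lines.append(f"add: {attr}")
        lines.append(ldif_attr_line(attr, value))
        lines.append("-")  # RFC 2849: each mod-spec ends with a '-' line
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the user DN from the thread plus a few address values.
    print(build_modify_ldif(
        "CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz",
        {"c": "CZ", "l": "Plzeň", "co": "Czechia", "street": "Example 1"},
    ), end="")
```

Save the printed record to a file and pass it to ldbmodify exactly as
Franta did; the DN line comes out as 'dn:: ...' because it also contains
non-ASCII characters, which is valid LDIF and avoids depending on the
tool tolerating raw UTF-8.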
