LDAP schema
Matt Chapman
m.chapman at student.unsw.edu.au
Fri Nov 27 09:59:37 GMT 1998
Jean Francois Micouleau wrote:
> On Fri, 27 Nov 1998, Matt Chapman wrote:
>
> > A number of those attributes aren't of very much use to us though; they
> > only surface at certain info levels which it would be absurd to add
> > passdb routines for, or provide functionality which won't be in Samba
> > while we are still tied to the existing databases. And in a few years
> > time who knows what we'll need...
>
> Check again, most of them are in the user_info_21 struct.
OK, at a glance at least the following aren't (but I'm not trying to be
provocative here).
objectSid
adminCount
badPasswordTime
badPwdCount
codePage
controlAccessRights
countryCode
groupMembershipSAM
lmPwdHistory
localeID
loginCount
logonWorkstation
maxStorage
ntPwdHistory
operatorCount
otherLoginWorkstations
policyName
policyOptions
preferredOU
securityDescriptor
revision
> > Maybe we need a whole new strategy for obtaining user & group
> > information... perhaps something along the lines of open_user,
> > get_user_attribute (so that an extensible set of attributes could be
> > queried), close_user... Well, it would certainly make the LDAP
> > implementation easier :-)
>
> Why do you think the passdb.c API is for ? That's exactly what we done
> Luke and I in April/May ! It was all abstracted in an API exacly because I
> wanted to store more attributes in the LDAP database than what was
> available in the smbpasswd file.
The passdb.c API manipulates smb_passwd, sam_passwd, and sam_disp_info
structures. There may be other pieces of information that we may in the future
want to store about users, for instance the list above (badPwdCount et al
especially).
Are we going to add new functions to each password database for every new
USER_INFO_xx that has some new piece of information that we can't get from
existing data? Do we need to retrieve a whole sam_passwd struct when all we want
is one attribute?
Anyway the passdb.c API is definitely a good thing and will serve our current
needs. I was just daydreaming, don't take any notice :-)
> > I would like to see what Luke has to say on the issue of storing RIDs, SIDs,
> > etc. as opposed to generating them..., but certainly in the schema I'll be
> > adding a few more attributes to those in that example.
>
> We debated this already with Luke and Jeremy some months ago.
> The standard case is where the users don't have any RID, you generate them
> based on the UID, using Jeremy's mapping.
>
> The second case, is when you're migrating from an NT-Domain to a
> Samba-Domain, and you want to keep the RID
OK. Will store RIDs and use them if they are available.
> > I did have a look at Microsoft's AD docs before and they seem to go into their
> > new NT5 groups schema in great detail but not say very much about individual
> > user information... was I looking in the wrong place?
>
> Last time I checked the AD schema on MS web server was outdated. You have
> to find an NT5 beta 2 CD to have the latest version.
If I see one floating about I will have a look. In the meantime, I will stick by
Luke's comment - "unix is more important" :-)
Matt
--
Matt Chapman
E-mail: mattyc at cyberdude.com
More information about the samba-technical
mailing list