LDAP schema
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Sun Nov 29 18:33:57 GMT 1998
On Fri, 27 Nov 1998, Matt Chapman wrote:
> LDAP support is coming along well, and I would like some comments as to the
> schema.
>
> In particular I need Luke's input as to storing uids/gids vs storing RIDs vs
> both.
OK.
You need _one_ field that is common between the Unix database and the LDAP
one; I recommend the Unix uid field. That means that the username _could_
be different (an NT username).
Or you could put both names in: unixusername and ntusername. If you
don't, then we'll have to go via a text file
/usr/local/samba/lib/domainusername.map to resolve between NT usernames and
Unix names.
This could be a bit of a pain if someone wants to suck a SAM database out
of an NT server and create an LDAP one.
I also recommend that you add a User RID and a Primary Group RID field, to
make life easier for SAM suckers.
> Also how does one add users to groups and aliases (in terms of the api)?
> Have I misunderstood something here?
For now, don't worry about the group issues. Let's stick with the
UNIX-lookup code, which seems to do a good job. Unless you _want_ to do
it, that is :-)
> In any case here are some examples of the current schema.
>
> ---------------------------------------------------
> sambaAccount (compatible with RFC2307 posixAccount)
> ---------------------------------------------------
>
> dn: uid=matty, dc=mycorp, dc=com
> objectClass: posixAccount
> objectClass: sambaAccount
> uid: matty
> cn: Matthew Chapman
> description: Just another account
> uidNumber: 500
> gidNumber: 500
> homeDirectory: /home/matty
>
> // Now the Samba extensions
> lmPassword: 46E389809F8D55BB78A48108148AD508
> ntPassword: 1944CCE1AD6F80D8AEC9FC5BE77696F4
> pwdLastSet: 35C11F1B
> smbHome: \\server\share
> homeDrive: Z
> script: logon.bat
> profile: \\server\profile
> workstations: MYPC
>
> // and smbgrp stuff. currently I put RIDs here like in smbgroupfile.
> group: 2040
> alias: 2120
> alias: 2410
>
>
> -----------------------------------------------
> sambaGroup (compatible with RFC2307 posixGroup)
> -----------------------------------------------
>
> dn: cn=Domain Admins, dc=mycorp, dc=com
> objectClass: posixGroup
> objectClass: sambaGroup
> cn: Domain Admins
> description: Domain administration group
> gidNumber: 510
Need ridNumber in here, too.
> uidMember: matty
> uidMember: testuser
Good. Look at DOMAIN_GRP_MEMBER in smb.h.
>
> ----------
> sambaAlias
> ----------
>
> dn: cn=Administrators, dc=mycorp, dc=com
> objectclass: sambaAlias
> cn: Administrators
> description: Local administrators
> gidNumber: 520
Need ridNumber in here, too.
> member: (MYDOM\Domain Admins, S-1-5-21-2636145155-1092092370-2737775054-200, 5)
> member: (MYDOM\matty, S-1-5-21-2636145155-1092092370-2737775054-7D0, 1)
member: SOMEOTHERDOMAIN\somerandomgrouporuser, S-1-5-some-sid-rids, SID_NAME_XXXX
member: BUILTIN\....
Look at LOCAL_GRP_MEMBER in smb.h. Oh yehhh, it looks like you have: I
checked up the ",5" and it's SID_NAME_WKN_GRP, which "Domain Admins" most
certainly is :-)
We *might* have to have a sambaBUILTIN, too...
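The schema discussed in this thread can be exercised directly against the sample entries Matt posted. The following is an added example written for this page; it is not code from Samba or from either author. It parses the sambaAccount and sambaAlias entries in the shape shown above (tolerating the post's `//` comment lines and the blank line inside the first entry, neither of which is valid LDIF), validates the lmPassword/ntPassword fields and flags the well-known LM and NT hashes of the empty password, decodes pwdLastSet as a hex time_t (the post's value is eight hex digits, the same form as smbpasswd's LCT- field; that reading is an assumption), and splits the `(DOMAIN\name, SID, sid_name_use)` member tuples, mapping the trailing number to Samba's SID_NAME_* names, so the `,5` Luke checked comes out as SID_NAME_WKN_GRP. One caveat the example makes explicit: textual SIDs are decimal, but the post's member lines end in 200 and 7D0, and 7D0 only parses as hex (0x200 is 512, the Domain Admins RID), so the SID parser takes a `hex_rid` switch; whether the intended encoding was hex is an assumption, not something the thread settles.

```python
# Constructed example for this page; not code from Samba or from the post's authors.
import re
from datetime import datetime, timezone

# Two of the post's sample entries, abridged. The '//' comments are not LDIF and a
# blank line sits inside the first entry, so records are split on 'dn:' lines below.
SAMPLE_LDIF = r"""
dn: uid=matty, dc=mycorp, dc=com
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 500

// Now the Samba extensions
lmPassword: 46E389809F8D55BB78A48108148AD508
ntPassword: 1944CCE1AD6F80D8AEC9FC5BE77696F4
pwdLastSet: 35C11F1B

dn: cn=Administrators, dc=mycorp, dc=com
objectclass: sambaAlias
member: (MYDOM\Domain Admins, S-1-5-21-2636145155-1092092370-2737775054-200, 5)
member: (MYDOM\matty, S-1-5-21-2636145155-1092092370-2737775054-7D0, 1)
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per 'dn:' line; attribute names lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip() or line.startswith(("#", "//")):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty password

def check_hashes(entry):
    """lmPassword/ntPassword are password-equivalent for NTLM; return a list of problems."""
    problems = []
    for attr, empty in (("lmpassword", EMPTY_LM), ("ntpassword", EMPTY_NT)):
        values = entry.get(attr, [])
        if len(values) != 1:
            problems.append(f"{attr}: expected one value, got {len(values)}")
        elif not HEX32.match(values[0]):
            problems.append(f"{attr}: not 32 hex digits")
        elif values[0].upper() == empty:
            problems.append(f"{attr}: hash of the empty password")
    return problems

def decode_pwd_last_set(value):
    """The post's pwdLastSet is 8 hex digits: read it as a time_t (assumption, LCT- style)."""
    return datetime.fromtimestamp(int(value, 16), tz=timezone.utc)

SID_NAME_USE = {1: "SID_NAME_USER", 2: "SID_NAME_DOM_GRP", 3: "SID_NAME_DOMAIN", 4: "SID_NAME_ALIAS",
                5: "SID_NAME_WKN_GRP", 6: "SID_NAME_DELETED", 7: "SID_NAME_INVALID", 8: "SID_NAME_UNKNOWN"}
MEMBER_RE = re.compile(r"^\((?P<domain>[^\\]+)\\(?P<name>[^,]+),\s*"
                       r"(?P<sid>S-[0-9A-Fa-f-]+),\s*(?P<use>\d+)\)$")

def parse_sid(sid, hex_rid=False):
    """Split 'S-1-5-21-...-RID' into (revision, authority, [sub-authorities]). Textual SIDs
    are decimal; the post's RIDs 200 and 7D0 only parse as hex (0x200 = 512), hence hex_rid."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in parts[3:-1]] + [int(parts[-1], 16 if hex_rid else 10)]
    return int(parts[1]), int(parts[2]), subs

def parse_member(value):
    """Parse '(DOMAIN\\name, SID, sid_name_use)'; the number maps to smb.h SID_NAME_* names."""
    m = MEMBER_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable member: {value!r}")
    return {"domain": m["domain"], "name": m["name"], "sid": m["sid"],
            "use_name": SID_NAME_USE.get(int(m["use"]), "?")}

def summarize(text=SAMPLE_LDIF):
    """One summary dict per entry: alias members, hash problems, last password set."""
    out = []
    for e in parse_ldif(text):
        s = {"dn": e["dn"][0], "members": [parse_member(v) for v in e.get("member", [])]}
        if "ntpassword" in e or "lmpassword" in e:          # a sambaAccount
            s["hash_problems"] = check_hashes(e)
            s["pwd_last_set"] = [decode_pwd_last_set(v).isoformat() for v in e.get("pwdlastset", [])]
        out.append(s)
    return out
```

Running `summarize()` on the embedded sample reports no hash problems for matty, a pwdLastSet of 1998-07-31T01:34:19 UTC, and two alias members typed SID_NAME_WKN_GRP and SID_NAME_USER. Two practitioner notes the thread does not cover: because lmPassword and ntPassword are password-equivalent (anyone who can read them can authenticate as the user over NTLM), the LDAP ACL on a sambaAccount must restrict those attributes to the Samba service identity, which is a different bar from the world-readable posixAccount attributes RFC 2307 assumes; and the RFC 2307 posixGroup membership attribute is memberUid, whereas the posted sambaGroup example uses uidMember.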