LDAP schema

Luke Kenneth Casson Leighton lkcl at switchboard.net
Sun Nov 29 18:33:57 GMT 1998

On Fri, 27 Nov 1998, Matt Chapman wrote:

> LDAP support is coming along well, and I would like some comments as to the
> schema.
> In particular I need Luke's input as to storing uids/gids vs storing RIDs vs
> both.


you need _one_ field that is common between the unix database and the ldap
one, i recommend the unix uid field.  that means that the username _could_
be different (an NT username).

or, you could put both names in: unixusername and ntusername.  if you
don't, then we'll have to go via a text file
/usr/local/samba/lib/domainusername.map to resolve between ntusernames and

this could be a bit of a pain if someone wants to suck a SAM database out
of an NT server and create an LDAP one.

i also recommend that you add a User RID and a Primary Group RID field, to
make life easier for SAM suckers.

> Also how does one add users to groups and aliases (in terms of the api)?
> Have I misunderstood something here?

for now, don't worry about the group issues.  let's stick with the
UNIX-lookup code, which seems to do a good job.  unless you _want_ to do
it, that is :-)

> In any case here are some examples of the current schema.
> ---------------------------------------------------
> sambaAccount (compatible with RFC2307 posixAccount)
> ---------------------------------------------------
> dn: uid=matty, dc=mycorp, dc=com
> objectClass: posixAccount
> objectClass: sambaAccount
> uid: matty
> cn: Matthew Chapman
> description: Just another account
> uidNumber: 500
> gidNumber: 500
> homeDirectory: /home/matty
> // Now the Samba extensions
> lmPassword: 46E389809F8D55BB78A48108148AD508
> ntPassword: 1944CCE1AD6F80D8AEC9FC5BE77696F4
> pwdLastSet: 35C11F1B
> smbHome: \\server\share
> homeDrive: Z
> script: logon.bat
> profile: \\server\profile
> workstations: MYPC
> // and smbgrp stuff. currently I put RIDs here like in smbgroupfile.
> group: 2040
> alias: 2120
> alias: 2410
> -----------------------------------------------
> sambaGroup (compatible with RFC2307 posixGroup)
> -----------------------------------------------
> dn: cn=Domain Admins, dc=mycorp, dc=com
> objectClass: posixGroup
> objectClass: sambaGroup
> cn: Domain Admins
> description: Domain administration group
> gidNumber: 510

need ridNumber in here, too.

> uidMember: matty
> uidMember: testuser

good.  look at DOMAIN_GRP_MEMBER in smb.h
> ----------
> sambaAlias
> ----------
> dn: cn=Administrators, dc=mycorp, dc=com
> objectclass: sambaAlias
> cn: Administrators
> description: Local administrators
> gidNumber: 520

need ridNumber in here, too.

> member: (MYDOM\Domain Admins, S-1-5-21-2636145155-1092092370-2737775054-200, 5)
> member: (MYDOM\matty, S-1-5-21-2636145155-1092092370-2737775054-7D0, 1)

member: SOMEOTHERDDOMAIN\somerandomgrouporuser, S-1-5-some-sid-rids,

member: BUILTIN\....

look at LOCAL_GRP_MEMBER in smb.h.  oh yehhh, it looks like you have: i
checked up the ,5 and it's SID_NAME_WKN_GRP, which "Domain Admins" most
certainly is :-)

we *might* have to have a sambaBUILTIN, too...

More information about the samba-technical mailing list