LDAP schema

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Nov 30 14:38:56 GMT 1998


On Mon, 30 Nov 1998, Matt Chapman wrote:

> Luke Kenneth Casson Leighton wrote:
> 
> > or, you could put both names in: unixusername and ntusername.  if you
> > don't, then we'll have to go via a text file
> > /usr/local/samba/lib/domainusername.map to resolve between ntusernames and
> > unixnames.
> 
> ok, but in general we're really going to have to create unix users with the same
> name (or some mangled variation thereof) as the NT name, and vice versa.

i wrote you a little note, it says basically that it is sensible to
enforce same unix name as nt name, if we're going to use rfc2037 as a
starting point.

> Especially since soon we're going to have to get User Manager administering
> Samba

that's underway, and it already works.  read-only.

> (either that or add another fifty switches to smbpasswd...) and there's no
> way for that to tell us what Unix username to create.

that's... marginally irrelevant: it depends on the implementation (you,
for ldap :-)

[basically, you ought to know that i do not hold unix, nt or samba in high
regard (or any code or any well-established system) *except* where it's
pretty obvious that it's really good, and it works, and it does the job,
and we can get a good leg-up and have less work to do if we follow its
example].


> > this could be a bit of a pain if someone wants to suck a SAM database out
> > of an NT server and create an LDAP one.
> 
> This is a very cool idea, a utility along the lines of pwdump that sucks ALL of
> the information out of the SAM, including the domain SID etc, into LDIF format
> ready for Samba to use... It would certainly simplify the *upgrade* path :-)

yeahhh
 
> Yep, that's definitely on my todo list.
> 
> > i also recommend that you add a User RID and a Primary Group RID field, to
> > make life easier for SAM suckers.
> 
> Done.

ace.

> > > Also how does one add users to groups and aliases (in terms of the api)?
> > > Have I misunderstood something here?
> >
> > for now, don't worry about the group issues.  let's stick with the
> > UNIX-lookup code, which seems to do a good job.  unless you _want_ to do
> > it, that is :-)
> 
> Well, i've already written passgrpldap.c, groupldap.c and aliasldap.c... it's

cool!  ok, where?  passdb/groupldap.c or groupdb/groupldap.c?


> just that you need to add users to groups with ldapmodify, there doesn't seem to
> be any api for it. Is there? What were you intending to do?

ok, i've _started_ on it (i decoded the stuff, i just need to create code
for it, i'm going to do client-side first, then server-side, using
SMB_FILE_DB defines (aliasfile.c, groupfile.c etc) as an example, then
when i'm happy, i'll be in a position to explain things if it's not
obvious from the code.


this _should_ all be really simple, you know :-) :-)


