OpenLDAP and Samba4

Gémes Géza geza at
Mon Apr 22 22:32:18 MDT 2013

2013-04-22 23:55 keltezéssel, Yoann Gini írta:
> Le 22 avr. 2013 à 19:27, Gémes Géza <geza at> a écrit :
>> Lots of attributes are different (conflicting) in the AD schema from those used by OpenLDAP or any other implementation. So bringing over ldif export files form existing LDAP directories won't work without changes, and could even need some patches for the software which used them.
> Attribute composition or replacement to deal with that kind of situation are something that we are used to…
> For my understanding of the AD system, the mains differences are the GPO applied to OU (but I don’t know how it’s saved and I’m curious about that) and some custom unique ID like de SID who look like to have a algorithmic conception.
> Mapping userPrincipalName to uid and userAccountControl to static value or to a microsoft-userAccountControl field is not a big deal for a system administrator.
> Conflicting attributes are just a question of mapping and you have the control on that point, you can translate on with some config file conflicting attributes. For things who don’t exist or exit in a bad format, we can handle a schema extension and an integration into the existing admin tools (for example to translate a password expiration date to a pwdLastSet boolean).
> Providing the content is the role of the system administrator, not yours. What you have to do on your side is asking us what you need and allowing us to map some names to fit your needs in our schema.
GPOs are saved as files in a subfolder of the sysvol share

Mapping user account related attributes was never (at least not 
recently) a problem on *nix, but there are other kinds of data which can 
be stored in a directory and not all software support mapping. Some 
simply expect a given attribute, and if that conflicts (already exist 
with different type, or EqualityMatch, etc.) with the AD schema imposed 
attribute you need to modify the given software.


Geza Gemes

More information about the samba-technical mailing list