[PATCH] Add external-schema directory

William Brown william at blackhats.net.au
Mon Apr 30 22:24:54 UTC 2018


On Mon, 2018-04-30 at 08:43 +0300, Alexander Bokovoy via samba-technical wrote:
> Hi,
> 
> On ma, 30 huhti 2018, William Brown via samba-technical wrote:
> > Hi,
> > 
> > There are a small number of useful external schemas that we should
> > provide. Instead of letting admins pull these from the internet, we
> > should ship some useful schema that we know is correct and able to
> > extend the directory for broader unix application use.
> 
> How would you propose installing them? The patch doesn't address this
> part other than the README document, so how would they be installed?
> You'd need to add a bit of bld.INSTALL_WILDCARD() to
> source4/setup/wscript_build

I think I did? They install for me?

find /usr/local/samba | grep -i external
/usr/local/samba/share/setup/external-schema
/usr/local/samba/share/setup/external-schema/README.txt
/usr/local/samba/share/setup/external-schema/ns.ldif
/usr/local/samba/share/setup/external-schema/sshpubkey.ldif

Maybe you mean application of the schema to the cn=schema partition? 

> 
> Perhaps, DC=.. parts need to be changed to be consistent with
> schema_samba4.ldif which uses ${SCHEMADN}.

This is a good idea. I'll update this. 

Andrew Bartlett (whom I am seeing this week) has suggested to me in
person that I extend this to cover the other UUID types that I
mentioned (entryUUID notably). We are discussing some ideas about an
LDB module that could generate these also, but the main goal would be
migration compatibility. Of course, given how "static" AD schema is in
contrast to 389ds/ipa, I'm worried about going too far since we cannot
easily back-out of a change. We also have to consider "schema mods on
upgrade too" in case we extend this also. 

> 
> Also, it may be good to provide a 'samba-tool' subcommand that plugs
> into some of the code in python/samba/provision.

That was my next idea. I was however following the "break the patches
up idea" :) 

I have a stack of commands still under review by people, so I'm a
little hesitant to "keep piling on code" until they are accepted. I'd
really want this to be part of the schema command. In my mind I think
something like this would be a good work flow

samba-tool schema external list
<list of external schemas we can add>
samba-tool schema external show <name>
<cat the content of the ldif>
samba-tool schema external apply <name>
<apply the schema to the directory>

The benefit of "apply" is that we can do the correct appending of
auxiliaryClass to the person object class - we can't do it in the ldif
because you need to know all CURRENT auxclass values for the ldap mod,
so having this in a tool makes it significantly easier and safer.

What do you think of this? 

Another suggestion from Andrew was to have an "extended" mode in
provision that automatically applies this schema compatibility. Kind of
like "DC++" mode that has some extra unix integration goodies. But I
think that requires me to document what I have in my mind about
integration options, and needs some planning and understanding. We
can't just rush into that one. 

> 
> For schemaIDGUID would be good to add a comment above the attribute
> definition that has the GUID in a readable form.

Yes, this is a good idea. I'll add that. 

> 
> > 
> > The two schemas in this patch are for ssh public key storage in LDAP,
> > and nsUniqueId compatibility for migrations from SUN-DS/389 Directory
> > Server applications.
> > 
> > Thanks,
> > 
> > William
> > From e5f71309b6c2aaf4cc395cd86de1161a83e59167 Mon Sep 17 00:00:00 2001
> > From: William Brown <william at blackhats.net.au>
> > Date: Mon, 30 Apr 2018 15:23:14 +1200
> > Subject: [PATCH] source4/setup/external-schema: Add ns compat and sshpubkey
> > 
> > Add externally provided schema files that can be applied to a domain. This
> > prevents admins needing to apply "random ldifs" from the internet. The two
> > external schemas are for ssh public key storage in LDAP, and the second is
> > a 389 Directory Server compatibility attribute for UUID mapping.
> > 
> > Signed-off-by: William Brown <william at blackhats.net.au>
> > ---
> >  source4/setup/external-schema/README         |  6 ++++++
> >  source4/setup/external-schema/README.txt     | 11 +++++++++++
> >  source4/setup/external-schema/ns.ldif        | 29 ++++++++++++++++++++++++++++
> >  source4/setup/external-schema/sshpubkey.ldif | 29 ++++++++++++++++++++++++++++
> >  4 files changed, 75 insertions(+)
> >  create mode 100644 source4/setup/external-schema/README
> >  create mode 100644 source4/setup/external-schema/README.txt
> >  create mode 100644 source4/setup/external-schema/ns.ldif
> >  create mode 100644 source4/setup/external-schema/sshpubkey.ldif
> > 
> > diff --git a/source4/setup/external-schema/README
> > b/source4/setup/external-schema/README
> > new file mode 100644
> > index 00000000000..a8416b94792
> > --- /dev/null
> > +++ b/source4/setup/external-schema/README
> > @@ -0,0 +1,6 @@
> > +This is a set of external LDIF schemas that are useful - but not
> > installed
> > +by default.
> > +
> > +They exist so that rather than applying random internet LDIF's we
> > can guide
> > +people to use these instead.
> > +
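Review bot: README and README.txt in source4/setup/external-schema carry the same two paragraphs, with README.txt adding the application instructions on top; shipping both means the copies will drift, so drop this README and keep README.txt only (it is the file that ends up installed under share/setup/external-schema, per the find output earlier in the thread).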
> > diff --git a/source4/setup/external-schema/README.txt
> > b/source4/setup/external-schema/README.txt
> > new file mode 100644
> > index 00000000000..844246d4dab
> > --- /dev/null
> > +++ b/source4/setup/external-schema/README.txt
> > @@ -0,0 +1,11 @@
> > +This is a set of external LDIF schemas that are useful - but not
> > installed
> > +by default.
> > +
> > +They exist so that rather than applying random internet LDIF's we
> > can guide
> > +people to use these instead.
> > +
> > +To apply these, you need to copy them and replace 'DC=X' with your
> > domain DN.
> > +
> > +They can then be applied with ldapmodify -f <name>.ldif. You will
> > need to
> > +authenticate with an account that is a member of Schema Admins.
> > +
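Review bot: the instruction "replace 'DC=X' with your domain DN" does not match the files in this patch: neither ns.ldif nor sshpubkey.ldif contains DC=X; they carry the author's own suffixes DC=blackhats,DC=net,DC=au and DC=adt,DC=blackhats,DC=net,DC=au, so the documented ldapmodify -f step cannot work as written. Pick one placeholder for both files (the ${SCHEMADN} convention of schema_samba4.ldif, as suggested earlier in the thread) and name that placeholder here. It would also help to say that the person class still needs its auxiliaryClass extended afterwards, since the LDIFs only define the attribute and auxiliary class.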
> > diff --git a/source4/setup/external-schema/ns.ldif
> > b/source4/setup/external-schema/ns.ldif
> > new file mode 100644
> > index 00000000000..caeb584d206
> > --- /dev/null
> > +++ b/source4/setup/external-schema/ns.ldif
> > @@ -0,0 +1,29 @@
> > +
> > +dn:
> > CN=nsUniqueId,CN=Schema,CN=Configuration,DC=blackhats,DC=net,DC=au
> > +changetype: add
> > +objectClass: top
> > +objectClass: attributeSchema
> > +attributeID: 2.16.840.1.113730.3.1.542
> > +cn: nsUniqueId
> > +name: nsUniqueId
> > +lDAPDisplayName: nsUniqueId
> > +description: MANDATORY: nsUniqueId compatability
> > +attributeSyntax: 2.5.5.10
> > +oMSyntax: 4
> > +isSingleValued: TRUE
> > +searchFlags: 9
> > +
> > +dn:
> > CN=nsOrgPerson,CN=Schema,CN=Configuration,DC=blackhats,DC=net,DC=au
> > +changetype: add
> > +objectClass: top
> > +objectClass: classSchema
> > +governsID: 2.16.840.1.113730.3.2.334
> > +cn: nsOrgPerson
> > +name: nsOrgPerson
> > +description: MANDATORY: Netscape DS compat person
> > +lDAPDisplayName: nsOrgPerson
> > +subClassOf: top
> > +objectClassCategory: 3
> > +defaultObjectCategory:
> > CN=nsOrgPerson,CN=Schema,CN=Configuration,DC=blackhats,DC=net,DC=au
> > +mayContain: nsUniqueId
> > +
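Review bot: both DNs in this hunk are hardcoded to DC=blackhats,DC=net,DC=au, and nsUniqueId and nsOrgPerson carry no schemaIDGUID, unlike the two definitions in sshpubkey.ldif; replace the suffix with the shared placeholder and give each definition a fixed schemaIDGUID, with the readable GUID in a comment above it as requested, so the identifiers are the same in every domain that applies the file. The empty "+" line at the top of the file should also go, and "MANDATORY:" in the description reads as a marker for something that is not mandatory (the class is auxiliary, objectClassCategory 3) and should be reworded.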
> > diff --git a/source4/setup/external-schema/sshpubkey.ldif
> > b/source4/setup/external-schema/sshpubkey.ldif
> > new file mode 100644
> > index 00000000000..439feda8e1a
> > --- /dev/null
> > +++ b/source4/setup/external-schema/sshpubkey.ldif
> > @@ -0,0 +1,29 @@
> > +dn:
> > CN=sshPublicKey,CN=Schema,CN=Configuration,DC=adt,DC=blackhats,DC=n
> > et,DC=au
> > +changetype: add
> > +objectClass: top
> > +objectClass: attributeSchema
> > +attributeID: 1.3.6.1.4.1.24552.500.1.1.1.13
> > +schemaIDGUID:: fHCvUrxcsUSrYRq8nUvw5Q==
> > +cn: sshPublicKey
> > +name: sshPublicKey
> > +lDAPDisplayName: sshPublicKey
> > +description: MANDATORY: OpenSSH Public key
> > +attributeSyntax: 2.5.5.10
> > +oMSyntax: 4
> > +isSingleValued: FALSE
> > +
> > +dn:
> > CN=ldapPublicKey,CN=Schema,CN=Configuration,DC=adt,DC=blackhats,DC=
> > net,DC=au
> > +changetype: add
> > +objectClass: top
> > +objectClass: classSchema
> > +governsID: 1.3.6.1.4.1.24552.500.1.1.2.0
> > +schemaIDGUID:: yfKd3707f0qnSxgXE9qYeA==
> > +cn: ldapPublicKey
> > +name: ldapPublicKey
> > +description: MANDATORY: OpenSSH LPK objectclass
> > +lDAPDisplayName: ldapPublicKey
> > +subClassOf: top
> > +objectClassCategory: 3
> > +defaultObjectCategory:
> > CN=ldapPublicKey,CN=Schema,CN=Configuration,DC=adt,DC=blackhats,DC=
> > net,DC=au
> > +mayContain: sshPublicKey
> > +
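Review bot: the suffix here is DC=adt,DC=blackhats,DC=net,DC=au, which differs from the DC=blackhats,DC=net,DC=au used in ns.ldif, so the two files cannot be applied to the same domain without hand-editing; use the one placeholder in both. The schemaIDGUID values appear only as base64; add the comment with the readable GUID above each, as asked above, so a reviewer can check them against the OpenSSH LPK schema the description names.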
> > -- 
> > 2.14.3
> > 
> 
> 

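The `samba-tool schema external apply` workflow sketched above, as an added example that is not Samba's code: it parses a shipped LDIF record, substitutes the DC=X placeholder that README.txt describes, and builds the auxiliaryClass append for the person class from the directory's current values so nothing is clobbered. The LDIF record, the domain DN and the current auxiliaryClass values are constructed inputs; a real tool would read the current values from the schema partition through ldb.

```python
# Added example, not Samba's own code: models the "schema external apply"
# step from the thread in plain Python, without the samba/ldb bindings.
import re

# Constructed sample record shaped like the shipped sshpubkey.ldif, with DC=X.
SHIPPED_LDIF = """dn: CN=ldapPublicKey,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
schemaIDGUID:: yfKd3707f0qnSxgXE9qYeA==
lDAPDisplayName: ldapPublicKey
objectClassCategory: 3
defaultObjectCategory: CN=ldapPublicKey,CN=Schema,CN=Configuration,DC=X
"""
LINE = re.compile(r"^([A-Za-z][\w-]*)(::?) ?(.*)$")
DN_ATTRS = {"dn", "defaultobjectcategory"}  # attributes whose value is a DN

def parse_ldif(text):
    """Split LDIF into records of (attr, sep, value); sep '::' marks base64."""
    records, current = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            current.append(LINE.match(line).groups())
    return records

def rebase(records, domain_dn):
    """Replace the trailing DC=X placeholder in DN-valued attributes only."""
    def fix(attr, sep, value):
        if attr.lower() in DN_ATTRS:
            value = re.sub(r"DC=X$", domain_dn, value)
        return (attr, sep, value)
    return [[fix(*entry) for entry in rec] for rec in records]

def aux_to_add(current_aux, wanted):
    """Aux classes not yet on the target class (LDAP names are case-insensitive)."""
    present = {v.lower() for v in current_aux}
    return [w for w in wanted if w.lower() not in present]

def aux_modify_ldif(class_dn, current_aux, wanted):
    """'add' only the missing values: a 'replace' would drop the existing list."""
    to_add = aux_to_add(current_aux, wanted)
    if not to_add:
        return ""  # already applied: nothing to send, so the step is idempotent
    lines = [f"dn: {class_dn}", "changetype: modify", "add: auxiliaryClass"]
    lines += [f"auxiliaryClass: {v}" for v in to_add]
    return "\n".join(lines) + "\n-\n"
```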

