# Samba_4_Schema_Mapping
## Overview
Some of the attribute types and object classes in the Active Directory schema are incompatible with the standard LDAP schema. When Samba runs by itself on DS it only includes the core standard LDAP schema, so there is no issue. However, when integrated with IPA this becomes a problem, because IPA uses the full standard LDAP schema and some definitions conflict.
This problem can be solved by renaming the conflicting AD schema elements. Samba already has a mechanism that translates object classes and attribute types; it needs to be expanded to cover all conflicting schema.
For example, the standard person object class requires both cn and sn, whereas in the AD schema the person object class only requires cn. With this solution the AD person class is renamed to samba4Person when stored in DS.
For other AD attribute types and object classes whose definitions are identical to or compatible with the standard LDAP schema, Samba should simply use the standard LDAP schema definitions.
## Schema Mapping
### DS Schema
The following AD attributes are compatible with the DS schema.

| AD Attribute | DS Attribute |
|---|---|
| name | name |
| objectClasses | objectClasses |
| createTimeStamp | createTimeStamp |
| attributeTypes | attributeTypes |
| objectClass | objectClass |
| userPassword | userPassword |
| seeAlso | seeAlso |
| modifyTimeStamp | modifyTimeStamp |
| distinguishedName | distinguishedName |
| description | description |
| cn | cn |
| dITContentRules | dITContentRules |
| top | top |
| homePostalAddress | homePostalAddress |
| info | info |
| displayName | displayName |
| employeeName | employeeName |
| employeeType | employeeType |
| personalTitle | personalTitle |
| co | co |
| unixHomeDirectory | homeDirectory |
| userSMIMECertificate | userSMIMECertificate |
### Samba 3 Schema
The following AD attributes are compatible with the Samba 3 schema.

| AD Attribute | Samba 3 Attribute |
|---|---|
| pwdLastSet | sambaPwdLastSet |
| lastLogon | sambaLogonTime |
| lastLogoff | sambaLogoffTime |
| badPwdCount | sambaBadPasswordCount |
| logonHours | sambaLogonHours |
| homeDrive | sambaHomeDrive |
| scriptPath | sambaLogonScript |
| profilePath | sambaProfilePath |
| userWorkstations | sambaUserWorkstations |
| homeDirectory | sambaHomePath |
| groupType | sambaGroupType |
| nextRid | sambaNextRid |
| privilegeDisplayName | sambaPrivName |
### Conflicting Attribute Types
The following AD attributes are incompatible with DS attributes (the OIDs collide with attributes that DS already defines). The solution is to rename the attributes and/or change the OIDs.

| AD Attribute | DS Attribute | Solution |
|---|---|---|
| fRSDirectoryFilter (OID 1.2.840.113556.1.4.484) | calOtherCAPURIs (60rfc2739.ldif, OID 1.2.840.113556.1.4.484) | fRSDirectoryFilter (OID fRSDirectoryFilter-oid) |
| fRSFileFilter (OID 1.2.840.113556.1.4.483) | calOtherFBURLs (60rfc2739.ldif, OID 1.2.840.113556.1.4.483) | fRSFileFilter (OID fRSFileFilter-oid) |
| fRSUpdateTimeout (OID 1.2.840.113556.1.4.485) | calOtherCalAdrURIs (60rfc2739.ldif, OID 1.2.840.113556.1.4.485) | fRSUpdateTimeout (OID fRSUpdateTimeout-oid) |
| thumbnailLogo (OID 2.16.840.1.113730.3.1.36) | nsLicensedFor (02common.ldif, OID 2.16.840.1.113730.3.1.36) | thumbnailLogo (OID thumbnailLogo-oid) |
| thumbnailPhoto (OID 2.16.840.1.113730.3.1.35) | changeLog (02common.ldif, OID 2.16.840.1.113730.3.1.35) | thumbnailPhoto (OID thumbnailPhoto-oid) |
| schemaUpdate (OID 1.2.840.113556.1.4.481) | calCalAdrURI (60rfc2739.ldif, OID 1.2.840.113556.1.4.481) | schemaUpdate (OID schemaUpdate-oid) |
### Conflicting Object Classes
The following AD object classes are incompatible with DS object classes. The solution is to rename the object class and/or change the OIDs.

| AD Object Class | DS Object Class | Solution |
|---|---|---|
| domain | domain (05rfc4524.ldif) | samba4Domain |
| rFC822LocalPart (OID 0.9.2342.19200300.100.4.14) | rFC822localPart (05rfc4524.ldif, OID 0.9.2342.19200300.100.4.14) | samba4RFC822LocalPart (OID samba4RFC822LocalPart-oid) |
| mailRecipient | mailRecipient (50ns-mail.ldif) | samba4MailRecipient |
| nisMap | nisMap (10rfc2307.ldif) | samba4NisMap |
| person (OID 2.5.6.6) | person (00core.ldif, OID 2.5.6.6) | samba4Person (OID samba4Person-oid) |
| residentialPerson (OID 2.5.6.7) | residentialPerson (00core.ldif, OID 2.5.6.7) | samba4ResidentialPerson (OID samba4ResidentialPerson-oid) |
| organizationalPerson (OID 2.5.6.7) | organizationalPerson (00core.ldif, OID 2.5.6.7) | samba4OrganizationalPerson (OID samba4OrganizationalPerson-oid) |
| inetOrgPerson (OID 2.16.840.1.113730.3.2.2) | inetOrgPerson (06inetorgperson.ldif, OID 2.16.840.1.113730.3.2.2) | samba4InetOrgPerson (OID samba4InetOrgPerson-oid) |
## Current Code
### Schema Conversion
Some of the schema conversions are already configured in source4/setup/schema-map-fedora-ds-1.0. The file uses the following format (lines starting with # are comments; a bare name skips that attribute or object class, and an old:new pair renames it):

```
# Skip attribute/object class
<attribute/object class>
...
# Rename OID/attribute/object class
<old OID/attribute/object class>:<new OID/attribute/object class>
...
```

The conversion code is located in source4/dsdb/schema/schema_convert_to_ol.c:

```c
char *dsdb_convert_schema_to_openldap(struct ldb_context *ldb,
                                      char *target_str, const char *mappings)
{
        /* function body not reproduced on this page */
}
```

Currently the code doesn't map the object class parent (subClassOf), so a subclass of a renamed class still refers to the old parent name.
### Mapping Module
The mapping module is located at source4/dsdb/samdb/ldb_modules/simple_ldap_map.c. It maintains a separate mapping configuration:

| Local Name | Remote Name | Convert Local | Convert Remote |
|---|---|---|---|
| objectGUID | nsuniqueid | guid_ns_string | encode_ns_guid |
| objectSid | objectSid | sid_always_binary | val_copy |
| whenCreated | createTimestamp | | |
| whenChanged | modifyTimestamp | | |
| objectCategory | objectCategory | objectCategory_always_dn | val_copy |
| distinguishedName | entryDN | | |
| primaryGroupID | primaryGroupID | normalise_to_signed32 | val_copy |
| groupType | groupType | normalise_to_signed32 | val_copy |
| userAccountControl | userAccountControl | normalise_to_signed32 | val_copy |
| sAMAccountType | sAMAccountType | normalise_to_signed32 | val_copy |
| systemFlags | systemFlags | normalise_to_signed32 | val_copy |
| usnChanged | modifyTimestamp | usn_to_timestamp | timestamp_to_usn |
| usnCreated | createTimestamp | usn_to_timestamp | timestamp_to_usn |
The attribute mapping is stored in the following structure (Convert Local runs when a value travels from the local, AD-style side to the remote DS side; Convert Remote runs in the opposite direction):

```c
static const struct ldb_map_attribute nsuniqueid_attributes[] =
{
        {
                .local_name = "...",
                /* exactly one of MAP_CONVERT, MAP_RENAME or MAP_KEEP;
                 * the .u.convert member below applies to MAP_CONVERT */
                .type = MAP_CONVERT,
                .u = {
                        .convert = {
                                .remote_name = "...",
                                .convert_local = ...,
                                .convert_remote = ...,
                        }
                }
        },
        {
                .local_name = NULL     /* end of table */
        }
};
```
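As an added illustration, not code from Samba's simple_ldap_map.c, the following Python models the local/remote table above in both directions, including the groupType to sambaGroupType row proposed later on this page; the entry values are constructed, and the behaviour of normalise_to_signed32 is modelled from what the table implies rather than copied from Samba's source.

```python
# Added example, not code from Samba's simple_ldap_map.c: a Python model of
# the local/remote attribute table above, with the proposed groupType ->
# sambaGroupType row, showing convert_local on the way to DS and
# convert_remote on the way back. Values are decimal strings, as in LDAP.

def val_copy(value):
    """Pass the value through unchanged (the table's val_copy)."""
    return value

def normalise_to_signed32(value):
    """Flag words such as groupType are 32-bit in AD but may arrive as an
    unsigned decimal, e.g. 0x80000002 (a global security group) as
    '2147483650'; the stored form is the signed 32-bit '-2147483646'."""
    n = int(value)
    if n >= 0x80000000:
        n -= 0x100000000              # reinterpret as two's complement
    return str(n)

# (local_name, remote_name, convert_local, convert_remote), mirroring the
# ldb_map_attribute rows on this page; constructed subset.
ATTRIBUTE_MAP = [
    ("groupType",      "sambaGroupType",  normalise_to_signed32, val_copy),
    ("primaryGroupID", "primaryGroupID",  normalise_to_signed32, val_copy),
    ("pwdLastSet",     "sambaPwdLastSet", val_copy,              val_copy),
]

def to_remote(msg):
    """AD-style message -> what DS actually stores."""
    table = {local: (remote, conv) for local, remote, conv, _ in ATTRIBUTE_MAP}
    out = {}
    for attr, value in msg.items():
        remote, convert_local = table.get(attr, (attr, val_copy))
        out[remote] = convert_local(value)
    return out

def to_local(stored):
    """Stored DS entry -> the AD-style view handed back to clients."""
    table = {remote: (local, conv) for local, remote, _, conv in ATTRIBUTE_MAP}
    out = {}
    for attr, value in stored.items():
        local, convert_remote = table.get(attr, (attr, val_copy))
        out[local] = convert_remote(value)
    return out
```

The round trip deliberately does not restore the unsigned form: normalisation happens once on the way in, and val_copy on the way out returns the signed value that Samba 3 tooling expects.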
Currently there is no object class mapping for DS.
The module is initialized in the following method:

```c
static int nsuniqueid_init(struct ldb_module *module)
{
        ldb_map_init(module, nsuniqueid_attributes, NULL,
                     nsuniqueid_wildcard_attributes, "extensibleObject", NULL);
        return ldb_next_init(module);
}
```
## Proposed Changes
### Adding Samba 3 Schema
The Samba 3 schema and its dependencies have to be included during DS instance creation. The following lines should be added to source4/setup/fedorads.inf:

```ini
SchemaFile=/etc/dirsrv/schema/10rfc2307.ldif
SchemaFile=/etc/dirsrv/schema/05rfc4523.ldif
SchemaFile=/etc/dirsrv/schema/05rfc4524.ldif
SchemaFile=/etc/dirsrv/schema/06inetorgperson.ldif
SchemaFile=/usr/share/dirsrv/data/60samba3.ldif
```
### Schema Conversion
The following schema conversion should be added:

```
#Standard FDS attributes
homePostalAddress
info
displayName
employeeNumber
employeeType
personalTitle
co
userSMIMECertificate
#Remap into existing schema
unixHomeDirectory
unixHomeDirectory:homeDirectory
pwdLastSet
pwdLastSet:sambaPwdLastSet
lastLogon
lastLogon:sambaLogonTime
lastLogoff
lastLogoff:sambaLogoffTime
badPwdCount
badPwdCount:sambaBadPasswordCount
logonHours
logonHours:sambaLogonHours
homeDrive
homeDrive:sambaHomeDrive
scriptPath
scriptPath:sambaLogonScript
profilePath
profilePath:sambaProfilePath
userWorkstations
userWorkstations:sambaUserWorkstations
homeDirectory
homeDirectory:sambaHomePath
groupType
groupType:sambaGroupType
nextRid
nextRid:sambaNextRid
privilegeDisplayName
privilegeDisplayName:sambaPrivName
#Resolve conflicting attributes
1.2.840.113556.1.4.484:fRSDirectoryFilter-oid
1.2.840.113556.1.4.483:fRSFileFilter-oid
1.2.840.113556.1.4.485:fRSUpdateTimeout-oid
2.16.840.1.113730.3.1.36:thumbnailLogo-oid
2.16.840.1.113730.3.1.35:thumbnailPhoto-oid
1.2.840.113556.1.4.481:schemaUpdate-oid
#Resolve conflicting object classes
domain:samba4Domain
rFC822LocalPart:samba4RFC822LocalPart
mailRecipient:samba4MailRecipient
nisMap:samba4NisMap
0.9.2342.19200300.100.4.14:samba4RFC822LocalPart-oid
person:samba4Person
2.5.6.6:samba4Person-oid
organizationalPerson:samba4OrganizationalPerson
2.5.6.7:samba4OrganizationalPerson-oid
residentialPerson:samba4ResidentialPerson
2.5.6.10:samba4ResidentialPerson-oid
inetOrgPerson:samba4InetOrgPerson
2.16.840.1.113730.3.2.2:samba4InetOrgPerson-oid
```
The conversion code should be modified to map the object class parent as well, so that a subclass of a renamed class (for example organizationalPerson under person) refers to the new parent name:

```c
static char *print_schema_recursive(
        char *append_to_string, struct dsdb_schema *schema, const char *print_class,
        enum dsdb_schema_convert_target target,
        const char **attrs_skip, const struct attr_map *attr_map, const struct oid_map *oid_map)
{
        unsigned int j;
        /* ... existing code; subClassOf holds the parent class name of print_class ... */

        /* Added: run the parent class name through the same rename map as the
         * attributes, so that e.g. person -> samba4Person is honoured in
         * every subclass definition that is emitted. */
        for (j = 0; subClassOf && attr_map && attr_map[j].old_attr; j++) {
                if (strcasecmp(subClassOf, attr_map[j].old_attr) == 0) {
                        subClassOf = attr_map[j].new_attr;
                        break;
                }
        }
        /* ... existing code continues ... */
}
```
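As an added example, not code from Samba or FreeIPA, the following Python reads the schema-map-fedora-ds-1.0 format described under Current Code and applies it to a small constructed AD schema fragment, including the parent-class (subClassOf) renaming that the change above adds; the sample entries and the unixHomeDirectory-oid placeholder are constructed for the example, and the mapping lines are taken from the proposed conversion on this page.

```python
# Added example, not Samba/FreeIPA code: reads the schema-map-fedora-ds-1.0
# format and applies it to a constructed AD schema fragment (both below).
SCHEMA_MAP = """\
unixHomeDirectory
unixHomeDirectory:homeDirectory
#Resolve conflicting object classes
person:samba4Person
2.5.6.6:samba4Person-oid
organizationalPerson:samba4OrganizationalPerson
2.5.6.7:samba4OrganizationalPerson-oid
"""

# Constructed AD schema fragment: one attribute type and two object classes.
AD_SCHEMA = [
    {"name": "unixHomeDirectory", "oid": "unixHomeDirectory-oid"},
    {"name": "person", "oid": "2.5.6.6", "subClassOf": "top", "must": ["cn"]},
    {"name": "organizationalPerson", "oid": "2.5.6.7", "subClassOf": "person",
     "may": ["unixHomeDirectory"]},
]

def parse_schema_map(text):
    """Bare lines: AD definitions not emitted. old:new lines: renames."""
    skip, rename = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if ":" in line:
            old, new = (part.strip() for part in line.split(":", 1))
            rename[old] = new             # applies to names and OIDs alike
        else:
            skip.add(line)                # DS already defines this one
    return skip, rename

def convert_schema(text, schema):
    """Return the DS-side definitions for a list of AD schema entries."""
    skip, rename = parse_schema_map(text)
    ren = rename.get                      # ren(x, x): renamed or unchanged
    out = []
    for entry in schema:
        if entry["name"] in skip:         # definition dropped, references kept
            continue
        conv = {key: ren(entry[key], entry[key]) for key in ("name", "oid")}
        if "subClassOf" in entry:         # object class: map parent and lists
            parent = entry["subClassOf"]
            conv["subClassOf"] = ren(parent, parent)  # step the current code lacks
            for lst in ("must", "may"):
                conv[lst] = [ren(a, a) for a in entry.get(lst, [])]
        out.append(conv)
    return out
```

Note that a skipped attribute such as unixHomeDirectory still gets its references rewritten (here to homeDirectory), which is why the proposed map lists it both bare and as an old:new pair.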
### Mapping Module
The following attribute mapping should be modified:

| Local Name | Remote Name | Convert Local | Convert Remote |
|---|---|---|---|
| groupType | sambaGroupType | normalise_to_signed32 | val_copy |
The following attribute mapping should be added:

| Local Name | Remote Name | Convert Local | Convert Remote |
|---|---|---|---|
| unixHomeDirectory | homeDirectory | | |
| pwdLastSet | sambaPwdLastSet | | |
| lastLogon | sambaLogonTime | | |
| lastLogoff | sambaLogoffTime | | |
| badPwdCount | sambaBadPasswordCount | | |
| logonHours | sambaLogonHours | | |
| homeDrive | sambaHomeDrive | | |
| scriptPath | sambaLogonScript | | |
| profilePath | sambaProfilePath | | |
| userWorkstations | sambaUserWorkstations | | |
| homeDirectory | sambaHomePath | | |
| nextRid | sambaNextRid | | |
| privilegeDisplayName | sambaPrivName | | |
The following object class mapping should be added:

| Local Name | Remote Name |
|---|---|
| domain | samba4Domain |
| rFC822LocalPart | samba4RFC822LocalPart |
| mailRecipient | samba4MailRecipient |
| nisMap | samba4NisMap |
| person | samba4Person |
| organizationalPerson | samba4OrganizationalPerson |
| residentialPerson | samba4ResidentialPerson |
| inetOrgPerson | samba4InetOrgPerson |
The object class mapping should be stored in the following structure:

```c
const struct ldb_map_objectclass nsuniqueid_objectclasses[] =
{
        {
                .local_name = "...",
                .remote_name = "..."
        },
        {
                .local_name = NULL     /* end of table */
        }
};
```
The module initialization should be changed to use the object class mapping:

```c
static int nsuniqueid_init(struct ldb_module *module)
{
        ldb_map_init(module, nsuniqueid_attributes, nsuniqueid_objectclasses,
                     nsuniqueid_wildcard_attributes, "extensibleObject", NULL);
        return ldb_next_init(module);
}
```
## Patches
The following patch has been applied to the source repository: