
Obsolete:Samba 4 Schema Mapping

Obsolete Documentation

Please note that this content was marked as obsolete. We left the content here for study and archaeological purposes.

Please check our Documentation for a recent list of topics.

Overview

Some of the attribute types and object classes in the Active Directory schema are incompatible with the standard LDAP schema. When Samba runs by itself on DS, only the core standard LDAP schema is loaded, so there is no issue. When Samba is integrated with IPA, however, this becomes a problem, because IPA uses the full standard LDAP schema and some definitions conflict.

This problem can be solved by renaming the conflicting AD schema elements. Samba already has a mechanism to translate object classes and attribute types; it needs to be expanded to cover all conflicting schema.

For example, the standard person object class requires cn and sn, whereas the AD person object class requires only cn. With this solution the AD person is renamed to samba4Person when stored in DS.

[Image: Samba4-schema-mapping.png]

For other AD attribute types and object classes that have identical/compatible definitions in the standard LDAP schema, Samba should just use the standard LDAP schema.

Schema Mapping

DS Schema

The following AD attributes are compatible with DS schema.

AD Attribute DS Attribute
name name
objectClasses objectClasses
createTimeStamp createTimeStamp
attributeTypes attributeTypes
objectClass objectClass
userPassword userPassword
seeAlso seeAlso
modifyTimeStamp modifyTimeStamp
distinguishedName distinguishedName
description description
cn cn
dITContentRules dITContentRules
top top
homePostalAddress homePostalAddress
info info
displayName displayName
employeeName employeeName
employeeType employeeType
personalTitle personalTitle
co co
unixHomeDirectory homeDirectory
userSMIMECertificate userSMIMECertificate

Samba 3 Schema

The following AD attributes are compatible with Samba 3 schema.

AD Attribute Samba 3 Attribute
pwdLastSet sambaPwdLastSet
lastLogon sambaLogonTime
lastLogoff sambaLogoffTime
badPwdCount sambaBadPasswordCount
logonHours sambaLogonHours
homeDrive sambaHomeDrive
scriptPath sambaLogonScript
profilePath sambaProfilePath
userWorkstations sambaUserWorkstations
homeDirectory sambaHomePath
groupType sambaGroupType
nextRid sambaNextRid
privilegeDisplayName sambaPrivName

Conflicting Attribute Types

The following AD attribute types are incompatible with DS attribute types (each shares an OID with an unrelated DS attribute). The solution is to rename the attributes and/or change the OIDs.

AD Attribute (OID) | DS Attribute (file, OID) | Solution (new OID)
fRSDirectoryFilter (1.2.840.113556.1.4.484) | calOtherCAPURIs (60rfc2739.ldif, 1.2.840.113556.1.4.484) | fRSDirectoryFilter (fRSDirectoryFilter-oid)
fRSFileFilter (1.2.840.113556.1.4.483) | calOtherFBURLs (60rfc2739.ldif, 1.2.840.113556.1.4.483) | fRSFileFilter (fRSFileFilter-oid)
fRSUpdateTimeout (1.2.840.113556.1.4.485) | calOtherCalAdrURIs (60rfc2739.ldif, 1.2.840.113556.1.4.485) | fRSUpdateTimeout (fRSUpdateTimeout-oid)
thumbnailLogo (2.16.840.1.113730.3.1.36) | nsLicensedFor (02common.ldif, 2.16.840.1.113730.3.1.36) | thumbnailLogo (thumbnailLogo-oid)
thumbnailPhoto (2.16.840.1.113730.3.1.35) | changeLog (02common.ldif, 2.16.840.1.113730.3.1.35) | thumbnailPhoto (thumbnailPhoto-oid)
schemaUpdate (1.2.840.113556.1.4.481) | calCalAdrURI (60rfc2739.ldif, 1.2.840.113556.1.4.481) | schemaUpdate (schemaUpdate-oid)

Conflicting Object Classes

The following AD object classes are incompatible with DS object classes. The solution is to rename the object class and/or change the OIDs.

AD Object Class (OID) | DS Object Class (file, OID) | Solution (new name, new OID)
domain | domain (05rfc4524.ldif) | samba4Domain
rFC822LocalPart (0.9.2342.19200300.100.4.14) | rFC822localPart (05rfc4524.ldif, 0.9.2342.19200300.100.4.14) | samba4RFC822LocalPart (samba4RFC822LocalPart-oid)
mailRecipient | mailRecipient (50ns-mail.ldif) | samba4MailRecipient
nisMap | nisMap (10rfc2307.ldif) | samba4NisMap
person (2.5.6.6) | person (00core.ldif, 2.5.6.6) | samba4Person (samba4Person-oid)
residentialPerson (2.5.6.7) | residentialPerson (00core.ldif, 2.5.6.7) | samba4ResidentialPerson (samba4ResidentialPerson-oid)
organizationalPerson (2.5.6.7) | organizationalPerson (00core.ldif, 2.5.6.7) | samba4OrganizationalPerson (samba4OrganizationalPerson-oid)
inetOrgPerson (2.16.840.1.113730.3.2.2) | inetOrgPerson (06inetorgperson.ldif, 2.16.840.1.113730.3.2.2) | samba4InetOrgPerson (samba4InetOrgPerson-oid)
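The two tables above were built by hand. As an added example (not code from the page or from Samba), the script below shows how a practitioner can detect the same two kinds of clash automatically before loading AD schema into DS: an AD definition that shares an OID with an unrelated DS definition (the attribute-type case), and an AD object class whose name matches a DS class but whose definition differs (the person case). It parses attributeTypes/objectClasses lines in the LDIF syntax the DS schema files use and emits the result in the old:new syntax of the schema-map file. The two schema texts are constructed and simplified; the page's OIDs are used for the conflicting entries, the AD OID given for domain is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# RFC 4512 definition head: "( <oid> NAME 'x' ..." or "( <oid> NAME ( 'x' 'y' ) ..."
DEF_RE = re.compile(r"\(\s*(?P<oid>[\w.-]+)\s+NAME\s+(?P<name>'[^']*'|\([^)]*\))")
MUST_RE = re.compile(r"\bMUST\s+(\([^)]*\)|[\w-]+)")


@dataclass(frozen=True)
class SchemaDef:
    kind: str             # "attributeTypes" or "objectClasses"
    oid: str
    name: str             # first NAME, original case
    must: FrozenSet[str]  # required attributes (object classes only)


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_schema(text: str) -> List[SchemaDef]:
    """Extract attributeTypes/objectClasses definitions from an LDIF schema file."""
    defs: List[SchemaDef] = []
    for line in _unfold(text):
        kind, sep, body = line.partition(":")
        kind = kind.strip()
        if not sep or kind not in ("attributeTypes", "objectClasses"):
            continue
        m = DEF_RE.search(body)
        if not m:
            raise ValueError(f"unparseable {kind} definition: {body.strip()}")
        name = re.findall(r"'([^']*)'", m.group("name"))[0]
        mm = MUST_RE.search(body)
        must = frozenset(re.findall(r"[\w-]+", mm.group(1))) if mm else frozenset()
        defs.append(SchemaDef(kind, m.group("oid"), name, must))
    return defs


def find_conflicts(ad_text: str, ds_text: str) -> Tuple[List[str], List[str]]:
    """Compare AD definitions with DS ones. Returns (mapping_lines, compatible_names):
    mapping_lines use the schema-map 'old:new' syntax, compatible_names are AD
    definitions that can simply reuse the DS schema."""
    ds = parse_ldif_schema(ds_text)
    by_oid = {(d.kind, d.oid): d for d in ds}
    by_name = {(d.kind, d.name.lower()): d for d in ds}
    mapping: List[str] = []
    compatible: List[str] = []
    for a in parse_ldif_schema(ad_text):
        same_oid = by_oid.get((a.kind, a.oid))
        same_name = by_name.get((a.kind, a.name.lower()))
        if same_oid is not None and same_oid.name.lower() != a.name.lower():
            # OID collision with an unrelated DS definition: keep the AD name and
            # move it to a private OID (the page's "<name>-oid" convention)
            mapping.append(f"{a.oid}:{a.name}-oid")
        if same_name is None:
            continue
        if a.kind == "objectClasses" and (same_name.oid != a.oid or same_name.must != a.must):
            # Same class name, different definition: rename the AD class (and its
            # OID, when the OID is the DS one)
            new_name = "samba4" + a.name[0].upper() + a.name[1:]
            mapping.append(f"{a.name}:{new_name}")
            if same_name.oid == a.oid:
                mapping.append(f"{a.oid}:{new_name}-oid")
        else:
            compatible.append(a.name)
    return mapping, compatible


# Constructed, trimmed DS schema lines (the OIDs are the ones the page lists)
DS_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.2.840.113556.1.4.484 NAME 'calOtherCAPURIs'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'rfc2739' )
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name X-ORIGIN 'RFC 4519' )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN 'RFC 4512' )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) X-ORIGIN 'RFC 4519' )
objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST dc
  MAY ( userPassword $ description ) X-ORIGIN 'RFC 4524' )
"""

# Constructed AD-side definitions in the same syntax; the domain OID is a placeholder
AD_SCHEMA = """\
attributeTypes: ( 1.2.840.113556.1.4.484 NAME 'fRSDirectoryFilter'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 2.5.4.3 NAME 'cn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST ( objectClass ) )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( cn ) MAY ( sn $ userPassword ) )
objectClasses: ( 1.2.840.113556.1.5.999 NAME 'domain' SUP top STRUCTURAL MUST ( dc ) )
"""

if __name__ == "__main__":
    lines, ok = find_conflicts(AD_SCHEMA, DS_SCHEMA)
    print("\n".join(lines))
    print("compatible:", ", ".join(ok))
```

Running it against the constructed input prints the four mapping lines for fRSDirectoryFilter, person and domain and reports cn and top as compatible. Run against the real 00core.ldif, 60rfc2739.ldif and the output of dsdb_convert_schema_to_openldap, it would give a first draft of the "Resolve conflicting" sections of the schema-map file; the check is by OID and by MUST set only, so definitions that differ only in MAY or syntax still need review by hand.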

Current Code

Schema Conversion

Some of the schema conversions are already configured at source4/setup/schema-map-fedora-ds-1.0. The file uses the following format:

# Skip attribute/object class
<attribute/object class>
...
# Rename OID/attribute/object class
<old OID/attribute/object class>:<new OID/attribute/object class>
...

The conversion code is located in source4/dsdb/schema/schema_convert_to_ol.c:

char *dsdb_convert_schema_to_openldap(struct ldb_context *ldb,
    char *target_str, const char *mappings) 
{
}

Currently the code doesn't map the object class parent (subClassOf).

Mapping Module

The mapping module is located at source4/dsdb/samdb/ldb_modules/simple_ldap_map.c. It maintains a separate mapping configuration:

Local Name Remote Name Convert Local Convert Remote
objectGUID nsuniqueid guid_ns_string encode_ns_guid
objectSid objectSid sid_always_binary val_copy
whenCreated createTimestamp
whenChanged modifyTimestamp
objectCategory objectCategory objectCategory_always_dn val_copy
distinguishedName entryDN
primaryGroupID primaryGroupID normalise_to_signed32 val_copy
groupType groupType normalise_to_signed32 val_copy
userAccountControl userAccountControl normalise_to_signed32 val_copy
sAMAccountType sAMAccountType normalise_to_signed32 val_copy
systemFlags systemFlags normalise_to_signed32 val_copy
usnChanged modifyTimestamp usn_to_timestamp timestamp_to_usn
usnCreated createTimestamp usn_to_timestamp timestamp_to_usn

The attribute mapping is stored in the following structure:

static const struct ldb_map_attribute nsuniqueid_attributes[] = 
{
    {
        .local_name = "...",
        .type = MAP_CONVERT | MAP_RENAME | MAP_KEEP,
        .u = {
            .convert = {
                .remote_name = "...",
                .convert_local = ...,
                .convert_remote = ...,
            }
        }
    },
    {
        .local_name = NULL
    }
};

Currently there is no object class mapping for DS.

The module is initialized in the following method:

static int nsuniqueid_init(struct ldb_module *module)
{
    ldb_map_init(module, nsuniqueid_attributes, NULL,
        nsuniqueid_wildcard_attributes, "extensibleObject", NULL);

    return ldb_next_init(module);
}

Proposed Changes

Adding Samba 3 Schema

Samba 3 schema and its dependencies have to be included during DS instance creation. The following lines should be added into source4/setup/fedorads.inf:

SchemaFile=/etc/dirsrv/schema/10rfc2307.ldif
SchemaFile=/etc/dirsrv/schema/05rfc4523.ldif
SchemaFile=/etc/dirsrv/schema/05rfc4524.ldif
SchemaFile=/etc/dirsrv/schema/06inetorgperson.ldif
SchemaFile=/usr/share/dirsrv/data/60samba3.ldif

Schema Conversion

The following entries should be added to the schema-map file:

#Standard FDS attributes
homePostalAddress
info
displayName
employeeNumber
employeeType
personalTitle
co
userSMIMECertificate

#Remap into existing schema
unixHomeDirectory
unixHomeDirectory:homeDirectory
pwdLastSet
pwdLastSet:sambaPwdLastSet
lastLogon
lastLogon:sambaLogonTime
lastLogoff
lastLogoff:sambaLogoffTime
badPwdCount
badPwdCount:sambaBadPasswordCount
logonHours
logonHours:sambaLogonHours
homeDrive
homeDrive:sambaHomeDrive
scriptPath
scriptPath:sambaLogonScript
profilePath
profilePath:sambaProfilePath
userWorkstations
userWorkstations:sambaUserWorkstations
homeDirectory
homeDirectory:sambaHomePath
groupType
groupType:sambaGroupType
nextRid
nextRid:sambaNextRid
privilegeDisplayName
privilegeDisplayName:sambaPrivName

#Resolve conflicting attributes
1.2.840.113556.1.4.484:fRSDirectoryFilter-oid
1.2.840.113556.1.4.483:fRSFileFilter-oid
1.2.840.113556.1.4.485:fRSUpdateTimeout-oid
2.16.840.1.113730.3.1.36:thumbnailLogo-oid
2.16.840.1.113730.3.1.35:thumbnailPhoto-oid
1.2.840.113556.1.4.481:schemaUpdate-oid

#Resolve conflicting object classes
domain:samba4Domain
rFC822LocalPart:samba4RFC822LocalPart
mailRecipient:samba4MailRecipient
nisMap:samba4NisMap
0.9.2342.19200300.100.4.14:samba4RFC822LocalPart-oid
person:samba4Person
2.5.6.6:samba4Person-oid
organizationalPerson:samba4OrganizationalPerson
2.5.6.7:samba4OrganizationalPerson-oid
residentialPerson:samba4ResidentialPerson
2.5.6.10:samba4ResidentialPerson-oid
inetOrgPerson:samba4InetOrgPerson
2.16.840.1.113730.3.2.2:samba4InetOrgPerson-oid

The conversion code should be modified to map the object class parent (subClassOf) through the same rename table that is applied to the class names:

static char *print_schema_recursive(
    char *append_to_string, struct dsdb_schema *schema, const char *print_class,
    enum dsdb_schema_convert_target target,
    const char **attrs_skip, const struct attr_map *attr_map, const struct oid_map *oid_map)
{
    int j;
    /* subClassOf holds the parent class name of print_class, looked up from
       the schema earlier in this function; only the new step is shown here */

    /* Rename the parent the same way the class names themselves are renamed */
    for (j = 0; subClassOf && attr_map && attr_map[j].old_attr; j++) {
        if (strcasecmp(subClassOf, attr_map[j].old_attr) == 0) {
            subClassOf = attr_map[j].new_attr;
            break;
        }
    }
}
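To make the effect of the schema-map file and of the parent-mapping change concrete, here is an added example (written for this page, not code from Samba) that parses the file format described under "Schema Conversion", applies it to a small constructed AD schema, and renders the result in the DS syntax. The skip set and the rename table are looked up case-insensitively, matching the strcasecmp() in the C fragment above; every class attribute (name, OID, subClassOf, MUST and MAY references) goes through the rename table, which is exactly what the current code does not yet do for subClassOf. The input definitions and the "<name>-oid" OIDs are constructed placeholders; the mapping entries are a subset of the ones proposed above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ClassDef:
    name: str
    oid: str
    sup: Optional[str]          # parent class (subClassOf)
    must: Tuple[str, ...]
    may: Tuple[str, ...]


def parse_schema_map(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Parse the schema-map file: a bare name is a definition to skip, 'old:new' is a
    rename of an attribute, object class or OID; '#' starts a comment. Keys are
    lower-cased so lookups are case-insensitive, like the C code's strcasecmp()."""
    skip: Set[str] = set()
    rename: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" in line:
            old, new = (p.strip() for p in line.split(":", 1))
            rename[old.lower()] = new
        else:
            skip.add(line.lower())
    return skip, rename


def map_name(name: Optional[str], rename: Dict[str, str]) -> Optional[str]:
    """Single-pass rename: 'homeDirectory' and 'unixHomeDirectory' do not chain."""
    return rename.get(name.lower(), name) if name else name


def convert_schema(attrs, classes, skip, rename):
    """Drop skipped definitions and rename names, OIDs, the parent class and
    MUST/MAY references of the remaining ones."""
    out_attrs = [(map_name(n, rename), map_name(o, rename))
                 for n, o in attrs if n.lower() not in skip]
    out_classes: List[ClassDef] = []
    for c in classes:
        if c.name.lower() in skip:
            continue
        out_classes.append(ClassDef(
            name=map_name(c.name, rename),
            oid=map_name(c.oid, rename),
            sup=map_name(c.sup, rename),          # the parent-mapping step
            must=tuple(map_name(a, rename) for a in c.must),
            may=tuple(map_name(a, rename) for a in c.may),
        ))
    return out_attrs, out_classes


def render_objectclass(c: ClassDef) -> str:
    """Emit the class in RFC 4512 syntax (every class rendered STRUCTURAL for brevity)."""
    parts = [c.oid, f"NAME '{c.name}'"]
    if c.sup:
        parts.append(f"SUP {c.sup}")
    parts.append("STRUCTURAL")
    if c.must:
        parts.append("MUST ( " + " $ ".join(c.must) + " )")
    if c.may:
        parts.append("MAY ( " + " $ ".join(c.may) + " )")
    return "objectClasses: ( " + " ".join(parts) + " )"


# Subset of the proposed schema-map entries, in the page's file format
SCHEMA_MAP = """\
#Standard FDS attributes
homePostalAddress

#Remap into existing schema
unixHomeDirectory
unixHomeDirectory:homeDirectory
pwdLastSet
pwdLastSet:sambaPwdLastSet

#Resolve conflicting attributes
1.2.840.113556.1.4.484:fRSDirectoryFilter-oid

#Resolve conflicting object classes
person:samba4Person
2.5.6.6:samba4Person-oid
organizationalPerson:samba4OrganizationalPerson
2.5.6.7:samba4OrganizationalPerson-oid
"""

# Constructed AD-side input; "<name>-oid" values are placeholder OIDs
AD_ATTRS = [("homePostalAddress", "homePostalAddress-oid"),
            ("unixHomeDirectory", "unixHomeDirectory-oid"),
            ("pwdLastSet", "pwdLastSet-oid"),
            ("fRSDirectoryFilter", "1.2.840.113556.1.4.484")]
AD_CLASSES = [
    ClassDef("person", "2.5.6.6", "top", ("cn",), ("sn", "userPassword")),
    ClassDef("organizationalPerson", "2.5.6.7", "person", (), ("homePostalAddress", "displayName")),
    ClassDef("user", "user-oid", "organizationalPerson", (), ("unixHomeDirectory", "pwdLastSet")),
]

if __name__ == "__main__":
    skip, rename = parse_schema_map(SCHEMA_MAP)
    attrs, classes = convert_schema(AD_ATTRS, AD_CLASSES, skip, rename)
    for n, o in attrs:
        print(f"attributeTypes: ( {o} NAME '{n}' )")
    for c in classes:
        print(render_objectclass(c))
```

The output shows why the parent step matters: organizationalPerson is emitted as samba4OrganizationalPerson with SUP samba4Person, and user keeps its own name but now inherits from samba4OrganizationalPerson and lists homeDirectory and sambaPwdLastSet in MAY. Without the parent mapping, DS would reject the converted classes because their SUP would name person and organizationalPerson, which the converted schema no longer defines.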

Mapping Module

The following attribute mapping should be modified:

Local Name Remote Name Convert Local Convert Remote
groupType sambaGroupType normalise_to_signed32 val_copy

The following attribute mapping should be added:

Local Name Remote Name Convert Local Convert Remote
unixHomeDirectory homeDirectory
pwdLastSet sambaPwdLastSet
lastLogon sambaLogonTime
lastLogoff sambaLogoffTime
badPwdCount sambaBadPasswordCount
logonHours sambaLogonHours
homeDrive sambaHomeDrive
scriptPath sambaLogonScript
profilePath sambaProfilePath
userWorkstations sambaUserWorkstations
homeDirectory sambaHomePath
nextRid sambaNextRid
privilegeDisplayName sambaPrivName

The following object class mapping should be added:

Local Name Remote Name
domain samba4Domain
rFC822LocalPart samba4RFC822LocalPart
mailRecipient samba4MailRecipient
nisMap samba4NisMap
person samba4Person
organizationalPerson samba4OrganizationalPerson
residentialPerson samba4ResidentialPerson
inetOrgPerson samba4InetOrgPerson

The object class mapping should be stored in the following structure:

const struct ldb_map_objectclass nsuniqueid_objectclasses[] =
{
    {
        .local_name = "...",
        .remote_name = "..."
    },
    {
        .local_name = NULL
    }
};

The module initialization should be changed to use the object class mapping:

static int nsuniqueid_init(struct ldb_module *module)
{
    ldb_map_init(module, nsuniqueid_attributes, nsuniqueid_objectclasses,
        nsuniqueid_wildcard_attributes, "extensibleObject", NULL);

    return ldb_next_init(module);
}
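The module tables above describe a two-way translation of entries between the names Samba uses locally and the names stored in DS. As an added example (a Python model written for this page, not Samba's ldb_map code, which additionally handles DNs, wildcards and partially mapped records), the script below applies the proposed attribute and object class tables in both directions. The behaviour of normalise_to_signed32 is an assumption from its name: a 32-bit value written as unsigned by an AD client is stored as a signed INTEGER in DS; its convert_remote counterpart is val_copy, as in the page's table, so the signed form is what Samba reads back. The sample entries are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]   # LDAP entry: attribute name -> values (as strings)


def val_copy(v: str) -> str:
    return v


def normalise_to_signed32(v: str) -> str:
    """Assumed converter behaviour: fold an unsigned 32-bit value (e.g. groupType
    0x80000002 for a global security group) into the signed range DS stores."""
    n = int(v) & 0xFFFFFFFF
    return str(n - (1 << 32) if n > 0x7FFFFFFF else n)


@dataclass(frozen=True)
class AttrMap:
    local_name: str                                    # AD-side name seen by Samba
    remote_name: str                                   # name stored in DS
    convert_local: Callable[[str], str] = val_copy     # local -> remote
    convert_remote: Callable[[str], str] = val_copy    # remote -> local


# Subset of the attribute table proposed above
ATTR_MAPS = [
    AttrMap("groupType", "sambaGroupType", normalise_to_signed32, val_copy),
    AttrMap("userAccountControl", "userAccountControl", normalise_to_signed32, val_copy),
    AttrMap("pwdLastSet", "sambaPwdLastSet"),
    AttrMap("homeDirectory", "sambaHomePath"),
    AttrMap("unixHomeDirectory", "homeDirectory"),
]
# Subset of the object class table proposed above
OBJECTCLASS_MAPS = {"person": "samba4Person",
                    "organizationalPerson": "samba4OrganizationalPerson"}

# LDAP names are case-insensitive, so index the tables by lower-cased name
_BY_LOCAL = {m.local_name.lower(): m for m in ATTR_MAPS}
_BY_REMOTE = {m.remote_name.lower(): m for m in ATTR_MAPS}
_OC_TO_REMOTE = {k.lower(): v for k, v in OBJECTCLASS_MAPS.items()}
_OC_TO_LOCAL = {v.lower(): k for k, v in OBJECTCLASS_MAPS.items()}


def _add(entry: Entry, name: str, values: List[str]) -> None:
    entry.setdefault(name, []).extend(values)


def to_remote(local: Entry) -> Entry:
    """Rewrite an entry as the AD side wrote it into the form stored in DS."""
    out: Entry = {}
    for attr, values in local.items():
        key = attr.lower()
        if key == "objectclass":
            _add(out, "objectClass", [_OC_TO_REMOTE.get(v.lower(), v) for v in values])
        elif key in _BY_LOCAL:
            m = _BY_LOCAL[key]
            _add(out, m.remote_name, [m.convert_local(v) for v in values])
        else:
            _add(out, attr, list(values))      # unmapped attributes pass through unchanged
    return out


def to_local(remote: Entry) -> Entry:
    """Inverse direction: what Samba sees when it reads the DS entry back."""
    out: Entry = {}
    for attr, values in remote.items():
        key = attr.lower()
        if key == "objectclass":
            _add(out, "objectClass", [_OC_TO_LOCAL.get(v.lower(), v) for v in values])
        elif key in _BY_REMOTE:
            m = _BY_REMOTE[key]
            _add(out, m.local_name, [m.convert_remote(v) for v in values])
        else:
            _add(out, attr, list(values))
    return out


# Constructed sample entries
USER_ENTRY: Entry = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["alice"],
    "homeDirectory": ["\\\\fileserver\\alice"],   # Windows home share (AD meaning)
    "unixHomeDirectory": ["/home/alice"],         # POSIX home (stored as DS homeDirectory)
}
GROUP_ENTRY: Entry = {
    "objectClass": ["top", "group"],
    "cn": ["admins"],
    "groupType": ["2147483650"],                  # 0x80000002 as an AD client writes it
}

if __name__ == "__main__":
    print(to_remote(USER_ENTRY))
    print(to_remote(GROUP_ENTRY))
    print(to_local(to_remote(USER_ENTRY)) == USER_ENTRY)
```

The user entry round-trips exactly: the two home directory attributes swap names on the way in (sambaHomePath and homeDirectory in DS) and swap back on the way out, which is the whole reason the page maps unixHomeDirectory onto the DS homeDirectory and moves the AD homeDirectory to sambaHomePath. The group entry does not round-trip: 2147483650 is stored as -2147483646 and, because convert_remote is val_copy, read back in that signed form, so any consumer comparing groupType against the unsigned AD flag values has to account for the sign.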

Patches

The following patch has been applied to the source repository: