Extending the Active Directory and/or Native LDAP Schemas

Table of Contents

1. AD Schema
2. Native LDAP Schema
3. RFC4512 standard descriptions of these AD and native LDAP schema extensions

1. AD Schema

With Windows Server 2003 SP2 or above, the attribute _uid_ can be used to store the UNIX username. Similarly, the attribute _gid_ can be used to store the UNIX groupname. For older Windows servers either

1. Load the SFU (Microsoft's Services for UNIX) schema and use the attribute _msSFU30Name_, OR
2. Use another existing attribute, OR
3. Add a new attribute with syntax "Unicode String (OID: 2.5.5.3)" to the AD schema.

The following shows an ldif file that can be used to load the new schema into AD using the Windows LDIFDE tool. You may use the OIDs provided below, but if you have already created attributes and classes that can serve the same purpose as these, there is no need to re-create them with the OIDs that Sun has allocated.

```
dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixUserName
adminDescription: This attribute contains the object's UNIX username
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixGroupName
adminDescription: This attribute contains the object's UNIX groupname
objectClass: attributeSchema
oMSyntax: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
adminDescription: Auxiliary class to store UNIX name info in AD
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top
```

```
C:\> ldifde -v -i -f ad_namemap_schema.ldif
```

2. Native LDAP Schema

Similarly, for native LDAP based directory servers, an existing attribute can be used to store the Windows account name. If none is found, a new attribute can be added to the server's schema as shown below. You may use the OIDs provided below, but if you have already created attributes and classes that can serve the same purpose as these, there is no need to re-create them with the OIDs that Sun has allocated.

The following shows how to add the above schema to the Directory server using the ldapmodify(1M) command.

```
$ cat nldap_namemap_schema.ldif
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.42.2.27.5.1.62 NAME 'winAccountName' DESC 'Windows user or group name corresponding to a Unix user or group' EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.5.2.16 NAME 'winAccount' DESC 'Auxiliary class to store Windows name mappings in Unix user/group objects' SUP top AUXILIARY MAY winAccountName )

$ ldapmodify -D cn=admin -w - -f nldap_namemap_schema.ldif
Enter bind password:
modifying entry cn=schema

$
```
3. RFC4512 standard descriptions of these AD and native LDAP schema extensions

```
( 1.3.6.1.4.1.42.2.27.5.1.60 NAME 'unixUserName' DESC 'Name of Unix user that corresponds to a Windows user or group' EQUALITY caseExactMatch ORDERING caseExactOrderingMatch SUBSTRINGS caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications )

( 1.3.6.1.4.1.42.2.27.5.1.61 NAME 'unixGroupName' DESC 'Name of Unix group that corresponds to a Windows user or group' EQUALITY caseExactMatch ORDERING caseExactOrderingMatch SUBSTRINGS caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications )

( 1.3.6.1.4.1.42.2.27.5.2.15 NAME 'unixNameInfo' DESC 'Auxiliary class to store Unix User and Group names corresponding to Windows Users and Groups' SUP top AUXILIARY MAY ( unixUserName $ unixGroupName ) )

( 1.3.6.1.4.1.42.2.27.5.1.62 NAME 'winAccountName' DESC 'Windows user or group name corresponding to a Unix user or group' EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

( 1.3.6.1.4.1.42.2.27.5.2.16 NAME 'winAccount' DESC 'Auxiliary class to store Windows name mappings in Unix user/group objects' SUP top AUXILIARY MAY winAccountName )
```
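An AD schema extension is effectively permanent (an attributeSchema object can be made defunct but not deleted), so it is worth checking the LDIF against the documented definitions before running ldifde. The following Python script is an added example, not code from this page or from Sun: it parses LDIF records of the kind shown in sections 1 and 2 (including folded continuation lines and the `-` separators of a `changetype: modify` record), parses the RFC 4512 descriptions from section 3, and reports where the AD `attributeID`/`governsID`, `lDAPDisplayName`, `isSingleValued`, `objectClassCategory` and `mayContain` values disagree with the corresponding RFC 4512 OID, NAME, SINGLE-VALUE, AUXILIARY and MAY fields. The embedded inputs are constructed from the page: the `schemaUpdateNow` record is omitted and the DESC strings are shortened; the parser only extracts the fields this check uses.

```python
import re

# Constructed input: the AD attribute and class records from the page's
# ad_namemap_schema.ldif (the schemaUpdateNow record is omitted; it carries no schema).
AD_LDIF = """\
dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
lDAPDisplayName: unixUserName
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
lDAPDisplayName: unixGroupName
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top
"""

# The RFC 4512 descriptions from section 3, with DESC text shortened for width.
RFC4512_DEFS = [
    "( 1.3.6.1.4.1.42.2.27.5.1.60 NAME 'unixUserName' DESC 'Unix user name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "( 1.3.6.1.4.1.42.2.27.5.1.61 NAME 'unixGroupName' DESC 'Unix group name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "( 1.3.6.1.4.1.42.2.27.5.2.15 NAME 'unixNameInfo' SUP top AUXILIARY MAY ( unixUserName $ unixGroupName ) )",
]


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts; handles folded lines
    (leading space) and skips the '-' separators used in changetype: modify."""
    records, current, last = [], {}, None
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last record
        if raw == "":
            if current:
                records.append(current)
            current, last = {}, None
        elif raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]        # continuation of the previous value
        elif raw != "-":
            key, _, value = raw.partition(":")
            current.setdefault(key, []).append(value.strip())
            last = key
    return records


def parse_rfc4512(defn):
    """Pull the fields this check needs out of an RFC 4512 description."""
    oid = re.match(r"\(\s*([\d.]+)", defn).group(1)
    name = re.search(r"NAME\s+'([^']+)'", defn).group(1)
    may = re.search(r"MAY\s+(?:\(\s*([^)]*)\)|([\w-]+))", defn)   # '( a $ b )' or bare 'a'
    may_list = [a.strip() for a in (may.group(1) or may.group(2)).split("$")] if may else []
    return {"oid": oid, "name": name, "may": may_list,
            "single": "SINGLE-VALUE" in defn, "auxiliary": "AUXILIARY" in defn}


def check_ad_against_rfc(ad_ldif, rfc_defs):
    """Return a list of mismatches between the AD LDIF and the RFC 4512 descriptions."""
    rfc = {d["oid"]: d for d in map(parse_rfc4512, rfc_defs)}
    problems = []
    for rec in parse_ldif(ad_ldif):
        oid = (rec.get("attributeID") or rec.get("governsID"))[0]
        name = rec["lDAPDisplayName"][0]
        d = rfc.get(oid)
        if d is None:
            problems.append(f"{name}: OID {oid} has no RFC 4512 description")
            continue
        if d["name"] != name:
            problems.append(f"{name}: RFC 4512 NAME is {d['name']!r}")
        if "attributeID" in rec:                # attributeSchema record
            if (rec.get("isSingleValued", ["FALSE"])[0] == "TRUE") != d["single"]:
                problems.append(f"{name}: SINGLE-VALUE disagrees with isSingleValued")
        else:                                   # classSchema record
            if d["auxiliary"] != (rec.get("objectClassCategory", [""])[0] == "3"):
                problems.append(f"{name}: AUXILIARY disagrees with objectClassCategory 3")
            if sorted(d["may"]) != sorted(rec.get("mayContain", [])):
                problems.append(f"{name}: MAY list differs from mayContain")
    return problems


if __name__ == "__main__":
    print(check_ad_against_rfc(AD_LDIF, RFC4512_DEFS) or "AD LDIF and RFC 4512 forms agree")
```

Run as-is it reports that the two forms agree; flipping `isSingleValued` on one record, or dropping a `mayContain` line, produces a one-line mismatch naming the attribute or class. The same `parse_ldif` reads the native LDAP `nldap_namemap_schema.ldif` from section 2, whose `attributeTypes` and `objectClasses` values are RFC 4512 descriptions that `parse_rfc4512` accepts directly.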