Extending the Schema

1. AD Schema

With Windows Server 2003 SP2 or above, the attribute _uid_ can be used to store a UNIX username. Similarly, the attribute _gid_ can be used to store a UNIX group name. For older Windows servers, either:

  1. Load the SFU (Microsoft's Services for UNIX) schema and use the attribute _msSFU30Name_, OR
  2. Use another existing attribute, OR
  3. Add a new attribute with syntax "Unicode String (OID: 2.5.5.12)" to the AD schema. See [extend-ad-schema].

The following shows an ldif file that can be used to load the new schema into AD using the Windows LDIFDE tool. The OIDs "1.2.3.4.5.6.7" and "1.2.3.4.5.6.8" must be replaced by appropriate values from the site's own OID namespace.

    dn: CN=unixAccountName, CN=Schema, CN=Configuration, DC=example, DC=com
    changetype: add
    attributeID: 1.2.3.4.5.6.7
    attributeSyntax: 2.5.5.12
    isSingleValued: TRUE
    searchFlags: 1
    lDAPDisplayName: unixAccountName
    adminDescription: This attribute contains the object's UNIX name
    objectClass: attributeSchema
    oMSyntax: 64

    dn:
    changetype: modify
    add: schemaUpdateNow
    schemaUpdateNow: 1
    -

    dn: CN=unixAccount, CN=Schema, CN=Configuration, DC=example, DC=com
    changetype: add
    governsID: 1.2.3.4.5.6.8
    lDAPDisplayName: unixAccount
    adminDescription: Auxiliary class to store UNIX Account info in AD
    mustContain: unixAccountName
    objectClass: classSchema
    objectClassCategory: 3
    subClassOf: top

The file is loaded with:

    C:\> ldifde -v -i -f ad_namemap_schema.ldif

2. Native LDAP Schema

Similarly, for native LDAP-based directory servers, an existing attribute can be used to store the Windows account name. If none is found, a new attribute can be added to the server's schema as shown below. In the following example, the OIDs 1.2.3.4.5.6.7 and 1.2.3.4.5.6.8 must be replaced by appropriate values from the site's own OID namespace. See [extend-ldap-schema].

    ( 1.2.3.4.5.6.7 NAME 'winAccountName'
      DESC 'Windows Account Name'
      EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    ( 1.2.3.4.5.6.8 NAME 'winAccount'
      SUP top AUXILIARY
      DESC 'Auxiliary class to store Windows Account information in POSIX entries'
      MUST winAccountName )

The following shows how to add the above schema to the directory server using the ldapmodify(1M) command:

    $ cat nldap_namemap_schema.ldif
    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( 1.2.3.4.5.6.7 NAME 'winAccountName' DESC 'Windows Account Name' EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    -
    add: objectClasses
    objectClasses: ( 1.2.3.4.5.6.8 NAME 'winAccount' SUP top AUXILIARY DESC 'Auxiliary class to store Windows Account info in POSIX entries' MUST winAccountName )

    $ ldapmodify -D cn=admin -w - -f nldap_namemap_schema.ldif
    Enter bind password:
    modifying entry cn=schema
    $