Mon, 20 Jul 2020 11:56:57 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 20/07/2020 11:11, RhineDevil via samba wrote:
> > How could I migrate these fields to CN=aliases,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=local?
> >
> > dn: cn=abuse,ou=Aliases,DC=mydomail,DC=local
> > cn: abuse
> > objectClass: nisMailAlias
> > objectClass: top
> > rfc822MailMember: root
> >
> > dn: cn=noc,ou=Aliases,DC=mydomail,DC=local
> > cn: noc
> > objectClass: nisMailAlias
> > objectClass: top
> > rfc822MailMember: root
> >
> > dn: cn=security,ou=Aliases,DC=mydomail,DC=local
> > cn: security
> > objectClass: nisMailAlias
> > objectClass: top
> > rfc822MailMember: root
>
> First you will need the rfc822-MailMember.schema and then run that
> through oLschema2ldif to produce an ldif to add to AD.
>
> Doing the above should produce something like this:
>
> dn: CN=rfc822MailMember,CN=Schema,CN=Configuration,dc=local
> objectClass: top
> objectClass: attributeSchema
> attributeID: 1.3.6.1.4.1.42.2.27.2.1.15
> schemaIdGuid:: aB7do9Dx3LkCSVgvixllpg==
> cn: rfc822MailMember
> name: rfc822MailMember
> lDAPDisplayName: rfc822MailMember
> description: rfc822 mail address of group member(s)
> attributeSyntax: 2.5.5.5
> oMSyntax: 22
> isSingleValued: FALSE
>
> dn: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
> objectClass: top
> objectClass: classSchema
> governsID: 1.3.6.1.4.1.42.2.27.1.2.5
> schemaIdGuid:: gMnYtZqCPTLAMXe3RZus8A==
> cn: nisMailAlias
> name: nisMailAlias
> lDAPDisplayName: nisMailAlias
> subClassOf: top
> objectClassCategory: 1
> description: NIS mail alias
> mustContain: cn
> mayContain: rfc822MailMember
> defaultObjectCategory: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
>
> You will need to split that into two ldifs, one containing the
> objectclass, the other the attribute.
>
> You can then add the two ldifs like this:
>
> ldbadd -H path_to_sam_ldb attr.ldif --option="dsdb:schema update allowed"=true
> ldbadd -H path_to_sam_ldb class.ldif --option="dsdb:schema update allowed"=true
>
> You could then add your ldif (modified to suit AD):
>
> dn: cn=abuse,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> cn: abuse
> objectClass: nisMailAlias
> objectClass: top
> rfc822MailMember: root
>
> dn: cn=noc,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> cn: noc
> objectClass: nisMailAlias
> objectClass: top
> rfc822MailMember: root
>
> dn: cn=security,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> cn: security
> objectClass: nisMailAlias
> objectClass: top
> rfc822MailMember: root
>
> Whilst the above should work, I have never tried it. You should be aware
> that extending the AD schema is a one way action, you can never remove it.
>
> If you do extend your schema, you do this at your own risk, do not blame
> me if it goes wrong.
>
> Rowland
>

Wait but
Wouldn't it make sense to take care of this through samba-tool? Like there's --rfc-2037, --rfc822 could be added

On 20/07/2020 17:52, RhineDevil wrote:
> Mon, 20 Jul 2020 11:56:57 +0100 Rowland penny via samba <samba at lists.samba.org>:
>> On 20/07/2020 11:11, RhineDevil via samba wrote:
>>> How could I migrate these fields to CN=aliases,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=local?
>>>
>>> dn: cn=abuse,ou=Aliases,DC=mydomail,DC=local
>>> cn: abuse
>>> objectClass: nisMailAlias
>>> objectClass: top
>>> rfc822MailMember: root
>>>
>>> dn: cn=noc,ou=Aliases,DC=mydomail,DC=local
>>> cn: noc
>>> objectClass: nisMailAlias
>>> objectClass: top
>>> rfc822MailMember: root
>>>
>>> dn: cn=security,ou=Aliases,DC=mydomail,DC=local
>>> cn: security
>>> objectClass: nisMailAlias
>>> objectClass: top
>>> rfc822MailMember: root
>> First you will need the rfc822-MailMember.schema and then run that
>> through oLschema2ldif to produce an ldif to add to AD.
>>
>> Doing the above should produce something like this:
>>
>> dn: CN=rfc822MailMember,CN=Schema,CN=Configuration,dc=local
>> objectClass: top
>> objectClass: attributeSchema
>> attributeID: 1.3.6.1.4.1.42.2.27.2.1.15
>> schemaIdGuid:: aB7do9Dx3LkCSVgvixllpg==
>> cn: rfc822MailMember
>> name: rfc822MailMember
>> lDAPDisplayName: rfc822MailMember
>> description: rfc822 mail address of group member(s)
>> attributeSyntax: 2.5.5.5
>> oMSyntax: 22
>> isSingleValued: FALSE
>>
>> dn: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
>> objectClass: top
>> objectClass: classSchema
>> governsID: 1.3.6.1.4.1.42.2.27.1.2.5
>> schemaIdGuid:: gMnYtZqCPTLAMXe3RZus8A==
>> cn: nisMailAlias
>> name: nisMailAlias
>> lDAPDisplayName: nisMailAlias
>> subClassOf: top
>> objectClassCategory: 1
>> description: NIS mail alias
>> mustContain: cn
>> mayContain: rfc822MailMember
>> defaultObjectCategory: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
>>
>> You will need to split that into two ldifs, one containing the
>> objectclass, the other the attribute.
>>
>> You can then add the two ldifs like this:
>>
>> ldbadd -H path_to_sam_ldb attr.ldif --option="dsdb:schema update allowed"=true
>> ldbadd -H path_to_sam_ldb class.ldif --option="dsdb:schema update allowed"=true
>>
>> You could then add your ldif (modified to suit AD):
>>
>> dn: cn=abuse,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
>> cn: abuse
>> objectClass: nisMailAlias
>> objectClass: top
>> rfc822MailMember: root
>>
>> dn: cn=noc,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
>> cn: noc
>> objectClass: nisMailAlias
>> objectClass: top
>> rfc822MailMember: root
>>
>> dn: cn=security,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
>> cn: security
>> objectClass: nisMailAlias
>> objectClass: top
>> rfc822MailMember: root
>>
>> Whilst the above should work, I have never tried it. You should be aware
>> that extending the AD schema is a one way action, you can never remove it.
>>
>> If you do extend your schema, you do this at your own risk, do not blame
>> me if it goes wrong.
>>
>> Rowland
>>
> Wait but
> Wouldn't it make sense to take care of this through samba-tool? Like there's --rfc-2037, --rfc822 could be added

No, it wouldn't, basically all that adding '--rfc-2307' to the provision
command does, is to add the ypServ30 ldif to AD. This ldif is what
Microsoft added if you installed IDMU. Adding the ldif makes Samba
compatible with ADUC.

What you are adding is a corner case, so it would be a large amount of
work to update samba-tool for a very few users, or perhaps only you.
However, if you feel this should be in samba-tool, patches are always
welcome ;-)

Rowland

Mon, 20 Jul 2020 18:24:15 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 20/07/2020 17:52, RhineDevil wrote:
> > Mon, 20 Jul 2020 11:56:57 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >> On 20/07/2020 11:11, RhineDevil via samba wrote:
> >>> How could I migrate these fields to CN=aliases,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=local?
> >>>
> >>> dn: cn=abuse,ou=Aliases,DC=mydomail,DC=local
> >>> cn: abuse
> >>> objectClass: nisMailAlias
> >>> objectClass: top
> >>> rfc822MailMember: root
> >>>
> >>> dn: cn=noc,ou=Aliases,DC=mydomail,DC=local
> >>> cn: noc
> >>> objectClass: nisMailAlias
> >>> objectClass: top
> >>> rfc822MailMember: root
> >>>
> >>> dn: cn=security,ou=Aliases,DC=mydomail,DC=local
> >>> cn: security
> >>> objectClass: nisMailAlias
> >>> objectClass: top
> >>> rfc822MailMember: root
> >> First you will need the rfc822-MailMember.schema and then run that
> >> through oLschema2ldif to produce an ldif to add to AD.
> >>
> >> Doing the above should produce something like this:
> >>
> >> dn: CN=rfc822MailMember,CN=Schema,CN=Configuration,dc=local
> >> objectClass: top
> >> objectClass: attributeSchema
> >> attributeID: 1.3.6.1.4.1.42.2.27.2.1.15
> >> schemaIdGuid:: aB7do9Dx3LkCSVgvixllpg==
> >> cn: rfc822MailMember
> >> name: rfc822MailMember
> >> lDAPDisplayName: rfc822MailMember
> >> description: rfc822 mail address of group member(s)
> >> attributeSyntax: 2.5.5.5
> >> oMSyntax: 22
> >> isSingleValued: FALSE
> >>
> >> dn: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
> >> objectClass: top
> >> objectClass: classSchema
> >> governsID: 1.3.6.1.4.1.42.2.27.1.2.5
> >> schemaIdGuid:: gMnYtZqCPTLAMXe3RZus8A==
> >> cn: nisMailAlias
> >> name: nisMailAlias
> >> lDAPDisplayName: nisMailAlias
> >> subClassOf: top
> >> objectClassCategory: 1
> >> description: NIS mail alias
> >> mustContain: cn
> >> mayContain: rfc822MailMember
> >> defaultObjectCategory: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
> >>
> >> You will need to split that into two ldifs, one containing the
> >> objectclass, the other the attribute.
> >>
> >> You can then add the two ldifs like this:
> >>
> >> ldbadd -H path_to_sam_ldb attr.ldif --option="dsdb:schema update allowed"=true
> >> ldbadd -H path_to_sam_ldb class.ldif --option="dsdb:schema update allowed"=true
> >>
> >> You could then add your ldif (modified to suit AD):
> >>
> >> dn: cn=abuse,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> >> cn: abuse
> >> objectClass: nisMailAlias
> >> objectClass: top
> >> rfc822MailMember: root
> >>
> >> dn: cn=noc,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> >> cn: noc
> >> objectClass: nisMailAlias
> >> objectClass: top
> >> rfc822MailMember: root
> >>
> >> dn: cn=security,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> >> cn: security
> >> objectClass: nisMailAlias
> >> objectClass: top
> >> rfc822MailMember: root
> >>
> >> Whilst the above should work, I have never tried it. You should be aware
> >> that extending the AD schema is a one way action, you can never remove it.
> >>
> >> If you do extend your schema, you do this at your own risk, do not blame
> >> me if it goes wrong.
> >>
> >> Rowland
> >>
> > Wait but
> > Wouldn't it make sense to take care of this through samba-tool? Like there's --rfc-2037, --rfc822 could be added
>
> No, it wouldn't, basically all that adding '--rfc-2307' to the provision
> command does, is to add the ypServ30 ldif to AD. This ldif is what
> Microsoft added if you installed IDMU. Adding the ldif makes Samba
> compatible with ADUC.
>
> What you are adding is a corner case, so it would be a large amount of
> work to update samba-tool for a very few users, or perhaps only you.
> However, if you feel this should be in samba-tool, patches are always
> welcome ;-)
>
> Rowland
>

My idea would be more like adding full NIS support with an option (this is normally achieved by using misc.schema (misc.ldif in new database-like configuration) in OpenLDAP), but if you feel this is a corner case I won't be pushy and I'll try to achieve this in the distros I collaborate with in another way.
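
Since the thread stresses that a schema extension cannot be removed, the following pre-flight check for the steps quoted above (split the schema LDIF, then move the alias entries under the new base DN) is an added example, not code from the thread or from Samba. The function names, the `existing` list and the trimmed sample LDIF are assumptions made for illustration.

```python
import re

def parse_ldif(text):
    """Return entries as lists of lines, unfolding RFC 2849 continuation lines."""
    text = re.sub(r"\r?\n ", "", text.strip())
    entries = [b.splitlines() for b in re.split(r"\n\s*\n", text)]
    if not all(e and e[0].lower().startswith("dn:") for e in entries):
        raise ValueError("every entry must start with a dn: line")
    return entries

def values(entry, attr):
    prefix = attr.lower() + ":"  # attribute names compare case-insensitively
    return [l.split(":", 1)[1].lstrip(":").strip() for l in entry if l.lower().startswith(prefix)]

def split_schema(entries):
    """Separate attributeSchema entries (attr.ldif) from classSchema entries (class.ldif)."""
    attrs = [e for e in entries if "attributeSchema" in values(e, "objectClass")]
    classes = [e for e in entries if "classSchema" in values(e, "objectClass")]
    if len(attrs) + len(classes) != len(entries):
        raise ValueError("found an entry that is neither attributeSchema nor classSchema")
    return attrs, classes

def undefined_attrs(attrs, classes, existing=("cn",)):
    """Names a class references that neither attrs nor `existing` (assumed already in AD) defines."""
    defined = {v for e in attrs for v in values(e, "lDAPDisplayName")} | set(existing)
    used = {v for e in classes for k in ("mustContain", "mayContain") for v in values(e, k)}
    return sorted(used - defined)

def rebase_dn(dn, old_base, new_base):
    """Move a DN from old_base to new_base, refusing entries outside old_base."""
    if not dn.lower().endswith("," + old_base.lower()):
        raise ValueError(dn + " is not under " + old_base)
    return dn[:-len(old_base)] + new_base

# Constructed sample: the thread's two schema entries, cut down to the fields checked here.
SCHEMA = """\
dn: CN=rfc822MailMember,CN=Schema,CN=Configuration,dc=local
objectClass: attributeSchema
lDAPDisplayName: rfc822MailMember

dn: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
objectClass: classSchema
mustContain: cn
mayContain: rfc822MailMember
"""

if __name__ == "__main__":
    attrs, classes = split_schema(parse_ldif(SCHEMA))
    print(len(attrs), "attribute(s),", len(classes), "class(es), undefined:", undefined_attrs(attrs, classes))
```

An empty result from `undefined_attrs` means every attribute the class references is accounted for before anything is written to the directory; the two lists then go to attr.ldif and class.ldif, loaded in the order the thread gives.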