thr3ads.net - samba - [Samba] Novell EDirectory as LDAP backend [Feb 2003]

If this information is useful, please help other people find it:
Share via:

Rolf Offermanns

2003-Feb-17 12:20 UTC

[Samba] Novell EDirectory as LDAP backend

Hi,
is anybody out there who is using Novell Edir. with samba?

I have searched the archive and found some random notes but no real 
success story.

Here is what I have achived so far. Maybe someone can give me some hints.

I have tried the samba-nds.schema that comes with the 2.2.7a tar ball.
While I was able to import/add it to EDir. it did not work for me, 
because the "lmPassword" and "ntPassword" attributes had a
SyntaxID of
"SYN_INTEGER" which I think is wrong, because samba tries to store
some
hex.Strings in these attributes. After changing them to
"SYN_CI_STRING"
I was able to authenticate against edir.

The only thing that does not work is to ldapadd or ldif import users 
with objectClass sambaAccount.

Adding posixAccount users and then adding the sambaAccount objectClass 
via Novells "ConsoleOne" works, so I guess this is a edir. specific 
problem which is OT here.

So right now, I can manually add machine and user accounts, join (W2K) 
clients to the samba domain and log in as an user. Changing passwords 
works, too.

I have attached the modified schema file.

Can anyone give me a hint about adding users w/o using ConsoleOne?
Setting this up with openldap was no problem at all, btw, but I have to 
use edirectory, because my university wants it that way.

Any help is greatly appreceated,
-Rolf

Rolf Offermanns

2003-Feb-17 12:24 UTC

head link

[Samba] Novell EDirectory as LDAP backend

Forgot the attachment, sorry.

-------------- next part --------------
--
-- Submitted by Bruno Gimenes Pereti <pereti@ut mp dot edu dot br>
-- Modified by Rolf Offermanns <rolf.offermanns(at)gmx DOT net>
--
-- schema file for Novell's eDirectory 8.6/8.7
--

SambaAccountSchemaExtensions DEFINITIONS ::BEGIN

-- Password hashes
"lmPassword" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 1 }
}

"ntPassword" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 2 }
}

-- Account flags in string format ([UWDX     ])
"acctFlags" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 4 }
}

-- Password timestamps & policies
"pwdLastSet" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 3 }
}

"logonTime" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 5 }
}

"logoffTime" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 6 }
}

"kickoffTime" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 7 }
}

"pwdCanChange" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 8 }
}

"pwdMustChange" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 9 }
}

-- string settings
"homeDrive" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 10 }
}

"scriptPath" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 5 1 4 1 7165 2 1 11 }
}

"profilePath" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 12 }
}

"userWorkstations" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 13 }
}

"smbHome" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 17 }
}

"domain" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_CI_STRING,
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 18 }
}

-- user and group RID
"rid" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 14 }
}

"primaryGroupID" ATTRIBUTE ::{
	Operation		ADD,
	SyntaxID		SYN_INTEGER,
	Flags			{ DS_SINGLE_VALUED_ATTR },
	ASN1ObjID { 1 3 6 1 4 1 7165 2 1 15 }
}

"sambaAccount" OBJECT-CLASS ::{
	Operation		ADD,
	Flags			{DS_AUXILIARY_CLASS},
	SubClassOf		{"TOP"},
	MustContain		{	"uid"},
	MustContain		{	"rid"},
	MayContain		{	"CN"},
	MayContain		{	"lmPassword"},
	MayContain		{	"ntPassword"},
	MayContain		{	"pwdLastSet"},
	MayContain		{	"logonTime"},
	MayContain		{	"logoffTime"},
	MayContain		{	"kickoffTime"},
	MayContain		{	"pwdCanChange"},
	MayContain		{	"pwdMustChange"},
	MayContain		{	"acctFlags"},
	MayContain		{	"displayName"},
	MayContain		{	"smbHome"},
	MayContain		{	"homeDrive"},
	MayContain		{	"scriptPath"},
	MayContain		{	"profilePath"},
	MayContain		{	"description"},
	MayContain		{	"userWorkstations"},
	MayContain		{	"primaryGroupID"},
	MayContain		{	"domain"},
	ASN1ObjID { 1 3 6 1 4 1 7165 2 2 3 }
}

-- Used for Winbind experimentation
"uidPool" OBJECT-CLASS ::{
	Operation		ADD,
	Flags			{DS_AUXILIARY_CLASS},
	SubClassOf		{"TOP"},
	MustContain		{	"uidNumber"},
	MustContain		{	"CN"},
	ASN1ObjID { 1 3 6 1 4 1 7165 1 2 2 3 }
}

"gidPool" OBJECT-CLASS ::{
	Operation		ADD,
	Flags			{DS_AUXILIARY_CLASS},
	SubClassOf		{"TOP"},
	MustContain		{	"gidNumber"},
	MustContain		{	"CN"},
	ASN1ObjID { 1 3 6 1 4 1 7165 1 2 2 4 }
}

END

Bruno Gimenes Pereti

2003-Feb-17 14:55 UTC

head link

[Samba] Novell EDirectory as LDAP backend

Hi Rolf,

I spent a long time last year trying to use Edirectory with Samba but I
didn?t get it working. That file in the tar ball is a translation I did from
samba.schema to the sintaxe of the ndssch program that is installed with
Edir 8.6.2 for linux. The SyntaxID error is probably my mistake. I didn?t
get your file attached and I think you should send it to Jerry to update it
in the CVS tree.
I stopped working with that and now I?m using OpenLDAP but I remember that
the object "Account" was missing in the rfc2307-usergroup.sch that
comes
with the Edir for linux.

I suppose the user that you are using in the ldapclient and samba have the
right privilege to insert and alter information in you Edir. What is the
messages in you log file?

Bruno Gimenes Pereti.


----- Original Message -----
From: "Rolf Offermanns" <rolf.offermanns@gmx.net>
Subject: [Samba] Novell EDirectory as LDAP backend

> Hi,
> is anybody out there who is using Novell Edir. with samba?
>
> I have searched the archive and found some random notes but no real
> success story.
>
> Here is what I have achived so far. Maybe someone can give me some hints.
>
> I have tried the samba-nds.schema that comes with the 2.2.7a tar ball.
> While I was able to import/add it to EDir. it did not work for me,
> because the "lmPassword" and "ntPassword" attributes
had a SyntaxID of
> "SYN_INTEGER" which I think is wrong, because samba tries to
store some
> hex.Strings in these attributes. After changing them to
"SYN_CI_STRING"
> I was able to authenticate against edir.
>
> The only thing that does not work is to ldapadd or ldif import users
> with objectClass sambaAccount.
>
> Adding posixAccount users and then adding the sambaAccount objectClass
> via Novells "ConsoleOne" works, so I guess this is a edir.
specific
> problem which is OT here.
>
> So right now, I can manually add machine and user accounts, join (W2K)
> clients to the samba domain and log in as an user. Changing passwords
> works, too.
>
> I have attached the modified schema file.
>
> Can anyone give me a hint about adding users w/o using ConsoleOne?
> Setting this up with openldap was no problem at all, btw, but I have to
> use edirectory, because my university wants it that way.
>
> Any help is greatly appreceated,
> -Rolf

Stefan Voelkel

2003-Feb-20 14:02 UTC

head link

[Samba] Re: Novell EDirectory as LDAP backend

> Hi,
> is anybody out there who is using Novell Edir. with samba?
Yes, 8.6.3 on a RH 7.3 to be precise.
> I have searched the archive and found some random notes but no real 
> success story.
Works pretty good. I have not yet tried to integrate cups but user 
authentification (unix login) is done via pam_ldap, i just have some 
problems getting password syncronisation running, users can alt-ctrl-del 
an change their windows password, but I want to set the user unix 
password too.
> The only thing that does not work is to ldapadd or ldif import users 
> with objectClass sambaAccount.
sambaAccount is an auxiliary class, i think you do need a real object 
class (like user). Take a look with the Schema Manager (ConsoleOne) at 
the user class, and the needed attributes (IIRC there are 4).
> Adding posixAccount users and then adding the sambaAccount objectClass 
> via Novells "ConsoleOne" works, so I guess this is a edir.
specific
> problem which is OT here.
Check out the Novell News Servers, one is at:
	
	support-forums.novell.com

by
	Stefan

Apparently Analagous Threads

Search for more apparently analagous threads

samba - Feb 2003 - Novell EDirectory as LDAP backend

[Samba] Novell EDirectory as LDAP backend

[Samba] Novell EDirectory as LDAP backend

[Samba] Novell EDirectory as LDAP backend

[Samba] Re: Novell EDirectory as LDAP backend

Apparently Analagous Threads