Carlos Ramos Gómez
2010-Feb-27 00:57 UTC
[Samba] ldapsam:editposix with inetOrgPerson objectClass for users
Hello list, have a samba 3.4.3 as domain controller with openldap as backend, using ldapsam:trusted = Yes and ldapsam:editposix = Yes and everything works like a charm. Now i would like to use this ldap for storing more information about my users; full name, phone, address and maybe even a picture. InetOrgPerson is the objectClass i would like to use since it's standard and has all i need and more. Samba use the account objectClass as structural class for user and computer accounts, and since inetOrgPerson and account are both structural openldap won't let me have both in the same entry. I've been checking the code and it looks like the creation of the users with account as objectClass is hardcoded in samba so i guess there is no parameter in the configuration file which allows me to override this behavior. I also tried to modify my schema making inetOrgPerson the parent class of the account class but it turns out that sn is a required attribute in inetOrgPerson and samba obviously doesn't add this parameter so the user creation fails. The other options i see here would require heavy modifications to the ldap schema or modify the samba itself to create user accounts as inetOrgPerson and add an sn attribute in the process. So before taking any of those options i just wanted to make sure that there is not an easier one i have not seen. Any ideas are welcome. Thanks a lot.
Volker Lendecke
2010-Feb-27 09:22 UTC
[Samba] ldapsam:editposix with inetOrgPerson objectClass for users
On Fri, Feb 26, 2010 at 06:57:01PM -0600, Carlos Ramos G?mez wrote:> Hello list, have a samba 3.4.3 as domain controller with openldap as > backend, using ldapsam:trusted = Yes and ldapsam:editposix = Yes and > everything works like a charm. Now i would like to use this ldap for > storing more information about my users; full name, phone, address and > maybe even a picture. InetOrgPerson is the objectClass i would like to > use since it's standard and has all i need and more. Samba use the > account objectClass as structural class for user and computer > accounts, and since inetOrgPerson and account are both structural > openldap won't let me have both in the same entry. I've been checking > the code and it looks like the creation of the users with account as > objectClass is hardcoded in samba so i guess there is no parameter in > the configuration file which allows me to override this behavior. I > also tried to modify my schema making inetOrgPerson the parent class > of the account class but it turns out that sn is a required attribute > in inetOrgPerson and samba obviously doesn't add this parameter so the > user creation fails. The other options i see here would require heavy > modifications to the ldap schema or modify the samba itself to create > user accounts as inetOrgPerson and add an sn attribute in the process. > So before taking any of those options i just wanted to make sure that > there is not an easier one i have not seen. Any ideas are welcome.The best here would be to remove the ldapsam:editposix and do it with scripts of your own. ldapsam:editposix was made for simple configuration of a very specific DIT layout. If you need it to be different, please look at scripts. Volker
Apparently Analagous Threads
- [OT] Adding InetOrgPerson schema when using ldapsam:editposix module
- Segmentation Fault when trying to set root samba password, IPA as a backend
- confusion about using samba as NT4 PDC with ldapsam backend
- Ldapsam Editposix & idmap help required
- question concerning ldapsam:editposix and winbind