Rowland Penny
2024-Mar-26 14:49 UTC
[Samba] core & cosine schema items in Samba AD DC user object?
On Tue, 26 Mar 2024 14:50:41 +0100
Franta Hanzlík <franta at hanzlici.cz> wrote:

> On Tue, 26 Mar 2024 08:01:27 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 26 Mar 2024 02:57:51 +0100
> > Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> >
> > > Please, is it possible (perhaps with some Samba schema
> > > extension?) to have items such as 'c' (countryName), 'l'
> > > (localityName), 'co' (friendlyCountryName),
> > > 'street' (streetAddress), 'displayName' etc. in the description
> > > of the USER object?
> >
> > It is very possible, because they are standard components of the AD
> > schema:
> >
> > dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: c
> >
> > dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: l
> >
> > dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: co
> >
> > dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: street
> >
> > dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
> > lDAPDisplayName: displayName
>
> Yeah, it is super!
> My mistake was - before I was only looking in the
> /etc/openldap/schema/samba.schema file, where these attributes are
> not there. But now I can see them in the
> /usr/share/samba/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf
> file (which is perhaps what Samba uses as its schema).
>
> > > And then how to manage them? The "samba-tool user add" doesn't
> > > seem to have a corresponding switch...
> >
> > That would be up to you writing your own script to add them, unless
> > you would care to update samba-tool to do this ;-)
>
> Maybe these attributes can be supplemented with some Windows tool
> (RSAT/ADUC), I haven't tried it yet.
>
> What I just tried - add these attributes to AD with ldbmodify and a
> pre-prepared LDIF file (as:
>
> dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> changetype: modify
> add: l
> l: Plzeň
>
> ) - and it works well, thus the problem is solved.
>
> And another finding - adding a non-existent attribute such as
> Locality-Name (
>
> dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> changetype: modify
> add: Locality-Name
> Locality-Name: Plzeň
>
> ) to the schema (I mistakenly thought that e.g. the 'l' attribute is an
> external/LDAP alias for the internal "Locality-Name" attribute used
> by Samba) will not fail, and the USER object will have both "l" and
> "Locality-Name" attributes. Is it ok that I can add any nonsense
> (attribute not in schema) to the object?

I do not think you are quite understanding this. The 'DN':

CN=Locality-Name,CN=Schema,CN=Configuration,DC=X

is what it is called in the AD schema.

The actual attribute that you use is the 'lDAPDisplayName', in this
case 'l'.

So you would use an ldif like this:

dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
changetype: modify
add: l
l: Plzeň

Rowland
Franta Hanzlík
2024-Mar-26 16:13 UTC
[Samba] core & cosine schema items in Samba AD DC user object?
On Tue, 26 Mar 2024 14:49:02 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 26 Mar 2024 14:50:41 +0100
> Franta Hanzlík <franta at hanzlici.cz> wrote:
>
> > On Tue, 26 Mar 2024 08:01:27 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 26 Mar 2024 02:57:51 +0100
> > > Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> > >
> > > > [...]
> > >
> > > It is very possible, because they are standard components of the AD
> > > schema:
> > >
> > > dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: c
> > >
> > > dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: l
> > >
> > > dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: co
> > >
> > > dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: street
> > >
> > > dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: displayName
> >
> > Yeah, it is super!
> > My mistake was - before I was only looking in the
> > /etc/openldap/schema/samba.schema file, where these attributes are
> > not there. But now I can see them in the
> > /usr/share/samba/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf
> > file (which is perhaps what Samba uses as its schema).
> >
> > > [...]
> > >
> > > That would be up to you writing your own script to add them, unless
> > > you would care to update samba-tool to do this ;-)
> >
> > Maybe these attributes can be supplemented with some Windows tool
> > (RSAT/ADUC), I haven't tried it yet.
> >
> > What I just tried - add these attributes to AD with ldbmodify and a
> > pre-prepared LDIF file (as:
> >
> > dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> > changetype: modify
> > add: l
> > l: Plzeň
> >
> > ) - and it works well, thus the problem is solved.
> >
> > And another finding - adding a non-existent attribute such as
> > Locality-Name (
> >
> > dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> > changetype: modify
> > add: Locality-Name
> > Locality-Name: Plzeň
> >
> > ) to the schema (I mistakenly thought that e.g. the 'l' attribute is an
> > external/LDAP alias for the internal "Locality-Name" attribute used
> > by Samba) will not fail, and the USER object will have both "l" and
> > "Locality-Name" attributes. Is it ok that I can add any nonsense
> > (attribute not in schema) to the object?
>
> I do not think you are quite understanding this. The 'DN':
>
> CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
>
> is what it is called in the AD schema.
>
> The actual attribute that you use is the 'lDAPDisplayName', in this
> case 'l'.
>
> So you would use an ldif like this:
>
> dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> changetype: modify
> add: l
> l: Plzeň
>
> Rowland
>
> --

Yes, that's how I understood it later. But what surprised me is that
an object ("user" class in this case) can be assigned any imaginary
attribute - I thought that the Samba AD schema strictly limits what
objects, and with what attributes, can be in the AD. But maybe it only
limits the types of objects, but not their attributes...

(I'm keeping quiet now, I know very little about Samba and AD.
Many thanks, Rowland, thanks to you this mailing list is so great)

-- 
Franta Hanzlik
Lu?n? 502, 33209 Štěnovice, Czech Republic
Linux/Unix/LAN/Internet
e-mail: franta at hanzlici.cz
http://hanzlici.cz/
Tel: +420-372-222302
Fax: +420-372-222302
GSM: +420-604-117319
This mail contains no viruses; it was sent from the Linux operating system.
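The confusion in this thread is between a schema object's CN (Locality-Name) and the lDAPDisplayName that LDIF must use (l). As an added example, not code from the thread or from Samba, here is a small pre-check you can run over an LDIF file before handing it to ldbmodify: it parses a changetype: modify record and flags any attribute that is not a known lDAPDisplayName, suggesting the right name when a schema CN was used instead. The schema table is a constructed subset built from the five entries Rowland quoted, and the DN in the sample records is a placeholder.

```python
# Constructed subset of the AD schema, taken from the five entries quoted in
# the thread: schema object CN -> lDAPDisplayName (the name LDIF must use).
SCHEMA_CN_TO_LDAP = {
    "Country-Name": "c",
    "Locality-Name": "l",
    "Text-Country": "co",
    "Street-Address": "street",
    "Display-Name": "displayName",
}
# LDAP attribute names are case-insensitive, so match on the lower-cased form.
KNOWN_LDAP_NAMES = {v.lower() for v in SCHEMA_CN_TO_LDAP.values()}

# Constructed LDIF records mirroring the two tried in the thread (placeholder DN).
GOOD_LDIF = "dn: CN=Example User,OU=People,DC=example,DC=com\nchangetype: modify\nadd: l\nl: Plzeň\n"
BAD_LDIF = "dn: CN=Example User,OU=People,DC=example,DC=com\nchangetype: modify\nadd: Locality-Name\nLocality-Name: Plzeň\n"


def parse_ldif_modify(text):
    """Parse one 'changetype: modify' LDIF record into (dn, [[op, attr, values], ...])."""
    dn, ops, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # separator between modify operations
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            assert value.lower() == "modify", "only changetype: modify is handled here"
        elif key in ("add", "replace", "delete"):
            current = [key, value, []]        # value is the attribute being changed
            ops.append(current)
        elif current is not None and key == current[1].lower():
            current[2].append(value)          # a value line for the current operation
        else:
            raise ValueError(f"unexpected LDIF line: {raw!r}")
    if dn is None:
        raise ValueError("LDIF record has no dn")
    return dn, ops


def check_attributes(ops):
    """Map each attribute not known by lDAPDisplayName to a fix hint."""
    problems = {}
    for _op, attr, _values in ops:
        if attr.lower() not in KNOWN_LDAP_NAMES:
            hint = SCHEMA_CN_TO_LDAP.get(attr)
            problems[attr] = f"use lDAPDisplayName '{hint}'" if hint else "not in schema"
    return problems
```

In practice you would populate the table from the DC's schema partition (or the AD_DS_Attributes LDF file mentioned above) rather than a hand-written subset, so that every real attribute is recognised.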