How to Extend the Native LDAP Schema, and User and Group Entries (Solaris CIFS Administration Guide)

Solaris CIFS Administration Guide

How to Extend the Native LDAP Schema, and User and Group Entries

This procedure shows how to extend the native LDAP schema and populate the user and group objects with the associated Windows names.

Note –

Perform this task before enabling directory-based mapping on your Solaris system.

(Optional) Extend the native LDAP schema to add the new Windows user and group attributes.

Note –
If you do not want to extend the native LDAP schema, you can use an existing native LDAP schema attribute to store Windows user and group name information. For instance, if you already have schema that is comparable to what is described in Example 2–3, you can use your attributes instead of creating new ones.
1. Create an LDAP Data Interchange Format (LDIF) file to describe the native LDAP schema changes.
  
  For sample LDIF file contents, see Example 2–3.
2. Use the ldapmodify tool to load the schema changes into native LDAP.
  $ ldapmodify -D cn=admin -w p -f input-file

Use the ldapmodify command to populate the native LDAP user and group objects with the new attributes and their values.

You can use the idmap set-namemap command to populate user and group objects. See How to Add a Directory-Based Name Mapping to a User Object and How to Add a Directory-Based Name Mapping to a Group Object.
1. Create an LDIF file to record the updates to the native LDAP user and group objects.
  
  See a sample LDIF file in Example 2–4. For more information about the LDIF file format, see RFC 2849.
2. Use the ldapmodify command to update the user objects on the native LDAP server.
  $ ldapmodify -h LDAP-server-name -o mech=gssapi -o authzid='' -f input-file

Example 2–3 Extending the Native LDAP Schema

The following LDIF example file, nldap_namemap_schema.ldif, describes the native LDAP schema changes:

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.42.2.27.5.1.62
   NAME 'winAccountName'
   DESC 'Windows user or group name corresponding to a Unix user or group'
   EQUALITY caseIgnoreMatch
   SUBSTRINGS caseIgnoreSubstringsMatch
   ORDERING caseIgnoreOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.5.2.16
   NAME 'winAccount'
   DESC 'Auxiliary class to store Windows name mappings in Unix user/group objects'
   SUP top
   AUXILIARY
   MAY winAccountName )

Use the ldapmodify tool to load the schema changes into native LDAP:

$ ldapmodify -D cn=admin -w - -f f nldap_namemap_schema.ldif
Enter bind password:
modifying entry cn=schema

Example 2–4 Populating Native LDAP User and Group Objects

The following example has Solaris users tmw, crj, and dab stored in native LDAP. These Solaris users are associated with the Windows users terry, cal, and dana, respectively.

This example shows how to add the Windows user names to the appropriate user objects in native LDAP by using the ldapmodify command.

First, create an input file, updateUsers, that associates the Solaris names with the Windows names:

$ cat updateUsers
dn: uid=tmw,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountName
winAccountName: terry@example.com

dn: uid=crj,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountame
winAccountame: cal@example.com

dn: uid=dab,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountame
winAccountame: dana@example.com
$

Then, run the ldapmodify command to update the user objects on the native LDAP server, neptune:

$ ldapmodify -h neptune -o mech=gssapi -o authzid='' -f updateUsers