Solaris CIFS Administration Guide

Procedure: How to Extend the Active Directory Schema, and User and Group Entries

This procedure shows how to extend the AD schema and populate the user and group objects with the associated Solaris names.


Note –

Perform this task before enabling directory-based mapping on your Solaris system.


  1. (Optional) Extend the AD schema to add the new UNIX user and group attributes.


    Note –

    If you do not want to extend the AD schema, you can use an existing AD schema attribute to store UNIX user and group name information. For instance, if you already have a schema that is comparable to what is described in Example 2–1, you can use your attributes instead of creating new ones.


    1. Create an LDAP Data Interchange Format (LDIF) file to describe the AD schema changes.

      For sample LDIF file contents, see Example 2–1. Also see Extending Your Active Directory Schema in Windows Server 2003 R2 and Step-by-Step Guide to Using Active Directory Schema and Display Specifiers on the Microsoft TechNet web site.

    2. Use the ldifde tool to load the schema changes into AD from the Windows server.


      C:\> ldifde -v -i -f input-file
      
  2. Use the ldapmodify command to populate the AD user and group objects with the new attributes and their values.

    You can use the idmap set-namemap command to populate user and group objects. See How to Add a Directory-Based Name Mapping to a User Object and How to Add a Directory-Based Name Mapping to a Group Object.

    You can also use any of the Windows AD utilities to populate these objects.

    1. Create an LDIF file to record the updates to the AD user and group objects.

      See a sample LDIF file in Example 2–2. For more information about the LDIF file format, see RFC 2849.

    2. Use the kinit command to obtain a Kerberos ticket-granting ticket (TGT) for a privileged AD principal.

      This principal will be used by the ldapmodify command to update the AD objects described in the file you created in the previous substep.

      For example:


      $ kinit Administrator
      Password for Administrator@EXAMPLE.COM: 

    3. Use the ldapmodify command to update the user objects on the AD server.


      $ ldapmodify -h AD-server-name -o mech=gssapi -o authzid='' -f input-file
      

Example 2–1 Extending the AD Schema

The following LDIF example file, ad_namemap_schema.ldif, describes the AD schema changes:


dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixUserName
adminDescription: This attribute contains the object's UNIX username
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixGroupName
adminDescription: This attribute contains the object's UNIX groupname
objectClass: attributeSchema
oMSyntax: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
adminDescription: Auxiliary class to store UNIX name info in AD
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top

Use the ldifde tool to load the schema changes into AD from the Windows server:


C:\> ldifde -v -i -f ad_namemap_schema.ldif


Example 2–2 Populating AD User and Group Objects

The following example has Windows users terry, cal, and dana stored in Active Directory. These Windows users are associated with the Solaris users tmw, crj, and dab, respectively.

This example shows how to add the Solaris user names to the appropriate user objects in AD by using the ldapmodify command.

First, create an input file, updateUsers, that associates the Windows names with the Solaris names:


$ cat updateUsers
dn: CN=Terry Walters,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: tmw

dn: CN=Cal Jamieson,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: crj

dn: CN=Dana Bloom,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: dab
$

Next, use the kinit command to obtain a TGT for a privileged principal:


$ kinit Administrator
Password for Administrator@EXAMPLE.COM: 

Finally, run the ldapmodify command to update the user objects on the AD server, saturn:


$ ldapmodify -h saturn -o mech=gssapi -o authzid='' -f updateUsers
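As an added example (not part of the guide), the following Python checks an updateUsers-style LDIF before it is handed to ldapmodify: it parses the modify records, accepts only lowercase POSIX-style names (a rule assumed here; the guide states none), and flags a UNIX name that appears on more than one AD object, which would leave the UNIX-to-Windows lookup ambiguous. The function names and the sample LDIF are constructed for this example.

```python
import re

# Constructed input in the updateUsers format of Example 2-2 (sample data, not a real directory).
SAMPLE_LDIF = """\
dn: CN=Terry Walters,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: tmw

dn: CN=Cal Jamieson,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: crj
"""
# Conservative POSIX user-name rule; an assumption, the guide states none.
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def parse_ldif_records(text):
    """Split LDIF into records, each a list of (attribute, value) pairs."""
    records, current = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif line.startswith(" ") and current:  # LDIF continuation line
            current[-1] = (current[-1][0], current[-1][1] + line[1:])
        else:
            attr, _, val = line.partition(":")
            current.append((attr.strip(), val.strip()))
    return records

def check_name_mappings(text, attr="unixUserName"):
    """Return ({dn: unix_name}, [problems]) for a name-mapping LDIF like updateUsers."""
    mapping, problems, owner = {}, [], {}
    for rec in parse_ldif_records(text):
        fields = dict(rec)
        dn, name = fields.get("dn", ""), fields.get(attr, "")
        if not dn or fields.get("changetype") != "modify" or fields.get("add") != attr:
            problems.append(f"malformed record: {rec}")
        elif not NAME_RE.match(name):
            problems.append(f"{dn}: invalid UNIX name {name!r}")
        elif name in owner:  # one UNIX name on two AD objects: reverse lookup is ambiguous
            problems.append(f"{dn}: {name!r} already mapped to {owner[name]}")
        else:
            owner[name] = dn
            mapping[dn] = name
    return mapping, problems
```

Pass `attr="unixGroupName"` to run the same check over a group-object LDIF.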