Go to main content

Managing SMB File Sharing and Windows Interoperability in Oracle® Solaris 11.3

Exit Print View

Updated: December 2017
 
 

How to Extend the Active Directory Schema, and User and Group Entries

This procedure describes how to extend the AD schema and populate the user and group objects with the associated Oracle Solaris names.


Note -  Perform this task before enabling directory-based mapping on your Oracle Solaris system.
  1. (Optional) Extend the AD schema to add the new UNIX user and group attributes.

    Note -  If you do not want to extend the AD schema, you can use an existing AD schema attribute to store UNIX user and group name information. For instance, if you already have a schema like the one in Example 2, Extending the AD Schema, you can use your attributes instead of creating new ones.
    1. Create an LDAP Data Interchange Format (LDIF) file to describe the AD schema changes.

      For sample LDIF file contents, see Example 2, Extending the AD Schema. Also see "Extending Your Active Directory Schema in Windows Server 2003 R2" and "Step-by-Step Guide to Using Active Directory Schema and Display Specifiers" on the Microsoft TechNet web site.

    2. Load the schema changes into AD from the Windows server.
      C:\> ldifde -v -i -f input-file
  2. Populate the AD user and group objects with the new attributes and their values.

    You can also use the idmap set-namemap command to populate user and group objects. See How to Add a Directory-Based Name Mapping to a User or Group Object.

    You can also use any of the Windows AD utilities to populate these objects.

    1. Create an LDIF file to record the updates to the AD user and group objects.

      See the sample LDIF file in Example 3, Populating AD User and Group Objects. For more information about the LDIF file format, see RFC 2849, The LDAP Data Interchange Format (LDIF).

    2. Obtain a Kerberos ticket-granting ticket (TGT) for a privileged AD principal.

      The ldapmodify command uses this principal to update the AD objects described in the file you created.

      For example:

      $ kinit Administrator
      Password for Administrator@EXAMPLE.COM: 
    3. Update the user objects on the AD server.
      $ ldapmodify -h AD-server-name -o mech=gssapi -o authzid='' -f input-file
Example 2  Extending the AD Schema

This example shows a sample LDIF file, ad_namemap_schema.ldif, that describes the AD schema changes.

dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixUserName
adminDescription: This attribute contains the object's UNIX username
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixGroupName
adminDescription: This attribute contains the object's UNIX groupname
objectClass: attributeSchema
oMSyntax: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
adminDescription: Auxiliary class to store UNIX name info in AD
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top

Load the schema changes into AD from the Windows server:

C:\> ldifde -v -i -f ad_namemap_schema.ldif
Example 3  Populating AD User and Group Objects

This example shows how to add Oracle Solaris user names to the appropriate user objects in AD by using the ldapmodify command. Windows users john, george, and mary are stored in Active Directory. These Windows users are associated with the Oracle Solaris users tmw, crj, and dab, respectively.

First, create an input file, updateUsers, that associates the Windows names with the Oracle Solaris names:

$ cat updateUsers
dn: CN=John Smith,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: tmw

dn: CN=George Abbot,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: crj

dn: CN=Mary Jones,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: dab
$

Next, use the kinit command to obtain a TGT for a privileged principal:

$ kinit Administrator
Password for Administrator@EXAMPLE.COM: 

Finally, run the ldapmodify command to update the user objects on the AD server, saturn:

$ ldapmodify -h saturn -o mech=gssapi -o authzid='' -f updateUsers