How to Extend the Active Directory Schema, and User and Group Entries

This procedure describes how to extend the AD schema and populate the user and group objects with the associated Oracle Solaris names.

Note:

Perform this task before enabling directory-based mapping on your Oracle Solaris system.
  1. (Optional) Extend the AD schema to add the new UNIX user and group attributes.

    Note:

    If you do not want to extend the AD schema, you can store the UNIX user and group names in existing AD attributes instead. For instance, if your schema already defines attributes equivalent to those in Example 2-1, use them rather than creating new ones. Whichever attributes you use, they must be the ones that directory-based mapping is later configured to read.
    1. Create an LDAP Data Interchange Format (LDIF) file to describe the AD schema changes.

      For sample LDIF file contents, see Example 2-1. Also see "Extending Your Active Directory Schema in Windows Server 2003 R2" and "Step-by-Step Guide to Using Active Directory Schema and Display Specifiers" on the Microsoft TechNet web site.

    2. Load the schema changes into AD from the Windows server.
      C:\> ldifde -v -i -f input-file
  2. Populate the AD user and group objects with the new attributes and their values.

    Instead of an LDIF file, you can populate the user and group objects with the idmap set-namemap command (see How to Add a Directory-Based Name Mapping to a User or Group Object) or with any of the Windows AD utilities.

    1. Create an LDIF file to record the updates to the AD user and group objects.

      See the sample LDIF file in Example 2-2. For more information about the LDIF file format, see RFC 2849.

    2. Obtain a Kerberos ticket-granting ticket (TGT) for a privileged AD principal.

      The ldapmodify command authenticates as this principal to update the AD objects described in the file you created, so the principal must have write permission on those objects. The following example uses the domain Administrator account.

      For example:

      $ kinit Administrator
      Password for Administrator@EXAMPLE.COM:
    3. Update the user and group objects on the AD server.
      $ ldapmodify -h AD-server-name -o mech=gssapi -o authzid='' -f input-file

      The -o mech=gssapi option authenticates with the Kerberos credentials obtained in the previous step, and the empty authzid requests no proxy authorization, so the server authorizes the authenticated principal itself. AD accepts an attribute on an object only if one of the object's classes may contain it. If ldapmodify reports an object class violation, attach the unixNameInfo auxiliary class to the object (add: objectClass followed by objectClass: unixNameInfo in the same change record) or associate unixNameInfo with the user and group classes in the schema.

Example 2-1 Extending the AD Schema

This example shows a sample LDIF file, ad_namemap_schema.ldif, that describes the AD schema changes. The first two records define the unixUserName and unixGroupName attributes: attributeSyntax 2.5.5.3 with oMSyntax 27 is a case-sensitive string, isSingleValued TRUE allows one value per object, and searchFlags 1 indexes the attribute so that lookups by UNIX name are efficient. The third record sets schemaUpdateNow on the rootDSE, which makes the server reload its schema cache so that the new attributes are known before a class refers to them. The last record defines unixNameInfo, an auxiliary class (objectClassCategory 3) that may contain both attributes.

dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixUserName
adminDescription: This attribute contains the object's UNIX username
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixGroupName
adminDescription: This attribute contains the object's UNIX groupname
objectClass: attributeSchema
oMSyntax: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
adminDescription: Auxiliary class to store UNIX name info in AD
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top

Load the schema changes into AD from the Windows server:

C:\> ldifde -v -i -f ad_namemap_schema.ldif

Example 2-2 Populating AD User and Group Objects

This example shows how to add Oracle Solaris user names to the appropriate user objects in AD by using the ldapmodify command. Windows users user1, user2, and user3 are stored in Active Directory. These Windows users are associated with the Oracle Solaris users uone, utwo, and uthree, respectively. Group objects are updated in the same way, with unixGroupName in place of unixUserName.

First, create an input file, updateUsers, that associates the Windows names with the Oracle Solaris names:

$ cat updateUsers
dn: CN=User One,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: uone

dn: CN=User Two,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: utwo

dn: CN=User Three,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: uthree

Next, use the kinit command to obtain a TGT for a privileged principal:

$ kinit Administrator
Password for Administrator@EXAMPLE.COM:

Finally, run the ldapmodify command to update the user objects on the AD server, saturn:

$ ldapmodify -h saturn -o mech=gssapi -o authzid='' -f updateUsers
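The following script is an added example and is not part of the Oracle Solaris documentation or the idmap tools. It generates the ldapmodify input that Example 2-2 shows by hand from a small mapping file, covers group objects (unixGroupName) as well as user objects (unixUserName), rejects malformed Solaris names before anything is sent to AD, and wraps the kinit and ldapmodify steps of the procedure. The mapping file format, the ldapsearch read-back call and its -o options, and the server and principal names are assumptions made for the example; the page specifies none of them.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: build the
# ldapmodify input of Example 2-2 for any number of users AND groups from a
# mapping file, refuse malformed names before anything touches AD, and wrap
# the kinit/ldapmodify step of the procedure.
#
# Mapping file format (constructed for this example; one entry per line):
#   user:<Solaris user name>:<DN of the AD user object>
#   group:<Solaris group name>:<DN of the AD group object>
# The DN is the last field so that colons inside it, if any, are kept.
#
# Assumed: the unixUserName/unixGroupName attributes of Example 2-1 are
# loaded, and the target objects may carry them (unixNameInfo attached).

# A Solaris user or group name: POSIX portable filename characters, not
# starting with a hyphen.  Anything else (space, comma, colon) is rejected
# so it cannot corrupt the LDIF or be misparsed by ldapmodify.
valid_unix_name() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# An LDIF value that starts with a space, ':' or '<' would have to be
# base64-encoded (RFC 2849); AD never produces such DNs, so reject them.
valid_ldif_value() {
    case "$1" in
        '' | ' '* | ':'* | '<'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read mapping lines on stdin, write LDIF change records on stdout.
# Returns 1 if any line was rejected; apply nothing in that case.
gen_namemap_ldif() {
    status=0
    first=1
    while IFS=: read -r kind name dn; do
        case "$kind" in
            '' | '#'*) continue ;;               # blank line or comment
            user)  attr=unixUserName ;;
            group) attr=unixGroupName ;;
            *) echo "bad entry kind '$kind'" >&2; status=1; continue ;;
        esac
        if ! valid_unix_name "$name"; then
            echo "bad Solaris name '$name' for $dn" >&2; status=1; continue
        fi
        if ! valid_ldif_value "$dn"; then
            echo "bad DN '$dn'" >&2; status=1; continue
        fi
        [ "$first" -eq 1 ] || echo               # blank line between records
        first=0
        printf 'dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n-\n' \
            "$dn" "$attr" "$attr" "$name"
    done
    return "$status"
}

# Apply a generated file the way the procedure does: TGT for a privileged
# principal, then ldapmodify over GSSAPI (options as on the page).
apply_namemap() {   # apply_namemap <AD server> <principal> <ldif file>
    kinit "$2" && ldapmodify -h "$1" -o mech=gssapi -o authzid='' -f "$3"
}

# Read the attributes back afterwards to confirm the change landed.
# Assumption: Solaris ldapsearch accepts the same -o SASL options.
show_namemap() {    # show_namemap <AD server> <object DN>
    ldapsearch -h "$1" -o mech=gssapi -o authzid='' -b "$2" -s base \
        '(objectClass=*)' unixUserName unixGroupName
}

# Demonstration on constructed input (two users, one group); writes the
# LDIF to stdout.  To apply for real:
#   gen_namemap_ldif < mapping > updates.ldif &&
#   apply_namemap saturn Administrator updates.ldif
printf '%s\n' \
    'user:uone:CN=User One,CN=Users,DC=example,DC=com' \
    'user:utwo:CN=User Two,CN=Users,DC=example,DC=com' \
    'group:ugroup:CN=Unix Group,CN=Users,DC=example,DC=com' \
    | gen_namemap_ldif
```

Generating the file with `gen_namemap_ldif` and only then calling `apply_namemap` keeps the two concerns separate: a single malformed mapping line makes the generator return non-zero and nothing is applied, rather than leaving AD with half of the names set. The `-` terminator after each change is the RFC 2849 form; the hand-written file in Example 2-2 omits it, which ldapmodify also accepts.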