On Tue, 2012-03-13 at 16:21 +0100, Jan Zelený wrote:
> > Fixes https://fedorahosted.org/sssd/ticket/1031
> >
> > This patch creates a set of schema defaults that corresponds to Active
> > Directory 2008r2. It can be set up simply by specifying
> > ldap_schema = AD
> >
> > Operationally, it behaves like any other RFC2307bis server at this time.
> > This patch does not remove the requirement for SFU/SUA support in Active
> > Directory. More enhancements will follow to add support for AD-specific
> > features.
>
> I have a couple of questions/notes based on observation of values on my
> testing AD instance:
>
> Attribute gecos is apparently not filled by default, wouldn't it be better to
> use cn?
This is actually the same behavior as on other LDAP servers. The expectation is that the GECOS field should be used if it's not empty, otherwise it should default to the user's full name. In the SSSD, we first check for the 'gecos' attribute and then go to ldap_user_fullname (which in the case of RFC 2307 would be "cn", but in AD is "name").

> I didn't find attribute authorizedService in the AD attribute specification,
> is it correct?

Hmm, I was actually inconsistent here. I was leaving this in for the rare case where an AD admin decided to extend schema to support this. However, I made the opposite decision about ldap_user_authorized_host. Probably it's acceptable to set this to NULL and rely on the admin to change it if they end up extending the schema.

Fixed in attached patch.
From e58b8d2d8533f6709510e286c932d8ec629355c2 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <[email protected]> Date: Tue, 13 Mar 2012 10:07:25 -0400 Subject: [PATCH] LDAP: Add AD 2008r2 schema https://fedorahosted.org/sssd/ticket/1031 --- src/man/sssd-ldap.5.xml | 5 +++- src/providers/ldap/ldap_common.c | 51 ++++++++++++++++++++++++++++++++++++- 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 4fd4841e970c7449db421300d3814c8e532ab655..46ee8372b451593cd3046f7232c0523d25bb8771 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -164,10 +164,11 @@ attribute names retrieved from the servers may vary. The way that some attributes are handled may also differ. - Three schema types are currently supported: + Four schema types are currently supported: rfc2307 rfc2307bis IPA + AD The main difference between these schema types is how group memberships are recorded in the server. @@ -175,6 +176,8 @@ <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, group members are listed by DN and stored in the <emphasis>member</emphasis> attribute. + The AD schema type sets the attributes to correspond with + Active Directory 2008r2 values. </para> <para> Default: rfc2307 diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 69d1bc2bc7bf6888118d875e499ebc3d5d579c57..22d375539b030aa87e886d5af3146e6d7d694511 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c 
@@ -215,6 +215,53 @@ struct sdap_attr_map rfc2307bis_group_map[] = { { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL } }; +struct sdap_attr_map ad2008r2_user_map[] = { + { "ldap_user_object_class", "user", SYSDB_USER_CLASS, NULL }, + { "ldap_user_name", "sAMAccountName", SYSDB_NAME, NULL }, + { "ldap_user_pwd", "unixUserPassword", SYSDB_PWD, NULL }, + { "ldap_user_uid_number", "uidNumber", SYSDB_UIDNUM, NULL }, + { "ldap_user_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_user_gecos", "gecos", SYSDB_GECOS, NULL }, + { "ldap_user_home_directory", "unixHomeDirectory", SYSDB_HOMEDIR, NULL }, + { "ldap_user_shell", "loginShell", SYSDB_SHELL, NULL }, + { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL }, + { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL }, + { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, + { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL }, + { "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_user_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL }, + { "ldap_user_shadow_last_change", NULL, SYSDB_SHADOWPW_LASTCHANGE, NULL }, + { "ldap_user_shadow_min", NULL, SYSDB_SHADOWPW_MIN, NULL }, + { "ldap_user_shadow_max", NULL, SYSDB_SHADOWPW_MAX, NULL }, + { "ldap_user_shadow_warning", NULL, SYSDB_SHADOWPW_WARNING, NULL }, + { "ldap_user_shadow_inactive", NULL, SYSDB_SHADOWPW_INACTIVE, NULL }, + { "ldap_user_shadow_expire", NULL, SYSDB_SHADOWPW_EXPIRE, NULL }, + { "ldap_user_shadow_flag", NULL, SYSDB_SHADOWPW_FLAG, NULL }, + { "ldap_user_krb_last_pwd_change", NULL, SYSDB_KRBPW_LASTCHANGE, NULL }, + { "ldap_user_krb_password_expiration", NULL, SYSDB_KRBPW_EXPIRATION, NULL }, + { "ldap_pwd_attribute", NULL, SYSDB_PWD_ATTRIBUTE, NULL }, + { "ldap_user_authorized_service", NULL, SYSDB_AUTHORIZED_SERVICE, NULL }, + { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL}, + { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}, 
+ { "ldap_ns_account_lock", NULL, SYSDB_NS_ACCOUNT_LOCK, NULL}, + { "ldap_user_authorized_host", NULL, SYSDB_AUTHORIZED_HOST, NULL }, + { "ldap_user_nds_login_disabled", NULL, SYSDB_NDS_LOGIN_DISABLED, NULL }, + { "ldap_user_nds_login_expiration_time", NULL, SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL }, + { "ldap_user_nds_login_allowed_time_map", NULL, SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }, + { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL } +}; + +struct sdap_attr_map ad2008r2_group_map[] = { + { "ldap_group_object_class", "group", SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_name", "name", SYSDB_NAME, NULL }, + { "ldap_group_pwd", NULL, SYSDB_PWD, NULL }, + { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_group_member", "member", SYSDB_MEMBER, NULL }, + { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL }, + { "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL } +}; + struct sdap_attr_map netgroup_map[] = { { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL }, { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL }, @@ -466,8 +513,8 @@ int ldap_get_options(TALLOC_CTX *memctx, if (strcasecmp(schema, "AD") == 0) { opts->schema_type = SDAP_SCHEMA_AD; default_attr_map = gen_ad_attr_map; - default_user_map = rfc2307bis_user_map; - default_group_map = rfc2307bis_group_map; + default_user_map = ad2008r2_user_map; + default_group_map = ad2008r2_group_map; default_netgroup_map = netgroup_map; default_service_map = service_map; } else { -- 1.7.7.6
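Review bot: the sentence immediately before the added text in the sssd-ldap.5.xml hunk at @@ -175,6 +176,8 @@ still reads "With rfc2307bis and IPA, group members are listed by DN and stored in the member attribute", yet ad2008r2_group_map in this same patch maps ldap_group_member to "member" as well, so AD belongs in that sentence. Suggest changing it to "With rfc2307bis, IPA and AD, group members are listed by DN and stored in the member attribute." so the existing paragraph and the new "The AD schema type sets the attributes to correspond with Active Directory 2008r2 values." line agree on how AD group membership is recorded.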
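Review bot: in the ldap_common.c hunk at @@ -215,6 +215,53 @@, ad2008r2_group_map maps ldap_group_name to "name" while ad2008r2_user_map maps ldap_user_name to "sAMAccountName". In Active Directory "name" is only the object's RDN and is unique only within its parent container, whereas sAMAccountName is unique across the domain, so two groups with the same cn in different OUs would map to the same POSIX group name with this table; suggest "sAMAccountName" for ldap_group_name as well, matching the user map. As a style point, three entries in the user map close with "NULL}" where every other row uses "NULL }", e.g.
+ { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL},
+ { "ldap_ns_account_lock", NULL, SYSDB_NS_ACCOUNT_LOCK, NULL},
which should be made consistent before merging.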
