Hi Juergen,

could you please post your LDAP Configuration for Turbine?


I used the original Turbine schema from turbine.schema and have made some small changes to use it in an MS Windows 2008 R2 AD server.

I have made the following substitutions or assumptions:

a) Microsoft uses with the X500 OID its own id format which is NOT comparable with the openldap ids. OIDs are assigned by the ISO standard. Therefore every OID must start with "0", "1" or "2" for instance. In case of the TURBINE openldap ids we expand these ids with the prefixes "1.4" for attributes and "1.5" for classes.

b) To create the attributes and object classes we used Microsoft's "Active Directory Schema snap-in" (http://technet.microsoft.com/en-us/library/cc755885%28WS.10%29.aspx). According to Microsoft's "Active Directory Schema snap-in" drop-down menu "Syntax" we mapped the syntax notations as follows:
    * 1.3.6.1.4.1.1466.115.121.1.40 to "octet string"
    * 1.3.6.1.4.1.1466.115.121.1.15 to "case insensitive string"
    * 1.3.6.1.4.1.1466.115.121.1.53 to "UTC coded time"
    * 1.3.6.1.4.1.1466.115.121.1.26 to "IA5 String"

c) All TURBINE openldap attributes with a missing entry "SINGLE-VALUE" are assigned as "Multi-Valued" in Microsoft's AD server.


You will find all config information at the end of this mail. Please let me know if you need more specific information.

Kind regards
Thomas

--------------------------------------

And here is our "AD compliant" Turbine schema. The attributes and objects are created in the LDAP schema section
(DN: CN=Schema,CN=Configuration,DC=example,DC=com)

attributetype ( 1.4.15530.1.2
  NAME 'turbineObjectData'
  DESC 'Turbine object data'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)

attributetype ( 1.4.15530.1.3
  NAME 'turbinePermissionName'
  DESC 'Turbine permission name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype ( 1.4.15530.1.5
  NAME 'turbineUserCreationDate'
  DESC 'Turbine user creation timestamp'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
  SINGLE-VALUE)

attributetype ( 1.4.15530.1.6
  NAME 'turbineUserFirstName'
  DESC 'Turbine user first name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype ( 1.4.15530.1.7
  NAME 'turbineUserLastLogon'
  DESC 'Turbine user last login timestamp'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
  SINGLE-VALUE)

attributetype ( 1.4.15530.1.8
  NAME 'turbineUserLastModifiedTime'
  DESC 'Turbine user modification timestamp'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
  SINGLE-VALUE)

attributetype ( 1.4.15530.1.9
  NAME 'turbineUserLastName'
  DESC 'Turbine user last name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype ( 1.4.15530.1.10
  NAME 'turbineUserMailAddress'
  DESC 'Turbine user mail address'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

attributetype ( 1.4.15530.1.11
  NAME 'turbineUserPassword'
  DESC 'Turbine user pwd'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE)

attributetype ( 1.4.15530.1.12
  NAME 'turbineUserUniqueId'
  DESC 'Turbine unique user id'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE)

attributetype ( 1.4.15530.1.13
  NAME 'turbineGroupName'
  DESC 'Turbine group name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype ( 1.4.15530.1.14
  NAME 'turbineRoleName'
  DESC 'Turbine role name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

objectclass ( 1.5.15530.2.1
  NAME 'turbineUser'
  DESC 'Turbine user'
  SUP top
  AUXILIARY
  MUST ( turbineUserUniqueId )
  MAY ( turbineObjectData $ turbineUserCreationDate $ turbineUserFirstName $ turbineUserLastLogon $ turbineUserLastModifiedTime $ turbineUserLastName $
    turbineUserMailAddress $ userPassword ))

objectclass ( 1.5.15530.2.2
  NAME 'turbineUserGroup'
  DESC 'Turbine User Group '
  SUP top
  AUXILIARY
  MUST (  turbineUserUniqueId $ turbineGroupName )
  MAY (  turbineRoleName $ turbineObjectData ))

objectclass ( 1.5.15530.2.3
  NAME 'turbineGroup'
  DESC 'Turbine Group'
  SUP top
  AUXILIARY
  MUST (  turbineGroupName )
  MAY ( turbineObjectData ))

objectclass ( 1.5.15530.2.4
  NAME 'turbineRole'
  DESC 'Turbine role'
  SUP top
  AUXILIARY
  MUST (  turbineRoleName )
  MAY ( turbineObjectData $ turbinePermissionName ))

objectclass ( 1.5.15530.2.5
  NAME 'turbinePermission'
  DESC 'Turbine Permission'
  SUP top
  AUXILIARY
  MUST (  turbinePermissionName )
  MAY ( turbineObjectData ))


*******************************************************************

The LDAP tree is as follows (some project specific names are replaced by placeholders):

DC=example,DC=com
|
|-OU=myproject
|  |
|  `OU=Turbine
|    |
|    |-CN=TurbinePermissionDelete
|    |- ...
|    |-CN=TurbineRoleEditor
|    |- ...
|    |-CN=TurbineGroupGlobal
|    |- ...
|    |-CN=TUG_Maria_Hernandez
|    |- ...
|    |-CN=Maria Hernandez
|    ` ...
|
|-CN=Users
|  |
.  .

*******************************************************************

Examples for every type of a Turbine object:

dn: CN=TurbinePermissionDelete,OU=Turbine,OU=myproject,DC=example,DC=com
objectClass: top
objectClass: turbinePermission
objectClass: group
groupType: -2147483646
instanceType: 4
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
turbinePermissionName: MayDelete
cn: TurbinePermissionDelete
distinguishedName: CN=TurbinePermissionDelete,OU=Turbine,OU=myproject,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
name: TurbinePermissionDelete
objectGUID:: sZviLj5Vu0SrO+v1UfVumw==
objectSid:: AQUAAAAAAAUVAAAAn7xFeqHuYWk/K/AGkQQAAA==
sAMAccountName: TurbinePermissionDelete
sAMAccountType: 268435456
uSNChanged: 353800
uSNCreated: 353654
whenChanged: 20100421075518.0Z
whenCreated: 20100421064025.0Z

-----------------

dn: CN=TurbineRoleEditor,OU=Turbine,OU=myproject,DC=example,DC=com
objectClass: top
objectClass: turbineRole
objectClass: group
groupType: -2147483646
instanceType: 4
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
turbineRoleName: editor
cn: TurbineRoleEditor
distinguishedName: CN=TurbineRoleEditor,OU=Turbine,OU=myproject,DC=example,DC=co
 m
dSCorePropagationData: 16010101000000.0Z
name: TurbineRoleEditor
objectGUID:: GoDLMaCAnUW/sIi2Xfkz6Q==
objectSid:: AQUAAAAAAAUVAAAAn7xFeqHuYWk/K/AGnwQAAA==
sAMAccountName: TurbineRoleEditor
sAMAccountType: 268435456
turbinePermissionName: DMFUser
turbinePermissionName: SeeInvisible
turbinePermissionName: SeeContacts
turbinePermissionName: MayPublishUserTags
turbinePermissionName: MayModify
turbinePermissionName: HasModifyButton
turbinePermissionName: MayExport
turbinePermissionName: PerformAction
turbinePermissionName: SeeScreen
turbinePermissionName: MayLogin
uSNChanged: 369135
uSNCreated: 354082
whenChanged: 20100423125045.0Z
whenCreated: 20100421110400.0Z

-----------------

dn: CN=TurbineGroupGlobal,OU=Turbine,OU=myproject,DC=example,DC=com
objectClass: top
objectClass: turbineGroup
objectClass: group
groupType: -2147483646
instanceType: 4
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
turbineGroupName: global
cn: TurbineGroupGlobal
distinguishedName: CN=TurbineGroupGlobal,OU=Turbine,OU=myproject,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
name: TurbineGroupGlobal
objectGUID:: wIJvHdsVn0mO1tWx7KjMKQ==
objectSid:: AQUAAAAAAAUVAAAAn7xFeqHuYWk/K/AGjAQAAA==
sAMAccountName: TurbineGroupGlobal
sAMAccountType: 268435456
uSNChanged: 369243
uSNCreated: 352137
whenChanged: 20100423132300.0Z
whenCreated: 20100420121820.0Z

-----------------

dn: CN=TUG_Maria_Hernandez,OU=Turbine,OU=myproject,DC=example,DC=com
objectClass: top
objectClass: turbineUserGroup
objectClass: group
groupType: -2147483646
instanceType: 4
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
turbineGroupName: global
turbineUserUniqueId: mhernandez
cn: TUG_Maria_Hernandez
distinguishedName: CN=TUG_Maria_Hernandez,OU=Turbine,OU=myproject,DC=example,DC=
 com
dSCorePropagationData: 16010101000000.0Z
name: TUG_Maria_Hernandez
objectGUID:: pLpvTDaSmk2Ltu4F12sNgw==
objectSid:: AQUAAAAAAAUVAAAAn7xFeqHuYWk/K/AGpQQAAA==
sAMAccountName: TUG_Maria_Hernandez
sAMAccountType: 268435456
turbineRoleName: editor
uSNChanged: 375291
uSNCreated: 375287
whenChanged: 20100426131621.0Z
whenCreated: 20100426131410.0Z


-----------------

dn: CN=Maria Hernandez,OU=Turbine,OU=myproject,DC=example,DC=com
objectClass: top
objectClass: turbineUser
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Maria Hernandez
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
turbineUserUniqueId: mhernandez
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
countryCode: 0
displayName: Maria Hernandez
distinguishedName: CN=Maria Hernandez,OU=Turbine,OU=myproject,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
givenName: Maria
lastLogoff: 0
lastLogon: 0
lastLogonTimestamp: 129165058316974001
logonCount: 0
mail: [email protected]
name: Maria Hernandez
objectGUID:: XFbA3PRlKkmUZ4MAzBvcMQ==
objectSid:: AQUAAAAAAAUVAAAAn7xFeqHuYWk/K/AGogQAAA==
primaryGroupID: 513
pwdLastSet: 129164953562684115
sAMAccountName: mhernandez
sAMAccountType: 805306368
sn: Hernandez
userAccountControl: 66048
userPrincipalName: [email protected]
uSNChanged: 369288
uSNCreated: 368871
whenChanged: 20100423141711.0Z
whenCreated: 20100423112236.0Z

*******************************************************************
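
Added example, not part of the original mail: a Python script that applies rules (a), (b) and (c) above to OpenLDAP attributetype definitions and, going one step beyond the snap-in workflow described in the mail, renders each one as an attributeSchema LDIF entry for review. The function names, the shortened sample and the attributeSyntax/oMSyntax numbers (standard AD values, not stated in the mail) are assumptions of this example.

```python
import re

# Constructed sample: two definitions from the schema in this mail, DESC lines omitted.
SAMPLE = """
attributetype ( 1.4.15530.1.3
  NAME 'turbinePermissionName'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype ( 1.4.15530.1.5
  NAME 'turbineUserCreationDate'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
  SINGLE-VALUE)
"""

# LDAP syntax OID -> (snap-in label from the mail, attributeSyntax, oMSyntax).
# The last two columns are standard AD values, an assumption not taken from the mail.
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.40": ("octet string", "2.5.5.10", 4),
    "1.3.6.1.4.1.1466.115.121.1.15": ("case insensitive string", "2.5.5.4", 20),
    "1.3.6.1.4.1.1466.115.121.1.53": ("UTC coded time", "2.5.5.11", 23),
    "1.3.6.1.4.1.1466.115.121.1.26": ("IA5 String", "2.5.5.5", 22),
}

def parse_attributes(schema_text):
    """Return one dict per attributetype block, mapped per rules (a) to (c)."""
    out = []
    for oid, body in re.findall(r"attributetype\s*\(\s*([\d.]+)([^)]*)\)", schema_text):
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        syntax = re.search(r"SYNTAX\s+([\d.]+)", body).group(1)
        # (a) first OID arc must be 0, 1 or 2; (b) syntax must have a mapping
        if oid[0] not in "012" or syntax not in SYNTAX_MAP:
            raise ValueError(f"{name}: cannot map OID {oid} / syntax {syntax}")
        label, ad_syntax, om_syntax = SYNTAX_MAP[syntax]
        # (c) a definition without SINGLE-VALUE becomes multi-valued in AD
        out.append({"oid": oid, "name": name, "label": label,
                    "attributeSyntax": ad_syntax, "oMSyntax": om_syntax,
                    "single": "SINGLE-VALUE" in body.split()})
    return out

def to_ldif(a, schema_dn="CN=Schema,CN=Configuration,DC=example,DC=com"):
    """Render an attributeSchema entry as LDIF text; nothing is sent to a server."""
    return "\n".join([
        f"dn: CN={a['name']},{schema_dn}", "changetype: add",
        "objectClass: attributeSchema", f"attributeID: {a['oid']}",
        f"lDAPDisplayName: {a['name']}",
        f"attributeSyntax: {a['attributeSyntax']}", f"oMSyntax: {a['oMSyntax']}",
        f"isSingleValued: {'TRUE' if a['single'] else 'FALSE'}"])
```

Calling `to_ldif(a)` for each entry of `parse_attributes(SAMPLE)` gives text that can be compared against what the snap-in created before anything is imported.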

