Merge Samba 3.0 pdb_ldap from 3.0 into HEAD, so as to allow idra to continue

his IDMAP work.

This version also works properly (the HEAD version had suffered from bitrot),
and should be a good basis to change into the new IDMAP rules.

It also includes UTF8 conversions.

Included also are the schema changes, and a note about the now very old scripts
in examples/LDAP (they don't work for this, or even the previous schema).

Andrew Bartlett
(This used to be commit 38a8f2b23a12f6a964d447f7904dd722a1ca046c)

examples/LDAP/README

@@ -5,10 +5,9 @@
 !==
 
 This is a quick and dirty means of storing smbpasswd entries
-in LDAP.  Samba 2.2.x does not have any ability to grab
-this information directly from LDAP so you will need to
-periodically generate an smbpasswd from an ldapsearch
-"(objectclass=smbPasswordEntry)".
+in LDAP.  Samba 2.2.x (x >=4) and 3.0 can both store this information
+directly in LDAP, and the schema has *changed*.  As such these scripts will
+need modification prior to use.
 
 Be aware of search limits on your client or server which prevent
 all entries from being returned in the search result.

examples/LDAP/samba.schema

@@ -110,6 +110,15 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
 	EQUALITY integerMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
+##
+## SID, of any type
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
+	DESC 'Security ID'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
 ##
 ## group mapping attributes
 ##
@@ -118,10 +127,19 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType'
 	EQUALITY integerMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
-attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
-	DESC 'Security ID'
-	EQUALITY caseIgnoreIA5Match
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+##
+## Store info on the domain
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'nextUserRid'
+	DESC 'Next NT rid to give our for users'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid'
+	DESC 'Next NT rid to give out for groups'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
 ##
 ## The smbPasswordEntry objectclass has been depreciated in favor of the
@@ -146,7 +164,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
 
 objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 	DESC 'Samba Auxilary Account'
-	MUST ( uid $ rid ) 
+	MUST ( uid $ ntSid ) 
 	MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
                logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 
                displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
@@ -159,6 +177,17 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 ##
 ############################################################################
 
+##
+## Whole-of-domain info
+##
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
+	DESC 'Samba Domain Information'
+	MUST ( domain $ nextGroupRid $ nextUserRid $ ntSid)) 
+
+##
+## Group mapping info
+##
 objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
 	DESC 'Samba Group Mapping'
 	MUST ( gidNumber $ ntSid $ ntGroupType )