This patch removes 'non unix account range' (same as idra's change in HEAD),
and uses the winbind uid range instead.
More importantly, this patch changes the LDAP schema to use 'ntSid' instead
of 'rid' as the primary attribute. This makes it in common with the group
mapping code, and should allow it to be used closely with a future idmap_ldap.
Existing installations can use the existing functionality by using the
ldapsam_compat backend, and users who compile with --with-ldapsam will get
this by default.
More importantly, this patch adds a 'sambaDomain' object to our schema -
which contains 2 'next rid' attributes, the domain name and the domain sid.
Yes, there are *2* next rid attributes. The problem is that we don't 'own'
the entire RID space - we can only allocate RIDs that could be 'algorithmic'
RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be
mapped by IDMAP, not the algorithm.
Andrew Bartlett
(This used to be commit 3e07406ade
)
##
## schema file for OpenLDAP 2.0.x
## Schema for storing Samba's smbpasswd file in LDAP
## OIDs are owned by the Samba Team
##
## Prerequisite schemas - uid (cosine.schema)
## - displayName (inetorgperson.schema)
##
## 1.3.6.1.4.1.7165.2.1.x - attributetypes
## 1.3.6.1.4.1.7165.2.2.x - objectclasses
##
##
## Password hashes (password-equivalent credentials: restrict read access to these attributes via ACLs)
##
attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
DESC 'LanManager Passwd'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
DESC 'NT Passwd'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
DESC 'Account Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
DESC 'NT pwdLastSet'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
DESC 'NT logonTime'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
DESC 'NT logoffTime'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
DESC 'NT kickoffTime'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
DESC 'NT pwdCanChange'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
DESC 'NT pwdMustChange'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
DESC 'NT homeDrive'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
DESC 'NT scriptPath'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
DESC 'NT profilePath'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
DESC 'userWorkstations'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
DESC 'smbHome'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
DESC 'Windows NT domain to which the user belongs'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
##
## user and group RID
##
attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
DESC 'NT rid'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
DESC 'NT Group RID'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType'
DESC 'NT Group Type'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'nextUserRid'
DESC 'Next NT rid to give out for users'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid'
DESC 'Next NT rid to give out for groups'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## The smbPasswordEntry objectclass has been deprecated in favor of the
## sambaAccount objectclass
##
#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
# DESC 'Samba smbpasswd entry'
# MUST ( uid $ uidNumber )
# MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))
#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
# DESC 'Samba Account'
# MUST ( uid $ rid )
# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
# description $ userWorkstations $ primaryGroupID $ domain ))
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
DESC 'Samba Auxiliary Account'
MUST ( uid $ ntSid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
description $ userWorkstations $ primaryGroupID $ domain ))
############################################################################
##
## Please note that this schema is really experimental and might
## change before the 3.0 release.
##
############################################################################
##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
DESC 'Samba Domain Information'
MUST ( domain $ nextGroupRid $ nextUserRid $ ntSid))
##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
DESC 'Samba Group Mapping'
MUST ( gidNumber $ ntSid $ ntGroupType )
MAY ( displayName $ description ))
##
## Used for Winbind experimentation
##
#objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY
# DESC 'Pool for allocating UNIX uids'
# MUST ( uidNumber ) )
#objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY
# DESC 'Pool for allocating UNIX gids'
# MUST ( gidNumber ) )