
Re: NT Domain backend




Discussion moved from -core to -devel:

At 11:53 AM 11/17/99 -0500, Mark Valence wrote:
>I've finished the first cut at an NT domain backend.  It is currently
>"read-only" although I will be adding editing capabilities later.  It
>does users and groups, works only when running slapd on WinNT, and
>only does binds when running as a service (this is a silly NT
>requirement).
>I am using oc's of person, organizationalPerson, and groupOfNames
>(yes, these should be configurable).  I also added new oc's to
>slapd.oc.conf, with corresponding new attributes, to support some
>information that is specific to NT users and groups.

A few more details: the domain backend can handle multiple domains, each of which is in its own OU. Also, users and groups can be put into separate OUs. So you can get DNs that look like:


    cn=John Doe, ou=People, ou=MyDomain, o=MyCo, c=US

That's all configurable, but you get the idea.

If at all possible, use standard-track schema.
If reasonable, I would like to see back-passwd and back-ntd
share the same base schema.

I've used attributes already defined in person, organizationalPerson, and groupOfNames. The new oc's are just for NT-specific stuff. I also looked at things like umichPerson, residentialPerson, etc. to see if I could use attributes from those oc's instead of adding new ones.


I agree that back-domain and back-passwd should share where possible, especially if we cannot get a list of the oc's/attributes that MS uses.

>My question is:  Should I just use these new oc's and attributes or
>should they be added to the formal list?  What OIDs should I use?

We should distribute defs for any schema items we depend upon.
However, I'd prefer we avoid depending upon non-standard track
schema.  In some cases, it may be necessary to rely on published
as "informational".  In all cases, any schema we publish should
be well documented and stable.

I've attached the basic objectclass defs at the bottom of this message. Please send any comments, especially if you know of an existing person or group attribute that could be used instead of the new attrs.


>I've tried to find a list of the oc's and attribute names that
>Microsoft uses in Active Directory, but haven't had any luck.  I do
>know that MS's objectclass for users is "User", but that I have not
>found a comprehensive list of the attributes of a User object.

AD scares me... I believe it is documented less than OpenLDAP :-)
(at least we are documented by source).

Yet another place where NDS shines (relative to AD).

>Anyone have experience with AD?  Anyone interested in using the
>domain backend?  I'll be committing it RSN.


Mark.

=================================================================

objectclass ntDomainPerson
	requires
		objectClass,
		uid
	allows
		passwordAge,
		privilegeLevel,
		homeDirectory,
		ntUserFlags,
		scriptPath,
		ntAuthFlags,
		ntWorkstations,
		lastLogon,
		lastLogoff,
		expires,
		storageLimit,
		unitsperweek,
		logonHours,
		badPasswdCount,
		numLogons,
		logonServer,
		countryCode,
		codePage

objectclass ntDomainGroup
	requires
		objectClass
	allows
		ntGroupID,
		ntGroupFlags