
RE: NT Domain backend



Hello all,

This is EXTREMELY interesting to me, as I'd like very much to be able to
offer Linux to my clients as an integrated part of win2k domains.

As far as the Active Directory and its schema, I believe you can get it by
doing an LDIF dump of an entire AD tree.  You'd need to set up a win2k DC
with AD installed, and run the LDIFDE utility from the command line (this
should be included when AD is installed... if not, it's most likely on the
win2k reskit).  Since AD stores all its schema info in the directory
itself, this should give you a pretty good idea of the oc's and attributes
necessary for the NT backend project.

Incidentally, I am NOT a developer, so if my comments in this forum are off
the mark, please excuse me.  I am an MCSE with some experience with win2k
and Active Directory, and I am very interested, as I mentioned above, in
integrating open source solutions into NT/win2k domains.  I am eager to help
on the NT/win2k side of things, but I may not be much help on the unix
end...


Thanks,
Jeremy Jones, MCSE, CCNA
Systems Analyst
Northwest Network Services
(208) 343-5260 x106 
http://www.nwnets.com
mailto:jjones@nwnets.com




-----Original Message-----
From: Mark Valence [mailto:kurash@sassafras.com]
Sent: Wednesday, November 17, 1999 10:42 AM
To: openldap-devel@OpenLDAP.org
Cc: Kurt D. Zeilenga
Subject: Re: NT Domain backend



Discussion moved from -core to -devel:

>At 11:53 AM 11/17/99 -0500, Mark Valence wrote:
> >I've finished the first cut at an NT domain backend.  It is currently
> >"read-only" although I will be adding editing capabilities later.  It
> >does users and groups, works only when running slapd on WinNT, and
> >only does binds when running as a service (this is a silly NT
> >requirement).
> >I am using oc's of person, organizationalPerson, and groupOfNames
> >(yes, these should be configurable).  I also added new oc's to
> >slapd.oc.conf, with corresponding new attributes, to support some
> >information that is specific to NT users and groups.

A few more details:  the domain backend can handle multiple domains, 
each of which is in its own OU.  Also, users and groups can be put 
into separate OUs.  So you can get dns that look like:

     cn=John Doe, ou=People, ou=MyDomain, o=MyCo, c=US

That's all configurable, but you get the idea.

>If at all possible, use standard-track schema.
>If reasonable, I would like to see back-passwd and back-ntd
>share the same base schema.

I've used attributes already defined in person, organizationalPerson, 
and groupOfNames.  The new oc's are just for NT-specific stuff.  I 
also looked at things like umichPerson, residentialPerson, etc. to see 
if I could use attributes from those oc's instead of adding new ones.

I agree that back-domain and back-passwd should share where possible, 
especially if we cannot get a list of the oc's/attributes that MS 
uses.

> >My question is:  Should I just use these new oc's and attributes or
> >should they be added to the formal list?  What OIDs should I use?
>
>We should distribute defs for any schema items we depend upon.
>However, I'd prefer we avoid depending upon non-standard track
>schema.  In some cases, it may be necessary to rely on schema published
>as "informational".  In all cases, any schema we publish should
>be well documented and stable.

I've attached the basic objectclass defs at the bottom of this 
message.  Please send any comments, especially if you know of an 
existing person or group attribute that could be used instead of the 
new attrs.

> >I've tried to find a list of the oc's and attribute names that
> >Microsoft uses in Active Directory, but haven't had any luck.  I do
> >know that MS's objectclass for users is "User", but that I have not
> >found a comprehensive list of the attributes of a User object.
>
>AD scares me... I believe it is documented less than OpenLDAP :-)
>(at least we are documented by source).

Yet another place where NDS shines (relative to AD).

> >Anyone have experience with AD?  Anyone interested in using the
> >domain backend?  I'll be committing it RSN.


Mark.

=================================================================

objectclass ntDomainPerson
	requires
		objectClass,
		uid
	allows
		passwordAge,
		privilegeLevel,
		homeDirectory,
		ntUserFlags,
		scriptPath,
		ntAuthFlags,
		ntWorkstations,
		lastLogon,
		lastLogoff,
		expires,
		storageLimit,
		unitsperweek,
		logonHours,
		badPasswdCount,
		numLogons,
		logonServer,
		countryCode,
		codePage

objectclass ntDomainGroup
	requires
		objectClass
	allows
		ntGroupID,
		ntGroupFlags
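
As an added example (not part of the original messages or of OpenLDAP itself), here is a small Python checker that parses objectclass definitions written in the slapd.oc.conf syntax used above and validates entries against them; the requires/allows split is exactly what lets a server refuse an entry that carries, say, a passwordAge on a group. The ntDomainPerson and ntDomainGroup definitions are the ones posted above, and the sample entries in the test are constructed.

```python
import re

# The objectclass definitions posted above, in slapd.oc.conf syntax (compacted
# onto fewer lines; the parser also accepts the one-attribute-per-line layout).
NTD_OC_CONF = """
objectclass ntDomainPerson
    requires objectClass, uid
    allows passwordAge, privilegeLevel, homeDirectory, ntUserFlags, scriptPath,
        ntAuthFlags, ntWorkstations, lastLogon, lastLogoff, expires, storageLimit,
        unitsperweek, logonHours, badPasswdCount, numLogons, logonServer,
        countryCode, codePage
objectclass ntDomainGroup
    requires objectClass
    allows ntGroupID, ntGroupFlags
"""


def parse_oc_conf(text):
    """Parse 'objectclass X / requires ... / allows ...' blocks into
    {oc: {"requires": set, "allows": set}}, lowercased (LDAP names are case-insensitive)."""
    schema, oc, section = {}, None, None
    for line in text.splitlines():
        tokens = [t for t in re.split(r"[\s,]+", line.strip()) if t]
        if not tokens:
            continue
        if tokens[0].lower() == "objectclass" and not line[0].isspace():
            oc = tokens[1].lower()          # a new definition starts at column 0
            schema[oc] = {"requires": set(), "allows": set()}
            tokens = tokens[2:]
        for t in tokens:
            if t.lower() in ("requires", "allows"):
                section = t.lower()
            else:
                schema[oc][section].add(t.lower())
    return schema


def validate_entry(entry, schema):
    """Check an entry ({attr: [values]}) against the classes in its objectClass
    attribute; returns a list of problems, empty when the entry fits."""
    attrs = {a.lower() for a in entry}
    classes = [c.lower() for c in entry.get("objectClass", [])]
    unknown = [c for c in classes if c not in schema]  # e.g. person, groupOfNames
    required, allowed = {"objectclass"}, set()
    for c in classes:
        if c in schema:
            required |= schema[c]["requires"]
            allowed |= schema[c]["allows"]
    problems = [f"missing required attribute: {a}" for a in sorted(required - attrs)]
    if not unknown:  # judge surplus attributes only when every class is defined here
        problems += [f"attribute not allowed: {a}" for a in sorted(attrs - required - allowed)]
    return problems
```

Entries that also carry person or groupOfNames (whose attributes live in the stock slapd.oc.conf, not in this snippet) are checked only for missing required attributes, since the checker cannot know which extra attributes those classes permit.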