diff options
Diffstat (limited to 'examples/LDAP')
-rw-r--r-- | examples/LDAP/README | 30 | ||||
-rwxr-xr-x | examples/LDAP/convertSambaAccount | 56 | ||||
-rw-r--r-- | examples/LDAP/export2_smbpasswd.pl | 64 | ||||
-rw-r--r-- | examples/LDAP/import2_smbpasswd.pl | 108 | ||||
-rw-r--r-- | examples/LDAP/samba.schema | 33 |
5 files changed, 71 insertions, 220 deletions
diff --git a/examples/LDAP/README b/examples/LDAP/README index 98d88c091b..c7ff16ad08 100644 --- a/examples/LDAP/README +++ b/examples/LDAP/README @@ -4,28 +4,11 @@ !== written by Gerald Carter <jerry@samba.org> !== -This is a quick and dirty means of storing smbpasswd entries -in LDAP. Samba 2.2.x (x >=4) and 3.0 can both store this information -directly in LDAP, and the schema has *changed*. As such these scripts will -need modification prior to use. - -Be aware of search limits on your client or server which prevent -all entries from being returned in the search result. +This is a quick and dirty means of converting smbpasswd entries +to sambaAccount entriues in an LDAP directory. Pre-requisites for import_smbpasswd.pl & export_smbpasswd.pl ------------------------------------------------------------- -You must install Mozilla PerLDAP which is available at: - - http://www.mozilla.org/directory - -PerLDAP depends on the Netscape (aka iPlanet) C-SDK which is -available for download at: - - http:// www.iplanet.com/downloads/developer/ - - -Pre-requisites for import2_smbpasswd.pl & export2_smbpasswd.pl -------------------------------------------------------------- These two scripts are modified versions of [import|export]_smbpasswd.pl rewritten to use the Net::LDAP @@ -35,6 +18,7 @@ perl module available from + OpenLDAP 2.0.x -------------- @@ -67,7 +51,7 @@ You must restart the LDAP server for these new included schema files to become active. -import[2]_smbpasswd.pl +import_smbpasswd.pl ---------------------- Make sure you customize the local site variable in the perl script @@ -79,17 +63,17 @@ refer to RFC2307 and http://www.padl.com/software.html). The following will import an smbpasswd file into an LDAP directory - $ cat smbpasswd | import[2]_smbpasswd.pl + $ cat smbpasswd | import_smbpasswd.pl -export[2]_smbpasswd.pl +export_smbpasswd.pl ---------------------- Make sure you customize the local site variable in the perl script (i.e. ldapserver, rootdn, rootpw, etc...). You can then generate an smbpasswd file by executing - $ export[2]_smbpasswd.pl > smbpasswd + $ export_smbpasswd.pl > smbpasswd NOTE: Server side (or client side) search limites may prevent all users from being listed. Check you directory server documentation diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount index f5b49ff095..223c43eada 100755 --- a/examples/LDAP/convertSambaAccount +++ b/examples/LDAP/convertSambaAccount @@ -15,8 +15,8 @@ use Net::LDAP::LDIF; my ( $domain, $domsid ); my ( $ldif, $ldif2 ); my ( $entry, @objclasses, $obj ); -my ( $is_samba_account ); -my ( %attr_map, $key ); +my ( $is_samba_account, $is_samba_group ); +my ( %attr_map, %group_attr_map, $key ); if ( $#ARGV != 2 ) { print "Usage: convertSambaAccount domain_sid input_ldif output_ldif\n"; @@ -41,6 +41,11 @@ if ( $#ARGV != 2 ) { acctFlags => 'sambaAcctFlags', ); +%group_attr_map = ( + ntSid => 'sambaSID', + ntGroupType => 'sambaGroupType', +); + $domsid = $ARGV[0]; $ldif = Net::LDAP::LDIF->new ($ARGV[1], "r") @@ -65,37 +70,44 @@ while ( !$ldif->eof ) { ## @objclasses = $entry->get_value( "objectClass" ); undef ( $is_samba_account ); + undef ( $is_samba_group ); foreach $obj ( @objclasses ) { if ( "$obj" eq "sambaAccount" ) { $is_samba_account = 1; + } elsif ( "$obj" eq "sambaGroupMapping" ) { + $is_samba_group = 1; } } - if ( !defined ( $is_samba_account ) ) { - $ldif2->write_entry( $entry ); - next; - } - - ## - ## start editing the sambaAccount - ## + if ( defined ( $is_samba_account ) ) { + ## + ## start editing the sambaAccount + ## - $entry->delete( 'objectclass' => [ 'sambaAccount' ] ); - $entry->add( 'objectclass' => 'sambaSamAccount' ); + $entry->delete( 'objectclass' => [ 'sambaAccount' ] ); + $entry->add( 'objectclass' => 'sambaSamAccount' ); - $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) ); - $entry->delete( 'rid' ); + $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) ); + $entry->delete( 'rid' ); - if ( $entry->get_value( "primaryGroupID" ) ) { - $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); - $entry->delete( 'primaryGroupID' ); - } + if ( $entry->get_value( "primaryGroupID" ) ) { + $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); + $entry->delete( 'primaryGroupID' ); + } - foreach $key ( keys %attr_map ) { - if ( $entry->get_value($key) ) { - $entry->add( $attr_map{$key} => $entry->get_value($key) ); - $entry->delete( $key ); + foreach $key ( keys %attr_map ) { + if ( defined($entry->get_value($key)) ) { + $entry->add( $attr_map{$key} => $entry->get_value($key) ); + $entry->delete( $key ); + } + } + } elsif ( defined ( $is_samba_group ) ) { + foreach $key ( keys %group_attr_map ) { + if ( defined($entry->get_value($key)) ) { + $entry->add( $group_attr_map{$key} => $entry->get_value($key) ); + $entry->delete( $key ); + } } } diff --git a/examples/LDAP/export2_smbpasswd.pl b/examples/LDAP/export2_smbpasswd.pl deleted file mode 100644 index 90f5805e55..0000000000 --- a/examples/LDAP/export2_smbpasswd.pl +++ /dev/null @@ -1,64 +0,0 @@ -#!/usr/bin/perl -## -## Example script to export ldap entries into an smbpasswd file format -## using the Mozilla PerLDAP module. -## -## writen by jerry@samba.org -## -## ported to Net::LDAP by dkrovich@slackworks.com - -use Net::LDAP; - -###################################################### -## Set these values to whatever you need for your site -## - -$DN="dc=samba,dc=my-domain,dc=com"; -$ROOTDN="cn=Manager,dc=my-domain,dc=com"; -$rootpw = "secret"; -$LDAPSERVER="localhost"; - -## -## end local site variables -###################################################### - -$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; - -print "##\n"; -print "## Autogenerated smbpasswd file via ldapsearch\n"; -print "## from $LDAPSERVER ($DN)\n"; -print "##\n"; - -## scheck for the existence of the posixAccount first -$result = $ldap->search ( base => "$DN", - scope => "sub", - filter => "(objectclass=smbpasswordentry)" - ); - - - -## loop over the entries we found -while ( $entry = $result->shift_entry() ) { - - @uid = $entry->get_value("uid"); - @uidNumber = $entry->get_value("uidNumber"); - @lm_pw = $entry->get_value("lmpassword"); - @nt_pw = $entry->get_value("ntpassword"); - @acct = $entry->get_value("acctFlags"); - @pwdLastSet = $entry->get_value("pwdLastSet"); - - if (($#uid+1) && ($#uidNumber+1)) { - - $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1)); - $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1)); - $acct[0] = "[DU ]" if (! ($#acct+1)); - $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1)); - - print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n"; - } - -} - -$ldap->unbind(); -exit 0; - diff --git a/examples/LDAP/import2_smbpasswd.pl b/examples/LDAP/import2_smbpasswd.pl deleted file mode 100644 index bf643391a7..0000000000 --- a/examples/LDAP/import2_smbpasswd.pl +++ /dev/null @@ -1,108 +0,0 @@ -#!/usr/bin/perl -## -## Example script of how you could import a smbpasswd file into an LDAP -## directory using the Mozilla PerLDAP module. -## -## writen by jerry@samba.org -## -## ported to Net::LDAP by dkrovich@slackworks.com - -use Net::LDAP; - -################################################# -## set these to a value appropriate for your site -## - -$DN="dc=samba,dc=my-domain,dc=com"; -$ROOTDN="cn=Manager,dc=my-domain,dc=com"; -$rootpw = "secret"; -$LDAPSERVER="localhost"; - -## -## end local site variables -################################################# - -$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER"; - -## Bind as $ROOTDN so you can do updates -$mesg = $ldap->bind($ROOTDN, password => $rootpw); - -while ( $string = <STDIN> ) { - chop ($string); - - ## Get the account info from the smbpasswd file - @smbentry = split (/:/, $string); - - ## Check for the existence of a system account - @getpwinfo = getpwnam($smbentry[0]); - if (! @getpwinfo ) { - print STDERR "$smbentry[0] does not have a system account... skipping\n"; - next; - } - - ## check and see if account info already exists in LDAP. - $result = $ldap->search ( base => "$DN", - scope => "sub", - filter => "(&(|(objectclass=posixAccount)(objectclass=smbPasswordEntry))(uid=$smbentry[0]))" - ); - - ## If no LDAP entry exists, create one. - if ( $result->count == 0 ) { - $entry = $ldap->add ( dn => "uid=$smbentry[0]\,$DN", - attrs => [ - uid => $smbentry[0], - uidNumber => @getpwinfo[2], - lmPassword => $smbentry[2], - ntPassword => $smbentry[3], - acctFlags => $smbentry[4], - pwdLastSet => substr($smbentry[5],4), - objectclass => [ 'top', 'smbPasswordEntry' ] - ] - ); - print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n"; - - ## Otherwise, supplement/update the existing entry. - } elsif ($result->count == 1) { - # Put the search results into an entry object - $entry = $result->shift_entry; - - print "Updating [" . $entry->dn . "]\n"; - - ## Add the objectclass: smbPasswordEntry attribute if it's not there - @values = $entry->get_value( "objectclass" ); - $flag = 1; - foreach $item (@values) { - if ( lc($item) eq "smbpasswordentry" ) { - print $item . "\n"; - $flag = 0; - } - } - if ( $flag ) { - $entry->add(objectclass => "smbPasswordEntry"); - } - - ## Set the other attribute values - $entry->replace(lmPassword => $smbentry[2], - ntPassword => $smbentry[3], - acctFlags => $smbentry[4], - pwdLastSet => substr($smbentry[5],4) - ); - - ## Apply changes to the LDAP server - $updatemesg = $entry->update($ldap); - if ( $updatemesg->code ) { - print "Error updating $smbentry[0]!\n"; - } - - ## If we get here, the LDAP search returned more than one value - ## which shouldn't happen under normal circumstances. - } else { - print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n"; - next; - } -} - -$ldap->unbind(); -exit 0; - - diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index 3db7094bf2..6e8387f16e 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -132,7 +132,7 @@ # description $ userWorkstations $ primaryGroupID $ domain )) #objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY -# DESC 'Samba Auxilary Account' +# DESC 'Samba Auxiliary Account' # MUST ( uid $ rid ) # MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ # logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ @@ -276,6 +276,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' + DESC 'Next NT rid to give out for anything' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' + DESC 'Base at which the samba RID generation algorithm should operate' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + ####################################################################### ## objectClasses used by Samba 3.0 schema ## @@ -312,6 +322,23 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY ## objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' - MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ - sambaSID ) ) + MUST ( sambaDomainName $ + sambaSID ) + MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ + sambaAlgorithmicRidBase ) ) + +## used for idmap_ldap module +objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY + DESC 'Pool for allocating UNIX uids/gids' + MUST ( uidNumber $ gidNumber ) ) + + +objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY + DESC 'Mapping from a SID to an ID' + MUST ( sambaSID ) + MAY ( uidNumber $ gidNumber ) ) + +objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL + DESC 'Structural Class for a SID' + MUST ( sambaSID ) ) |