summaryrefslogtreecommitdiff
path: root/examples/LDAP
diff options
context:
space:
mode:
Diffstat (limited to 'examples/LDAP')
-rw-r--r--examples/LDAP/README30
-rwxr-xr-xexamples/LDAP/convertSambaAccount56
-rw-r--r--examples/LDAP/export2_smbpasswd.pl64
-rw-r--r--examples/LDAP/import2_smbpasswd.pl108
-rw-r--r--examples/LDAP/samba.schema33
5 files changed, 71 insertions, 220 deletions
diff --git a/examples/LDAP/README b/examples/LDAP/README
index 98d88c091b..c7ff16ad08 100644
--- a/examples/LDAP/README
+++ b/examples/LDAP/README
@@ -4,28 +4,11 @@
!== written by Gerald Carter <jerry@samba.org>
!==
-This is a quick and dirty means of storing smbpasswd entries
-in LDAP. Samba 2.2.x (x >=4) and 3.0 can both store this information
-directly in LDAP, and the schema has *changed*. As such these scripts will
-need modification prior to use.
-
-Be aware of search limits on your client or server which prevent
-all entries from being returned in the search result.
+This is a quick and dirty means of converting smbpasswd entries
+to sambaAccount entriues in an LDAP directory.
Pre-requisites for import_smbpasswd.pl & export_smbpasswd.pl
-------------------------------------------------------------
-You must install Mozilla PerLDAP which is available at:
-
- http://www.mozilla.org/directory
-
-PerLDAP depends on the Netscape (aka iPlanet) C-SDK which is
-available for download at:
-
- http:// www.iplanet.com/downloads/developer/
-
-
-Pre-requisites for import2_smbpasswd.pl & export2_smbpasswd.pl
--------------------------------------------------------------
These two scripts are modified versions of
[import|export]_smbpasswd.pl rewritten to use the Net::LDAP
@@ -35,6 +18,7 @@ perl module available from
+
OpenLDAP 2.0.x
--------------
@@ -67,7 +51,7 @@ You must restart the LDAP server for these new included schema files
to become active.
-import[2]_smbpasswd.pl
+import_smbpasswd.pl
----------------------
Make sure you customize the local site variable in the perl script
@@ -79,17 +63,17 @@ refer to RFC2307 and http://www.padl.com/software.html).
The following will import an smbpasswd file into an LDAP directory
- $ cat smbpasswd | import[2]_smbpasswd.pl
+ $ cat smbpasswd | import_smbpasswd.pl
-export[2]_smbpasswd.pl
+export_smbpasswd.pl
----------------------
Make sure you customize the local site variable in the perl script
(i.e. ldapserver, rootdn, rootpw, etc...). You can then generate
an smbpasswd file by executing
- $ export[2]_smbpasswd.pl > smbpasswd
+ $ export_smbpasswd.pl > smbpasswd
NOTE: Server side (or client side) search limites may prevent
all users from being listed. Check you directory server documentation
diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount
index f5b49ff095..223c43eada 100755
--- a/examples/LDAP/convertSambaAccount
+++ b/examples/LDAP/convertSambaAccount
@@ -15,8 +15,8 @@ use Net::LDAP::LDIF;
my ( $domain, $domsid );
my ( $ldif, $ldif2 );
my ( $entry, @objclasses, $obj );
-my ( $is_samba_account );
-my ( %attr_map, $key );
+my ( $is_samba_account, $is_samba_group );
+my ( %attr_map, %group_attr_map, $key );
if ( $#ARGV != 2 ) {
print "Usage: convertSambaAccount domain_sid input_ldif output_ldif\n";
@@ -41,6 +41,11 @@ if ( $#ARGV != 2 ) {
acctFlags => 'sambaAcctFlags',
);
+%group_attr_map = (
+ ntSid => 'sambaSID',
+ ntGroupType => 'sambaGroupType',
+);
+
$domsid = $ARGV[0];
$ldif = Net::LDAP::LDIF->new ($ARGV[1], "r")
@@ -65,37 +70,44 @@ while ( !$ldif->eof ) {
##
@objclasses = $entry->get_value( "objectClass" );
undef ( $is_samba_account );
+ undef ( $is_samba_group );
foreach $obj ( @objclasses ) {
if ( "$obj" eq "sambaAccount" ) {
$is_samba_account = 1;
+ } elsif ( "$obj" eq "sambaGroupMapping" ) {
+ $is_samba_group = 1;
}
}
- if ( !defined ( $is_samba_account ) ) {
- $ldif2->write_entry( $entry );
- next;
- }
-
- ##
- ## start editing the sambaAccount
- ##
+ if ( defined ( $is_samba_account ) ) {
+ ##
+ ## start editing the sambaAccount
+ ##
- $entry->delete( 'objectclass' => [ 'sambaAccount' ] );
- $entry->add( 'objectclass' => 'sambaSamAccount' );
+ $entry->delete( 'objectclass' => [ 'sambaAccount' ] );
+ $entry->add( 'objectclass' => 'sambaSamAccount' );
- $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) );
- $entry->delete( 'rid' );
+ $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) );
+ $entry->delete( 'rid' );
- if ( $entry->get_value( "primaryGroupID" ) ) {
- $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) );
- $entry->delete( 'primaryGroupID' );
- }
+ if ( $entry->get_value( "primaryGroupID" ) ) {
+ $entry->add( 'sambaPrimaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) );
+ $entry->delete( 'primaryGroupID' );
+ }
- foreach $key ( keys %attr_map ) {
- if ( $entry->get_value($key) ) {
- $entry->add( $attr_map{$key} => $entry->get_value($key) );
- $entry->delete( $key );
+ foreach $key ( keys %attr_map ) {
+ if ( defined($entry->get_value($key)) ) {
+ $entry->add( $attr_map{$key} => $entry->get_value($key) );
+ $entry->delete( $key );
+ }
+ }
+ } elsif ( defined ( $is_samba_group ) ) {
+ foreach $key ( keys %group_attr_map ) {
+ if ( defined($entry->get_value($key)) ) {
+ $entry->add( $group_attr_map{$key} => $entry->get_value($key) );
+ $entry->delete( $key );
+ }
}
}
diff --git a/examples/LDAP/export2_smbpasswd.pl b/examples/LDAP/export2_smbpasswd.pl
deleted file mode 100644
index 90f5805e55..0000000000
--- a/examples/LDAP/export2_smbpasswd.pl
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-##
-## Example script to export ldap entries into an smbpasswd file format
-## using the Mozilla PerLDAP module.
-##
-## writen by jerry@samba.org
-##
-## ported to Net::LDAP by dkrovich@slackworks.com
-
-use Net::LDAP;
-
-######################################################
-## Set these values to whatever you need for your site
-##
-
-$DN="dc=samba,dc=my-domain,dc=com";
-$ROOTDN="cn=Manager,dc=my-domain,dc=com";
-$rootpw = "secret";
-$LDAPSERVER="localhost";
-
-##
-## end local site variables
-######################################################
-
-$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
-
-print "##\n";
-print "## Autogenerated smbpasswd file via ldapsearch\n";
-print "## from $LDAPSERVER ($DN)\n";
-print "##\n";
-
-## scheck for the existence of the posixAccount first
-$result = $ldap->search ( base => "$DN",
- scope => "sub",
- filter => "(objectclass=smbpasswordentry)"
- );
-
-
-
-## loop over the entries we found
-while ( $entry = $result->shift_entry() ) {
-
- @uid = $entry->get_value("uid");
- @uidNumber = $entry->get_value("uidNumber");
- @lm_pw = $entry->get_value("lmpassword");
- @nt_pw = $entry->get_value("ntpassword");
- @acct = $entry->get_value("acctFlags");
- @pwdLastSet = $entry->get_value("pwdLastSet");
-
- if (($#uid+1) && ($#uidNumber+1)) {
-
- $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1));
- $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1));
- $acct[0] = "[DU ]" if (! ($#acct+1));
- $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1));
-
- print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n";
- }
-
-}
-
-$ldap->unbind();
-exit 0;
-
diff --git a/examples/LDAP/import2_smbpasswd.pl b/examples/LDAP/import2_smbpasswd.pl
deleted file mode 100644
index bf643391a7..0000000000
--- a/examples/LDAP/import2_smbpasswd.pl
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/usr/bin/perl
-##
-## Example script of how you could import a smbpasswd file into an LDAP
-## directory using the Mozilla PerLDAP module.
-##
-## writen by jerry@samba.org
-##
-## ported to Net::LDAP by dkrovich@slackworks.com
-
-use Net::LDAP;
-
-#################################################
-## set these to a value appropriate for your site
-##
-
-$DN="dc=samba,dc=my-domain,dc=com";
-$ROOTDN="cn=Manager,dc=my-domain,dc=com";
-$rootpw = "secret";
-$LDAPSERVER="localhost";
-
-##
-## end local site variables
-#################################################
-
-$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
-
-## Bind as $ROOTDN so you can do updates
-$mesg = $ldap->bind($ROOTDN, password => $rootpw);
-
-while ( $string = <STDIN> ) {
- chop ($string);
-
- ## Get the account info from the smbpasswd file
- @smbentry = split (/:/, $string);
-
- ## Check for the existence of a system account
- @getpwinfo = getpwnam($smbentry[0]);
- if (! @getpwinfo ) {
- print STDERR "$smbentry[0] does not have a system account... skipping\n";
- next;
- }
-
- ## check and see if account info already exists in LDAP.
- $result = $ldap->search ( base => "$DN",
- scope => "sub",
- filter => "(&(|(objectclass=posixAccount)(objectclass=smbPasswordEntry))(uid=$smbentry[0]))"
- );
-
- ## If no LDAP entry exists, create one.
- if ( $result->count == 0 ) {
- $entry = $ldap->add ( dn => "uid=$smbentry[0]\,$DN",
- attrs => [
- uid => $smbentry[0],
- uidNumber => @getpwinfo[2],
- lmPassword => $smbentry[2],
- ntPassword => $smbentry[3],
- acctFlags => $smbentry[4],
- pwdLastSet => substr($smbentry[5],4),
- objectclass => [ 'top', 'smbPasswordEntry' ]
- ]
- );
- print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n";
-
- ## Otherwise, supplement/update the existing entry.
- } elsif ($result->count == 1) {
- # Put the search results into an entry object
- $entry = $result->shift_entry;
-
- print "Updating [" . $entry->dn . "]\n";
-
- ## Add the objectclass: smbPasswordEntry attribute if it's not there
- @values = $entry->get_value( "objectclass" );
- $flag = 1;
- foreach $item (@values) {
- if ( lc($item) eq "smbpasswordentry" ) {
- print $item . "\n";
- $flag = 0;
- }
- }
- if ( $flag ) {
- $entry->add(objectclass => "smbPasswordEntry");
- }
-
- ## Set the other attribute values
- $entry->replace(lmPassword => $smbentry[2],
- ntPassword => $smbentry[3],
- acctFlags => $smbentry[4],
- pwdLastSet => substr($smbentry[5],4)
- );
-
- ## Apply changes to the LDAP server
- $updatemesg = $entry->update($ldap);
- if ( $updatemesg->code ) {
- print "Error updating $smbentry[0]!\n";
- }
-
- ## If we get here, the LDAP search returned more than one value
- ## which shouldn't happen under normal circumstances.
- } else {
- print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n";
- next;
- }
-}
-
-$ldap->unbind();
-exit 0;
-
-
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 3db7094bf2..6e8387f16e 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -132,7 +132,7 @@
# description $ userWorkstations $ primaryGroupID $ domain ))
#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
-# DESC 'Samba Auxilary Account'
+# DESC 'Samba Auxiliary Account'
# MUST ( uid $ rid )
# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
@@ -276,6 +276,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
+ DESC 'Next NT rid to give out for anything'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
+ DESC 'Base at which the samba RID generation algorithm should operate'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
#######################################################################
## objectClasses used by Samba 3.0 schema ##
@@ -312,6 +322,23 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
DESC 'Samba Domain Information'
- MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $
- sambaSID ) )
+ MUST ( sambaDomainName $
+ sambaSID )
+ MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
+ sambaAlgorithmicRidBase ) )
+
+## used for idmap_ldap module
+objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
+ DESC 'Pool for allocating UNIX uids/gids'
+ MUST ( uidNumber $ gidNumber ) )
+
+
+objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
+ DESC 'Mapping from a SID to an ID'
+ MUST ( sambaSID )
+ MAY ( uidNumber $ gidNumber ) )
+
+objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
+ DESC 'Structural Class for a SID'
+ MUST ( sambaSID ) )