Samba-PDC LDAP (AD) schemas

20010421.04

Ignacio Coupeau
CTI, University of Navarra



Draft working paper...


Proposed Samba-AD schemas (LDAP v3)



This section is the result of a comparison between the TNG code, the schemas proposed on the lists, the Microsoft schema supplied with the OpenLDAP v2 code (version 2.0.3), the AD docs, the LDIF files extracted from a real AD domain, and a lot of good ideas from Alistair G. Lowe-Norris' and Adam Woods' books, which may be the key. For now I am going to follow the schemas in Adam's book and the MS lde utility.
Please keep in mind that MS follows the X.500 objects and syntax, but modified... For example, the MS computer object tree looks like this:
Top
|
person
|
organizationalPerson
|
User
|
Computer


The only problem is that the "Top" class has a NAME like the official X.500 "top" (2.5.6.0), but it has been redefined with a lot of attributes common to the objects below it (User, Computer and so on).
 
Microsoft's Top from AD (from ADSI Edit):

NAME 'Top'
SUP top
ABSTRACT
MUST
cn
defaultObjectCategory
governsID
instanceType
objectCategory
objectClass
objectClassCategory
schemaIDGUID
subClassOf
MAY
adminDescription
adminDisplayName
allowedAttributes
...
canonicalName
..
createTimeStamp
description
displayName
displayNamePrintable
dSCorePropagationData
..

X.500 (cosine, core) top, OID 2.5.6.0:

# Standard object classes from RFC2256

objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
        MUST objectClass )

As top (OID 2.5.6.0) is a required object class for every LDAP server, the AD schema redefinition may either:

  1. ignore the MS "Top" redefinition and overload the derived objects instead, or
  2. define a new objectClass such as top_ms.

The schema I suggest for the moment follows option #1. Below I'm working a bit on the MS Top schema.

The red attributes/objects are missing attributes/objects that must be defined/incorporated. The blue attributes/objects are actually used in the extracted AD, but this does not imply that only the blue attributes/objects are required in the new schemas.
The only attribute I can't find is changetype (<add|??>).


Note: I need to browse a lot of objects, so these tables are in progress.
 
 
ObjectClass / (mixed) attributes

top: definition from schema/core.schema

objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
        MUST objectClass )

Top: Microsoft extends the X.500 top class a bit; I'm very puzzled...

objectclass: 2.5.6.0 NAME 'Top' 
SUP top
ABSTRACT
MUST 
cn
defaultObjectCategory
governsID
instanceType
objectCategory
objectClass
objectClassCategory
schemaIDGUID
subClassOf
MAY
adminDescription
adminDisplayName
allowedAttributes
...
canonicalName
..
createTimeStamp
description
displayName
displayNamePrintable
dSCorePropagationData
 

user: objectclass 1.2.840.113556.1.5.9
NAME 'user'
SUP organizationalPerson
STRUCTURAL
MUST
 objectSid
 cn 
MAY 
 accountExpires $ 
 aCSPolicyName $ 
 adminCount $ 
 badPasswordTime $ 
 badPwdCount $ 
 changetype$ 
 codePage $ 
 controlAccessRights $ 
 countryCode$ 
 dBCSPwd $ 
 defaultClassStore $ 
 description $ 
 desktopProfile $ 
dynamicLDAPServer
 displayName$ 
 distinguishedName$ 
 givenName$ 
 groupMembershipSAM $
groupPriority
groupsToIgnore
 homeDirectory $ 
 homeDrive $ 
 instanceType$ 
 lastLogoff $ 
 lastLogon $ 
 lmPwdHistory $ 
 localeID $ 
 lockoutTime $ 
 logonCount $ 
 logonHours $ 
 logonWorkstation $ 
 maxStorage $ 
 memberOf $ 
msRAS*
msRADIUS*
msNP*
mS*
 name $ 
 ntPwdHistory $ 
netWorkAddress
 objectCategory$ 
 objectGUID$ 
 operatorCount $ 
 otherLoginWorkstations $ 
 preferredOU $ 
 primaryGroupID $ 
 profilePath $ 
 pwdLastSet $ 
 sAMAccountName $ 
 sAMAccountType $ 
 scriptPath $ 
 servicePrincipalName $ 
terminalServer
 unicodePwd $ 
 userAccountControl $ 
userCertificate
userParameters
 userPrincipalName $ 
 userSharedFolder $ 
userSharedFolderOther
 userSharedFolderOther $ 
 userWorkstations $ 
 uSNChanged $ 
 uSNCreated $ 
 whenCreated $ 
 whenChanged
computer: attribute definitions come from schema/microsoft.schema

objectclass: 1.2.840.113556.1.3.30
NAME 'computer'
SUP user
STRUCTURAL
MAY
description $ 
dNSHostName $ 
isCriticalSystemObject $ 
localPolicyFlags $ 
machineRole $
operatingSystem $ 
operatingSystemHotfix $ 
operatingSystemServicePack $ 
operatingSystemVersion $ 
physicalLocationObject $ 
rIDSetReferences $ 
volumeCount

group: attribute definitions come from schema/microsoft.schema

objectclass: 1.2.840.113556.1.5.8
NAME 'group'
SUP top
STRUCTURAL
MUST
groupType
cn
MAY
adminCount $ 
changetype $ 
controlAccessRights $ 
description $ 
distinguishedName $ 
instanceType $ 
isCriticalSystemObject $ 
member $ 
name $ 
groupType $ 
showInAdvancedViewOnly $ 
systemFlags $ 
objectCategory $ 
objectGUID 
objectSid 
sAMAccountName 
sAMAccountType
uSNChanged 
uSNCreated 
whenChanged
whenCreated 

Take care: the old member syntax, <member_id>,<rid>,<class>, is not compatible with the core/cosine "member" attribute. I think the "," is not allowed in member.

rIDSet example:
dn: CN=RID Set,CN=TEST-W2K,OU=Domain Controllers,DC=ad,DC=cti,DC=unav,DC=es
rIDAllocationPool: 6867652707404
rIDNextRID: 1105
rIDPreviousAllocationPool: 6867652707404
rIDUsedPool: 0

objectclass: 1.2.840.113556.1.5.129
NAME 'rIDSet'
SUP top
STRUCTURAL
MUST
cn $ 
rIDAllocationPool 
rIDPreviousAllocationPool $ 
rIDUsedPool $
rIDNextRID 
MAY 
instanceType $ 
distinguishedName $ 
objectCategory $ 
objectGUID $ 
name $ 
showInAdvancedViewOnly $ 
uSNChanged $
uSNCreated $ 
whenChanged $ 
whenCreated $ 
changetype 

rIDManager example: dn: CN=RID Manager$,CN=System,DC=ad,DC=cti,DC=unav,DC=es 
rIDAvailablePool: 4611686014132422208
 

objectclass: 1.2.840.113556.1.5.83
NAME 'rIDManager'
SUP top
STRUCTURAL
MUST ( rIDAvailablePool )
MAY (
changetype $ 
cn $ 
fSMORoleOwner $ 
instanceType $ 
isCriticalSystemObject $ 
distinguishedName $ 
objectCategory $ 
objectGUID $ 
name $ 
showInAdvancedViewOnly $ 
systemFlags $ 
uSNChanged $ 
uSNCreated $ 
whenChanged $ 
whenCreated )
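The rIDSet and rIDManager examples above carry packed 64-bit pool values. As an added example (not the author's code), this Python script decodes them using the documented AD layout, which this paper does not state and which is stated here as an assumption: the low 32 bits hold the first RID of the pool and the high 32 bits the last (for rIDAvailablePool, the next unallocated RID and the 0x3FFFFFFF ceiling). Run on the paper's own numbers it shows TEST-W2K holding the pool 1100-1599 with rIDNextRID 1105 inside it and the domain's next pool starting at 1600, which is the check to run when monitoring RID consumption on a DC.

```python
"""Decode the packed 64-bit RID pool attributes of the rIDSet/rIDManager examples.
Assumed layout (documented AD behaviour, not stated on the page): each value holds
two 32-bit RIDs, low half first. rIDAllocationPool = (last << 32) | first for the
DC's local pool; rIDAvailablePool = (0x3FFFFFFF << 32) | next_unallocated."""

MAX_RID = 0x3FFFFFFF   # ceiling AD keeps in the high half of rIDAvailablePool


def unpack_pool(value):
    """Split a packed pool value into (low 32 bits, high 32 bits)."""
    if not 0 <= value < 1 << 64:
        raise ValueError("pool value must fit in 64 bits")
    return value & 0xFFFFFFFF, value >> 32


def pack_pool(low, high):
    """Inverse of unpack_pool; rejects halves that do not fit in 32 bits."""
    if not (0 <= low <= 0xFFFFFFFF and 0 <= high <= 0xFFFFFFFF):
        raise ValueError("pool halves must fit in 32 bits")
    return (high << 32) | low


def parse_ldif_ints(ldif):
    """Collect the integer-valued attributes of an LDIF fragment like the ones above."""
    values = {}
    for line in ldif.splitlines():
        if ":" not in line or line.startswith("dn:"):
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if val.isdigit():
            values[key] = int(val)
    return values


def rid_set_status(attrs):
    """Describe a DC's local pool from its rIDSet attributes: bounds, size, and how
    many RIDs lie above rIDNextRID (a rough 'remaining' figure for monitoring)."""
    first, last = unpack_pool(attrs["rIDAllocationPool"])
    next_rid = attrs["rIDNextRID"]
    if not first <= next_rid <= last:
        raise ValueError("rIDNextRID %d outside pool %d-%d" % (next_rid, first, last))
    prev_first, prev_last = unpack_pool(attrs["rIDPreviousAllocationPool"])
    return {"first": first, "last": last, "size": last - first + 1,
            "next": next_rid, "above_next": last - next_rid,
            "previous_pool": (prev_first, prev_last)}


def rid_manager_status(attrs):
    """Describe the domain-wide pool: next RID block to hand out and what is left."""
    next_free, upper = unpack_pool(attrs["rIDAvailablePool"])
    return {"next_pool_start": next_free, "upper_bound": upper,
            "unallocated": upper - next_free + 1,
            "at_max_bound": upper == MAX_RID}


# The two LDIF fragments quoted on this page (TEST-W2K's RID Set and the RID Manager).
RID_SET_LDIF = """dn: CN=RID Set,CN=TEST-W2K,OU=Domain Controllers,DC=ad,DC=cti,DC=unav,DC=es
rIDAllocationPool: 6867652707404
rIDNextRID: 1105
rIDPreviousAllocationPool: 6867652707404
rIDUsedPool: 0
"""
RID_MANAGER_LDIF = """dn: CN=RID Manager$,CN=System,DC=ad,DC=cti,DC=unav,DC=es
rIDAvailablePool: 4611686014132422208
"""

if __name__ == "__main__":
    print(rid_set_status(parse_ldif_ints(RID_SET_LDIF)))
    print(rid_manager_status(parse_ldif_ints(RID_MANAGER_LDIF)))
```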

ObjectClass / (native) attributes
domainDNS example: dn: DC=ad,DC=cti,DC=unav,DC=es

changetype
masteredBy
auditingPolicy
creationTime
dc
forceLogoff 
fSMORoleOwner 
gPLink 
instanceType 
isCriticalSystemObject 
lockOutObservationWindow
lockoutDuration 
lockoutThreshold
maxPwdAge 
minPwdAge
minPwdLength 
modifiedCount 
modifiedCountAtLastProm 
ms-DS-MachineAccountQuota 
nextRid 
nTMixedDomain 
distinguishedName 
objectCategory
objectClass 
objectGUID
objectSid
pwdHistoryLength
pwdProperties
name
rIDManagerReference
serverState
subRefs
systemFlags
uASCompat
uSNChanged
uSNCreated
wellKnownObjects (n)
whenChanged
whenCreated
 

objectclass ( 1.2.840.113556.1.5.67
        NAME 'domainDNS'
        SUP domain
        STRUCTURAL
        MAY (managedBy ) )

foreignSecurityPrincipal example: dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ad,DC=cti,DC=unav,DC=es

changetype
memberOf
cn
instanceType
distinguishedName
objectCategory
objectClass
objectGUID
objectSid
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

leaf: definition from schema/microsoft.schema

objectclass ( 1.2.840.113556.1.5.20
        NAME 'leaf'
        SUP top
        ABSTRACT )

connectionPoint: definition from schema/microsoft.schema

objectclass ( 1.2.840.113556.1.5.14
        NAME 'connectionPoint'
        SUP leaf
        ABSTRACT
        MUST (cn )
        MAY (keywords $ managedBy ) )

volume example: dn: CN=pcymac,OU=Domain Controllers,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
instanceType
distinguishedName
objectCategory
objectClass
objectGUID
name
uNCName
uSNChanged
uSNCreated
whenChanged
 

printQueue: objectclass 1.2.840.113556.1.5.23
NAME 'printQueue'
SUP connectionPoint
STRUCTURAL
MUST
uNCName
versionNumber
serverName
printerName  $ 
shortServerName
MAY
assetNumber $ 
bytesPerMinute $ 
changetype $ 
defaultPriority $ 
distinguishedName $ 
driverName $ 
driverVersion $ 
instanceType $ 
location $ 
name $ 
objectCategory $ 
objectClass $ 
objectGUID $
operatingSystem $ 
operatingSystemHotfix $ 
operatingSystemServicePack $ 
operatingSystemVersion $ 
physicalLocationObject $ 
portName $ 
printAttributes $ 
printBinNames $ 
printCollate $ 
printColor $ 
printDuplexSupported $ 
printEndTime $ 
printFormName $ 
printKeepPrintedJobs $ 
printLanguage $ 
printMACAddress $ 
printMaxCopies $ 
printMaxResolutionSupported $ 
printMaxXExtent $ 
printMaxYExtent $ 
printMediaReady $ 
printMediaSupported $ 
printMemory $ 
printMinXExtent $ 
printMinYExtent $ 
printNetworkAddress $ 
printNotify $ 
printNumberUp $ 
printOrientationsSupported $ 
printOwner $ 
printPagesPerMinute $ 
printRate $ 
printRateUnit $ 
printSeparatorFile $ 
printShareName $ 
printSpooling $ 
printStaplingSupported $ 
printStartTime $ 
printStatus $ 
priority $ 
uSNChanged $ 
uSNCreated $ 
whenChanged $ 
whenCreated 
container dn
changetype
cn
description
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated
foreignSecurityPrincipal example: dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ad,DC=cti,DC=unav,DC=es

changetype
memberOf
cn
instanceType
distinguishedName
objectCategory
objectClass
objectGUID
objectSid
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

builtinDomain example: dn: CN=Builtin,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
creationTime
forceLogoff
instanceType
isCriticalSystemObject
lockOutObservationWindow
lockoutDuration
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
modifiedCount
modifiedCountAtLastProm
nextRid
distinguishedName
objectCategory
objectClass
objectGUID
objectSid
pwdHistoryLength
pwdProperties
name
serverState
showInAdvancedViewOnly
systemFlags
uASCompat
uSNChanged
uSNCreated
whenChanged
whenCreated

objectclass ( 1.2.840.113556.1.5.4
        NAME 'builtinDomain'
        SUP top
        STRUCTURAL )

organizationalUnit example: dn: OU=Domain Controllers,DC=ad,DC=cti,DC=unav,DC=es 

changetype
description
gPLink
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
ou
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated

nTFRSSubscriptions example: dn: CN=NTFRS Subscriptions,CN=TEST-W2K,OU=Domain Controllers,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
fRSWorkingPath: c:\winnt\ntfrs 
instanceType
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

nTFRSSubscriber example: dn: CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=TEST-W2K,OU=Domain Controllers,DC=ad,DC=cti,DC=unav,DC=es

changetype
fRSMemberReference
cn
fRSRootPath
fRSStagingPath
instanceType
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

nTFRSSettings example: dn: CN=File Replication Service,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated

nTFRSReplicaSet example: dn: CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
fRSPrimaryMember
cn
fRSFileFilter: *.tmp, *.bak, ~* 
fRSReplicaSetGUID
fRSReplicaSetType
fRSVersionGUID
instanceType
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

nTFRSMember example: dn: CN=TEST-W2K,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
serverReference
frsComputerReference
fRSMemberReferenceBL
cn
instanceType
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

rpcContainer example: dn: CN=RpcServices,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated

fileLinkTracking example: dn: CN=FileLinks,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated

linkTrackVolumeTable example: dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated

linkTrackVolEntry example: dn: CN=8D895862F3474B2EA0B5667F51655E3D,CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
instanceType
linkTrackSecret
distinguishedName
objectCategory
objectClass
objectGUID
name
seqNotification
showInAdvancedViewOnly
timeRefresh
timeVolChange
uSNChanged
uSNCreated
volTableIdxGUID
whenChanged
whenCreated

linkTrackVolEntry example: dn: CN=QT_Counter,CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
linkTrackSecret
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

linkTrackObjectMoveTable example: dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated

domainPolicy example: dn: CN=Default Domain Policy,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

example: dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

groupPolicyContainer example: dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
displayName
flags
gPCFileSysPath
gPCFunctionalityVersion: 2 
gPCMachineExtensionNames
gPCUserExtensionNames
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
versionNumber
whenChanged
whenCreated

dfsConfiguration example: dn: CN=Dfs-Configuration,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

ipsecPolicy example: dn: CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn 
description
instanceType
ipsecData 
ipsecDataType
ipsecID 
ipsecISAKMPReference
ipsecName 
ipsecNFAReference
ipsecNFAReference
ipsecNFAReference
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly 
uSNChanged
uSNCreated 
whenChanged 
whenCreated

ipsecISAKMPPolicy example: dn: CN=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype 
cn 
instanceType
ipsecData
ipsecDataType 
ipsecID 
ipsecOwnersReference
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

ipsecNFA example: dn: CN=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
description
instanceType
ipsecData
ipsecDataType
ipsecFilterReference
ipsecID
ipsecName
ipsecNegotiationPolicyReference
ipsecOwnersReference
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

ipsecNegotiationPolicy example: dn: CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
description: Accepts unsecured communication, but requests clients to establish trust and security methods. Will communicate insecurely to untrusted clients if they do not respond to request.
instanceType
ipsecData
ipsecDataType
ipsecID
ipsecName
iPSECNegotiationPolicyAction
iPSECNegotiationPolicyType
ipsecOwnersReference
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

ipsecFilter example: dn: CN=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn 
description: Matches all IP packets from this computer to any other computer, except broadcast, multicast, Kerberos, RSVP and ISAKMP (IKE).
instanceType 
ipsecData
ipsecDataType 
ipsecID 
ipsecName 
ipsecOwnersReference 
ipsecOwnersReference
isCriticalSystemObject 
distinguishedName
objectCategory
objectClass 
objectGUID 
name 
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated 

samServer example: dn: CN=Server,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype 
cn
instanceType
isCriticalSystemObject 
distinguishedName 
objectCategory
objectClass 
objectGUID 
name
revision 
showInAdvancedViewOnly 
uSNChanged
uSNCreated
whenChanged
whenCreated

dnsNode example: dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=ad,DC=cti,DC=unav,DC=es 

changetype 
dnsRecord (n) 
dc
instanceType 
distinguishedName
objectCategory
objectClass 
objectGUID 
name
showInAdvancedViewOnly 
uSNChanged
uSNCreated
whenChanged
whenCreated 

dnsZone example: dn: DC=ad.cti.unav.es,CN=MicrosoftDNS,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
dNSProperty (n) 
dc
instanceType 
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

secret example: dn: CN=BCKUPKEY_616a3253-eed4-4a49-a2ee-d1375204ad7d Secret,CN=System,DC=ad,DC=cti,DC=unav,DC=es

changetype
cn
instanceType
isCriticalSystemObject
lastSetTime
distinguishedName
objectCategory
objectClass
objectGUID
priorSetTime
name
showInAdvancedViewOnly
uSNChanged
uSNCreated
whenChanged
whenCreated

lostAndFound example: dn: CN=LostAndFound,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
description: Default container for orphaned objects 
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated

infrastructureUpdate example: dn: CN=Infrastructure,DC=ad,DC=cti,DC=unav,DC=es 

changetype
cn
fSMORoleOwner
instanceType
isCriticalSystemObject
distinguishedName
objectCategory
objectClass
objectGUID
name
showInAdvancedViewOnly
systemFlags
uSNChanged
uSNCreated
whenChanged
whenCreated


 

The image from ldp.exe: (not reproduced here)


Attribute definition and OpenLDAP 2.0.x configuration files



This section is only a working draft: it is not operational.

Please note that you must replace our OID (1.3.6.1.4.1.7114) with your own OID. The official Samba OID is 7165. For now I used mine because this schema is only a draft ;-)

  • schema file
  • slapd.conf file
  • The example assumes that the path is: /usr/local/etc2/openldap/etc/openldap/

    Schema file


    I don't know if Microsoft's attribute list is official; I found it in the schema directory of the OpenLDAP distribution.
    If you copy/paste the list, remember that the spaces after the $ and ) symbols are required.

    I'm working on the Microsoft SYNTAX definitions, because of errors like:
    /usr/local/etc2/openldap/etc/openldap/schema/samba.schema: line 61: OID '1.2.840.113556.1.4.906' not found:

    Large-Integer: 1.2.840.113556.1.4.906
    Encoded as an Integer (OID 1.3.6.1.4.1.1466.115.121.1.27), but guaranteed
    to support 64 bit numbers.

    In the OpenLDAP 2.0.x distribution, save the following as schema/samba.schema.

    ------------------- snip ---------------------

    # req. core   (uid, dc, etc).
    #    2.5.4.41 NAME 'name'
    #    2.5.4.42 NAME ( 'givenName' 'gn' ) SUP name
    #    2.5.4.49 NAME 'distinguishedName'
    #    2.5.4.13 NAME 'description'
    #    2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name
    #
    # req. cosine (organization)
    #

    # mystery section attributes
    attributetype ( 1.3.6.1.4.1.7114.2.1.10 NAME 'changetype'
            DESC 'AD ubiquitous changetype attribute'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

    # Microsoft attributes
    #
    # Here follow definitions from schema/microsoft.schema.
    # If you don't have that file, or don't like its OIDs, you MUST copy
    # and paste this attribute definition list instead.
    #
    # SYNTAX changes:
    #
    # Large-Integer (1.2.840.113556.1.4.906) is replaced by Integer,
    # 1.3.6.1.4.1.1466.115.121.1.27: encoded as an Integer, but guaranteed
    # to support 64 bit numbers.

    # user attrs

    attributetype ( 1.2.840.113556.1.4.8  NAME 'userAccountControl'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.166
            NAME 'groupMembershipSAM'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.213
            NAME 'defaultClassStore'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

    attributetype ( 1.2.840.113556.1.4.656
            NAME 'userPrincipalName'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.86
            NAME 'userWorkstations'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.65
            NAME 'logonWorkstation'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.751
            NAME 'userSharedFolder'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.49
            NAME 'badPasswordTime'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.302
            NAME 'sAMAccountType'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.98
            NAME 'primaryGroupID'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.159
            NAME 'accountExpires'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.346
            NAME 'desktopProfile'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.782
            NAME 'objectCategory'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.221
            NAME 'sAMAccountName'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.144
            NAME 'operatorCount'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.44
            NAME 'homeDirectory'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.772
            NAME 'aCSPolicyName'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.94
            NAME 'ntPwdHistory'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
     

    attributetype ( 1.2.840.113556.1.4.160
            NAME 'lmPwdHistory'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

    attributetype ( 1.2.840.113556.1.2.1
            NAME 'instanceType'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
            NO-USER-MODIFICATION )

    attributetype ( 1.2.840.113556.1.4.97
            NAME 'preferredOU'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.662
            NAME 'lockoutTime'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.25
            NAME 'countryCode'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.139
            NAME 'profilePath'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.12
            NAME 'badPwdCount'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.2.13
            NAME 'displayName'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.2.3
            NAME 'whenChanged'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.2.19
            NAME 'uSNCreated'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.64
            NAME 'logonHours'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.96
            NAME 'pwdLastSet'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.169
            NAME 'logonCount'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.90
            NAME 'unicodePwd'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.62
            NAME 'scriptPath'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.76
            NAME 'maxStorage'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.51
            NAME 'lastLogoff'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.2.120
            NAME 'uSNChanged'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.2
            NAME 'objectGUID'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.52
            NAME 'lastLogon'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.45
            NAME 'homeDrive'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.2.102
            NAME 'memberOf'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            NO-USER-MODIFICATION )

    attributetype ( 1.2.840.113556.1.4.58
            NAME 'localeID'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

    attributetype ( 1.2.840.113556.1.4.16
            NAME 'codePage'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.55
            NAME 'dBCSPwd'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.91
            NAME 'otherLoginWorkstations'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( 1.2.840.113556.1.4.752
            NAME 'userSharedFolderOther'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( 1.2.840.113556.1.2.353
            NAME 'displayNamePrintable'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.771
            NAME 'servicePrincipalName'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( 1.2.840.113556.1.4.200
            NAME 'controlAccessRights'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

    # computer attrs
    attributetype ( 1.2.840.113556.1.4.669
            NAME 'rIDSetReferences'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            NO-USER-MODIFICATION )

    attributetype ( 1.2.840.113556.1.4.56
            NAME 'localPolicyFlags'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.363
            NAME 'operatingSystem'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.507
            NAME 'volumeCount'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.619
            NAME 'dNSHostName'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.71
            NAME 'machineRole'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.365
            NAME 'operatingSystemServicePack'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.364
            NAME 'operatingSystemVersion'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.868
            NAME 'isCriticalSystemObject'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.514
            NAME 'physicalLocationObject'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.415
            NAME 'operatingSystemHotfix'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.2.2
            NAME 'whenCreated'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
            SINGLE-VALUE
            NO-USER-MODIFICATION )

    # group attrs
    attributetype ( 1.2.840.113556.1.4.375
            NAME 'systemFlags'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
            NO-USER-MODIFICATION )
     

    attributetype ( 1.2.840.113556.1.4.150
            NAME 'adminCount'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.750
            NAME 'groupType'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.146
            NAME 'objectSid'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            SINGLE-VALUE )
     

    attributetype ( 1.2.840.113556.1.2.169
            NAME 'showInAdvancedViewOnly'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
            SINGLE-VALUE )

    # ridSet attrs
    attributetype ( 1.2.840.113556.1.4.371
            NAME 'rIDAllocationPool'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
            NO-USER-MODIFICATION )

    attributetype ( 1.2.840.113556.1.4.373
            NAME 'rIDUsedPool'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
            NO-USER-MODIFICATION )

    attributetype ( 1.2.840.113556.1.4.372
            NAME 'rIDPreviousAllocationPool'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
            NO-USER-MODIFICATION )

    attributetype ( 1.2.840.113556.1.4.374
            NAME 'rIDNextRID'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
            NO-USER-MODIFICATION )

    # ridManager attrs
    attributetype ( 1.2.840.113556.1.4.370
            NAME 'rIDAvailablePool'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

    attributetype ( 1.2.840.113556.1.4.369
            NAME 'fSMORoleOwner'
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE )
     

    # objectClass defs

    objectclass ( 1.3.6.1.4.1.7114.2.2.10
        NAME 'user'
        SUP organizationalPerson
        STRUCTURAL
        MUST ( objectSid $ objectClass $ cn )
        MAY (
            accountExpires $
            aCSPolicyName $
            adminCount $
            badPasswordTime $
            badPwdCount $
            changetype $
            codePage $
            controlAccessRights $
            countryCode $
            dBCSPwd $
            defaultClassStore $
            description $
            desktopProfile $
            displayName $
            distinguishedName $
            givenName $
            groupMembershipSAM $
            homeDirectory $
            homeDrive $
            instanceType $
            lastLogoff $
            lastLogon $
            lmPwdHistory $
            localeID $
            lockoutTime $
            logonCount $
            logonHours $
            logonWorkstation $
            maxStorage $
            memberOf $
            name $
            ntPwdHistory $
            objectCategory $
            objectGUID $
            operatorCount $
            otherLoginWorkstations $
            preferredOU $
            primaryGroupID $
            profilePath $
            pwdLastSet $
            sAMAccountName $
            sAMAccountType $
            scriptPath $
            servicePrincipalName $
            unicodePwd $
            userAccountControl $
            userPrincipalName $
            userSharedFolder $
            userSharedFolderOther $
            userWorkstations $
            uSNChanged $
            uSNCreated $
            whenChanged $
            whenCreated ) )

    objectclass ( 1.3.6.1.4.1.7114.2.2.11
        NAME 'computer'
        SUP user
        STRUCTURAL
        MAY (
            description $
            dNSHostName $
            isCriticalSystemObject $
            localPolicyFlags $
            machineRole $
            operatingSystem $
            operatingSystemHotfix $
            operatingSystemServicePack $
            operatingSystemVersion $
            physicalLocationObject $
            rIDSetReferences $
            volumeCount ) )
     

    objectclass ( 1.3.6.1.4.1.7114.2.2.12
        NAME 'group'
        SUP top
        STRUCTURAL
        MUST (groupType $ cn )
        MAY (
            adminCount $
            changetype $
            controlAccessRights $
            description $
            distinguishedName $
            instanceType $
            isCriticalSystemObject $
            member $
            name $
            showInAdvancedViewOnly $
            systemFlags $
            objectCategory $
            objectGUID $
            objectSid $
            sAMAccountName $
            sAMAccountType $
            uSNChanged $
            uSNCreated $
            whenChanged $
            whenCreated ) )

    objectclass ( 1.3.6.1.4.1.7114.2.2.13
        NAME 'rIDManager'
        SUP top
        STRUCTURAL
        MUST (rIDAvailablePool )
        MAY (
            changetype $
            cn $
            fSMORoleOwner $
            instanceType $
            isCriticalSystemObject $
            distinguishedName $
            objectCategory $
            objectGUID $
            name $
            showInAdvancedViewOnly $
            systemFlags $
            uSNChanged $
            uSNCreated $
            whenChanged $
            whenCreated ) )
     

    objectclass ( 1.3.6.1.4.1.7114.2.2.14
        NAME 'rIDSet'
        SUP top
        STRUCTURAL
        MUST (
            cn $
            rIDAllocationPool $
            rIDPreviousAllocationPool $
            rIDUsedPool $
            rIDNextRID )
        MAY (
            instanceType $
            distinguishedName $
            objectCategory $
            objectGUID $
            name $
            showInAdvancedViewOnly $
            uSNChanged $
            uSNCreated $
            whenChanged $
            whenCreated $
            changetype ) )

    ------------------- snip ---------------------
     
     

    slapd.conf file  [toc]

    ------------------- snip ---------------------
    # include schema
    include         /usr/local/etc/openldap_2/etc/openldap/schema/core.schema
    include         /usr/local/etc/openldap_2/etc/openldap/schema/cosine.schema
    include         /usr/local/etc/openldap_2/etc/openldap/schema/samba.schema
    schemacheck     on

    # Define global ACLs to disable default read access.

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral       ldap://bilbo.cti.unav.es

    pidfile         /usr/local/etc/openldap_2/var/slapd.pid
    argsfile        /usr/local/etc/openldap_2/var/slapd.args

    # Load dynamic backend modules:
    # modulepath    /usr/local/etc/openldap_2/libexec/openldap
    # moduleload    back_ldap.la
    # moduleload    back_ldbm.la
    # moduleload    back_passwd.la
    # moduleload    back_shell.la

    #######################################################################
    # ldbm database definitions
    #######################################################################
    #
    # UNAV SMB
    #
    database        ldbm
    suffix          "dc=samba, dc=unav, dc=es"
    rootdn          "cn=root, dc=samba, dc=unav, dc=es"
    rootpw          <a_secret>
    directory       /usr/local/etc/openldap_2/samba-slapd
    #
    cachesize       100
    dbcachesize     10000
    dbcachenowsync
    #
    index           objectclass        eq
    index           cn,sn,uid          pres,sub,eq
    index           default            sub
    #
    access  to dn="dc=samba, dc=unav, dc=es"
            by dn="uid=replicator,dc=samba, dc=unav, dc=es" write
    access  to dn=".*, dc=samba, dc=unav, dc=es"
            by self                         write
            by *                            search
    #
    ------------------- snip ---------------------
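A hardened replacement for the two `access` rules above, added here as an example (not part of the original page). It assumes OpenLDAP 2.0 slapd.conf syntax, the suffix and replicator DN from the configuration above, and a hypothetical `cn=samba-admin` bind DN for the PDC itself; the original `by self write` lets every bound account rewrite its own `primaryGroupID`, `userAccountControl` and password-hash attributes, and `by * search` lets anonymous clients use those attributes in search filters.

```conf
# Added example: hardened ACLs for the Samba PDC suffix (not from the page).
# OpenLDAP 2.0 syntax; the first matching "access to" clause wins, so the
# attribute-specific rules must come before the catch-all rule.
# "cn=samba-admin" is a hypothetical bind DN used by the PDC (rootdn bypasses
# ACLs anyway); "uid=replicator" is the DN already used on this page.

# 1. Password hashes (user/computer MAY attrs): no read, no filter matching,
#    no self write. Only the PDC and the replicator may touch them.
access  to dn=".*, dc=samba, dc=unav, dc=es"
        attrs=unicodePwd,dBCSPwd,lmPwdHistory,ntPwdHistory,pwdLastSet
        by dn="cn=samba-admin, dc=samba, dc=unav, dc=es" write
        by dn="uid=replicator, dc=samba, dc=unav, dc=es" write
        by * none

# 2. Privilege and identity attributes: readable by bound users, writable
#    only by the PDC and the replicator, never by the entry itself.
access  to dn=".*, dc=samba, dc=unav, dc=es"
        attrs=objectSid,primaryGroupID,userAccountControl,sAMAccountName,sAMAccountType,memberOf,member,groupType,adminCount,profilePath,scriptPath,logonHours,userWorkstations
        by dn="cn=samba-admin, dc=samba, dc=unav, dc=es" write
        by dn="uid=replicator, dc=samba, dc=unav, dc=es" write
        by users read
        by * none

# 3. RID pool bookkeeping (rIDManager / rIDSet): PDC and replicator only.
access  to dn=".*, dc=samba, dc=unav, dc=es"
        attrs=rIDAllocationPool,rIDPreviousAllocationPool,rIDUsedPool,rIDNextRID,rIDAvailablePool,fSMORoleOwner
        by dn="cn=samba-admin, dc=samba, dc=unav, dc=es" write
        by dn="uid=replicator, dc=samba, dc=unav, dc=es" write
        by * none

# 4. Descriptive fields: the only attributes an account may edit on its
#    own entry.
access  to dn=".*, dc=samba, dc=unav, dc=es"
        attrs=description,displayName,givenName
        by self write
        by users read
        by * none

# 5. Everything else: bound users read, anonymous gets nothing.
access  to dn=".*, dc=samba, dc=unav, dc=es"
        by dn="cn=samba-admin, dc=samba, dc=unav, dc=es" write
        by dn="uid=replicator, dc=samba, dc=unav, dc=es" write
        by users read
        by * none
```

Keep the page's first rule for the suffix entry itself in front of these; `by users read` on rule 5 can be tightened to `search` if directory browsing by ordinary accounts is not wanted.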
