Ignacio
Coupeau
CTI,
University of Navarra
- TNG "old schema" for openldap 2.x
- The schema's diffs (roughly)
- TNG AD new schema
- The schemas unveiled
Compiling
To compile openldap-2.0.x on RedHat 6.2: if the link step fails with undefined references to `dn_*` symbols (the DNS resolver routines), add the -lresolv library to the link flags (quote the value, otherwise the shell assigns only the first word):
LIBS="-lreadline -lcurses -ldl -lcrypt -lldap -llber -lresolv"
The Schema changes
I replaced `member` with `sambaMember`, because the value format TNG writes,
member:
<member_id>,<rid>,<class>
is not compatible with the core/cosine `member` attribute: that attribute has Distinguished Name syntax, so OpenLDAP's schema checking rejects these comma-separated, non-DN values. A separate attribute with IA5 String syntax avoids the conflict (and keeps the TNG format out of an attribute other applications interpret as a list of DNs).
Also, in the code you must replace the attribute name `member` with `sambaMember` in several places (the diffs below, against the `-DIST` copies of the originals). I think the TNG people are going to fix it, but you should test it:
./groupdb/aliasldap.c-DIST
./groupdb/builtinldap.c-DIST
./groupdb/groupldap.c-DIST
diff ./groupdb/aliasldap.c-DIST ./groupdb/aliasldap.c
78c78
< if(values = ldap_get_values(ldap_struct, ldap_entry, "member")) {
---
> if(values = ldap_get_values(ldap_struct, ldap_entry, "sambaMember")) {
158c158
< ldap_make_mod(mods, operation, "member", member);
---
> ldap_make_mod(mods, operation, "sambaMember", member);
370c370
< "(&(member=%s,*)(objectclass=sambaAlias))", name);
---
> "(&(sambaMember=%s,*)(objectclass=sambaAlias))", name);
diff ./groupdb/builtinldap.c-DIST ./groupdb/builtinldap.c
78c78
< if(values = ldap_get_values(ldap_struct, ldap_entry, "member")) {
---
> if(values = ldap_get_values(ldap_struct, ldap_entry, "sambaMember")) {
159c159
< ldap_make_mod(mods, operation, "member", member);
---
> ldap_make_mod(mods, operation, "sambaMember", member);
371c371
< "(&(member=%s,*)(objectclass=sambaBuiltin))", name);
---
> "(&(sambaMember=%s,*)(objectclass=sambaBuiltin))", name);
diff ./groupdb/groupldap.c-DIST ./groupdb/groupldap.c
81c81
< if(values = ldap_get_values(ldap_struct, ldap_entry, "member")) {
---
> if(values = ldap_get_values(ldap_struct, ldap_entry, "sambaMember")) {
164c164
< ldap_make_mod(mods, operation, "member", member);
---
> ldap_make_mod(mods, operation, "sambaMember", member);
383c383
< "(&(member=%s,*)(objectclass=sambaGroup))", name);
---
> "(&(sambaMember=%s,*)(objectclass=sambaGroup))", name);
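Review bot: The renamed filter still interpolates `name` into the LDAP search filter unescaped, so a group name containing `*`, `(`, `)` or `\` changes the filter's structure instead of being matched literally (LDAP filter injection, RFC 2254 escaping); where `name` comes from is outside the hunk, so whether it is attacker-controlled cannot be confirmed here, but a name that reaches an LDAP filter should be escaped regardless. The same `"(&(sambaMember=%s,*)(objectclass=...))"` pattern appears in the aliasldap.c and builtinldap.c hunks above and needs the same treatment. Note also that `sambaMember=%s,*` is a substring assertion, so the `sambaMember` attributetype must declare a `SUBSTR` rule (e.g. `caseIgnoreIA5SubstringsMatch`) or slapd evaluates the assertion as Undefined and the search matches nothing. The enclosing function starts and ends outside the hunk.
```c
/* Escape RFC 2254 filter metacharacters so a caller-supplied name cannot
 * alter the search filter. Returns 0 on success, -1 if out is too small. */
static int ldap_filter_escape(char *out, size_t outlen, const char *in)
{
	size_t o = 0;
	for (; *in; in++) {
		unsigned char c = (unsigned char)*in;
		if (c == '*' || c == '(' || c == ')' || c == '\\') {
			if (o + 3 >= outlen) return -1;
			o += snprintf(out + o, outlen - o, "\\%02x", c);
		} else {
			if (o + 1 >= outlen) return -1;
			out[o++] = (char)c;
		}
	}
	out[o] = '\0';
	return 0;
}

/* … unchanged: start of the lookup function … */
	char safe_name[256];
	if (ldap_filter_escape(safe_name, sizeof(safe_name), name) < 0)
		/* fail the lookup with the function's existing error return */
	/* … unchanged: buffer setup … */
		"(&(sambaMember=%s,*)(objectclass=sambaGroup))", safe_name);
```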
# requires core.schema (uid, cn, description, etc.)
# requires cosine.schema (organization)
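# sambaMember: one value per group member, written by TNG as
# "<member_id>,<rid>,<class>" (a comma-separated string, not a DN),
# which is why the core 'member' attribute (DN syntax) cannot be reused.
# Attribution of this definition, kept as a comment (the mail header had
# been spliced into the definition as bare "From:"/"Date:" lines, which
# makes slapd reject the whole schema file):
# From: "Rodney Barnett" <rbarnett@neuromics.com>
# Date: Thu, 5 Apr 2001 08:43:16 -0500
# SUBSTR is needed because groupdb/*ldap.c searches with the substring
# filter "(sambaMember=<name>,*)"; without a substring rule slapd treats
# that assertion as Undefined and the search matches nothing. The IA5
# substring rule is the one that pairs with caseIgnoreIA5Match and the
# IA5 String syntax below (the non-IA5 caseIgnoreSubstringsMatch belongs
# to Directory String syntax and newer slapd versions refuse the mix).
attributetype ( 1.3.6.1.4.1.7114.2.1.1
    NAME 'sambaMember'
    DESC 'samba member'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )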
# uidNumber / gidNumber: same NAMEs as the RFC 2307 definitions in
# nis.schema (under different OIDs). slapd refuses to start when an
# attribute type name is defined twice, so load either this schema or
# nis.schema, not both (the "new" schema below comments these two out,
# presumably for that reason).
attributetype ( 1.3.6.1.4.1.7114.2.1.2
NAME 'uidNumber'
DESC 'Unix user ID-number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# ntuid: NT logon name. caseIgnoreIA5Match makes lookups case-insensitive,
# which is how NT itself treats user names.
attributetype ( 1.3.6.1.4.1.7114.2.1.3
NAME 'ntuid'
DESC 'NT user ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )
# rid: the account's relative identifier as up to 8 hex digits (per DESC),
# i.e. a 32-bit value; there is no ORDERING rule, so it cannot be
# range-searched.
attributetype ( 1.3.6.1.4.1.7114.2.1.4
NAME 'rid'
DESC 'NT hex RID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
# gidNumber: see the note on uidNumber above.
attributetype ( 1.3.6.1.4.1.7114.2.1.5
NAME 'gidNumber'
DESC 'Unix group ID'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# grouprid: RID of the account's primary group, same encoding as rid.
attributetype ( 1.3.6.1.4.1.7114.2.1.6
NAME 'grouprid'
DESC 'NT group RID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
# sid: full NT SID in string form (the exact text format is not fixed by
# this schema — TODO confirm against what TNG writes).
attributetype ( 1.3.6.1.4.1.7114.2.1.7
NAME 'sid'
DESC 'NT SID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )
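# lmPassword / ntPassword: the LanManager and NT password hashes, 32
# characters each (16 bytes, presumably hex-encoded like the RID fields).
# These are password-EQUIVALENT secrets: whoever can read them can
# authenticate as the user (pass-the-hash) without cracking anything, and
# the LM hash in particular is trivially crackable. The schema cannot
# protect them, so slapd.conf must deny access to everyone but the DN
# Samba binds as, for example:
#   access to attrs=lmPassword,ntPassword
#       by dn="cn=samba-admin,dc=example,dc=org" write
#       by * none
# Use "none", not "search": search access would let a client test
# candidate hashes through filters such as (ntPassword=...). Reach the
# directory over TLS/ldaps only, or the hashes cross the wire in clear.
# SINGLE-VALUE added: an account has exactly one current hash of each
# kind. The original allowed several values per entry, and the consumer
# (presumably reading them via ldap_get_values(), like sambaMember in the
# diffs above) has no rule for choosing between them.
attributetype ( 1.3.6.1.4.1.7114.2.1.8
    NAME 'lmPassword'
    DESC 'LanManager Passwd'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7114.2.1.9
    NAME 'ntPassword'
    DESC 'nt Passwd'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )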
# pwdLastSet / pwdCanChange / pwdMustChange: password-age timestamps,
# stored as 8-character IA5 strings (presumably a hex-encoded 32-bit
# time_t, matching the 8-hex-digit convention of rid — TODO confirm).
# Being strings with no ORDERING rule, they cannot be compared or
# range-searched by slapd; the consumer must do that itself.
# pwdMustChange is what enforces password expiry, so write access to it
# should be as restricted as to the hashes themselves.
attributetype ( 1.3.6.1.4.1.7114.2.1.10
NAME 'pwdLastSet'
DESC 'NT pwdLastSet'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )
attributetype ( 1.3.6.1.4.1.7114.2.1.11
NAME 'pwdCanChange'
DESC 'NT pwdCanChange'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )
attributetype ( 1.3.6.1.4.1.7114.2.1.12
NAME 'pwdMustChange'
DESC 'NT pwdMustChange'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )
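# Logon-profile attributes handed to the client at logon. smbHome, script
# and profile are paths the client will open; whoever can write them can
# point a user's logon script or profile at an attacker-controlled share,
# so write access to them should be limited to the Samba admin DN.
# 'script' and 'profile' are very generic names that may collide with
# other schemas loaded into the same slapd.
attributetype ( 1.3.6.1.4.1.7114.2.1.13
    NAME 'smbHome'
    DESC 'smbHome'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
# homeDrive: drive letter the home share is mapped to. The DESC was a
# copy-paste leftover ('smbHome'); corrected to name this attribute.
attributetype ( 1.3.6.1.4.1.7114.2.1.14
    NAME 'homeDrive'
    DESC 'homeDrive'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )
attributetype ( 1.3.6.1.4.1.7114.2.1.15
    NAME 'script'
    DESC 'script'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
attributetype ( 1.3.6.1.4.1.7114.2.1.16
    NAME 'profile'
    DESC 'profile'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
# acctFlags: account control flags (maps to userAccountControl in AD per
# the table below). This is where an account is disabled/enabled, so it
# needs the same write restrictions as the password attributes.
attributetype ( 1.3.6.1.4.1.7114.2.1.17
    NAME 'acctFlags'
    DESC 'acctFlags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} )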
# nextrid: RID allocation counter kept on the sambaConfig entry. Nothing in
# this schema makes its read-increment-write atomic; concurrent allocators
# could hand out the same RID (and RIDs must never be reused) — TODO
# confirm how TNG serialises updates to it.
attributetype ( 1.3.6.1.4.1.7114.2.1.18
NAME 'nextrid'
DESC 'nextrid'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
# id: identifies the sambaConfig entry (DESC: 'ldap admin user ID'). The
# name is extremely generic and likely to collide with other schemas.
attributetype ( 1.3.6.1.4.1.7114.2.1.19
NAME 'id'
DESC 'ldap admin user ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )
# logonTime / logoffTime / kickoffTime: 8-character timestamps, same
# encoding as pwdLastSet above. kickoffTime is the forced-logoff time and
# so is security-relevant for write access.
attributetype ( 1.3.6.1.4.1.7114.2.1.20
NAME 'logonTime'
DESC 'logonTime'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7114.2.1.21
NAME 'logoffTime'
DESC 'logoffTime'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7114.2.1.22
NAME 'kickoffTime'
DESC 'kickoffTime'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
# sambaAccount: one entry per NT user. STRUCTURAL with SUP top, so under
# slapd versions that enforce a single structural class per entry it
# cannot be combined with posixAccount/inetOrgPerson on the same entry —
# which is presumably why uidNumber/gidNumber are redefined here.
# Listing ObjectClass in MUST is redundant (top already requires it) but
# harmless. uid, ou, cn and description come from core.schema.
# The MAY list includes the password hashes and acctFlags; the ACLs
# described on those attributes apply to every entry of this class.
objectclass
( 1.3.6.1.4.1.7114.2.2.1
NAME
'sambaAccount'
DESC 'Provisional sambaAccount'
SUP
top
STRUCTURAL
MUST ( ObjectClass $ uid $ uidNumber $ ntuid $ rid )
MAY (
gidNumber $ grouprid $ ou $ cn $ description $
lmPassword $ ntPassword $
pwdLastSet $ pwdCanChange $ pwdMustChange $
logonTime $ logoffTime $ kickoffTime $
smbHome $ homeDrive $ script $ profile $ acctFlags )
)
# sambaGroup: a domain group. Membership is the multi-valued sambaMember
# ("<member_id>,<rid>,<class>" strings), looked up by groupldb/groupldap.c
# with a substring filter; the rid is the group's RID. Write access to
# sambaMember is effectively the right to grant group membership.
objectclass
( 1.3.6.1.4.1.7114.2.2.2
NAME
'sambaGroup'
DESC 'Provisional sambaGroup'
SUP
top
STRUCTURAL
MUST ( ObjectClass $ cn $ rid )
MAY ( ntuid $ sambaMember $ description )
)
# sambaBuiltin: a BUILTIN group (Administrators, Users, ...), searched by
# groupdb/builtinldap.c. Unlike sambaGroup, rid and sid are optional here.
# Membership of these groups confers local privilege on the server, so
# sambaMember on these entries deserves the tightest write ACL of all.
objectclass
( 1.3.6.1.4.1.7114.2.2.3
NAME
'sambaBuiltin'
DESC 'Provisional sambaBuiltin'
SUP
top
STRUCTURAL
MUST ( ObjectClass $ cn )
MAY ( sid $ rid $ sambaMember $ ntuid $ description )
)
# sambaConfig: singleton holding Samba-internal state — the 'id' of the
# admin user and the nextrid allocation counter. Only the Samba admin DN
# should be able to write it (a tampered nextrid can cause RID reuse).
objectclass
( 1.3.6.1.4.1.7114.2.2.4
NAME
'sambaConfig'
DESC 'Provisional sambaConfig'
SUP
top
STRUCTURAL
MUST ( ObjectClass $ id $ nextrid )
)
# sambaAlias: a local (alias) group, searched by groupdb/aliasldap.c;
# structurally identical to sambaBuiltin, distinguished only by the class
# name in the (objectclass=sambaAlias) filter.
objectclass
( 1.3.6.1.4.1.7114.2.2.5
NAME
'sambaAlias'
DESC 'Provisional sambaAlias'
SUP
top
STRUCTURAL
MUST ( ObjectClass $ cn )
MAY ( sid $ rid $ sambaMember $ ntuid $ description )
)
--
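# sambaMember: "<member_id>,<rid>,<class>" per group member (not a DN, hence
# not the core 'member' attribute).
# SUBSTR added: groupdb/{alias,builtin,group}ldap.c look members up with
# the substring filter "(sambaMember=<name>,*)". Without a substring
# matching rule slapd evaluates that assertion as Undefined, the AND
# filter never matches, and every membership lookup silently returns
# nothing. The IA5 substring rule pairs with the IA5 syntax/equality rule.
attributetype ( 1.3.6.1.4.1.9183.2.1.1 NAME 'sambaMember'
    DESC 'samba member'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
    )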
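# uidNumber is left commented out — presumably because nis.schema
# (RFC 2307) already defines an attribute of that NAME under its own OID,
# and slapd refuses to start when a name is defined twice. The closing
# "SINGLE-VALUE )" line had lost its '#', leaving a stray, un-commented
# token that breaks parsing of the schema file; it is commented out here.
#attributetype ( 1.3.6.1.4.1.9183.2.1.2 NAME 'uidNumber'
#    DESC 'Unix user ID-number'
#    EQUALITY integerMatch
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#    SINGLE-VALUE )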
# ntuid: NT logon name; caseIgnoreIA5Match gives the case-insensitive
# lookup NT user names require.
attributetype ( 1.3.6.1.4.1.9183.2.1.3 NAME 'ntuid'
DESC 'NT user ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
SINGLE-VALUE )
# rid: relative identifier, up to 8 hex digits (per DESC). No ORDERING
# rule, so it cannot be range-searched.
attributetype ( 1.3.6.1.4.1.9183.2.1.4 NAME 'rid'
DESC 'NT hex RID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
SINGLE-VALUE )
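# gidNumber is left commented out for the same reason as uidNumber:
# nis.schema (RFC 2307) presumably provides it, and a second definition
# of the same NAME stops slapd from starting. The trailing
# "SINGLE-VALUE )" line had lost its '#' and was an un-commented stray
# token in the schema file; commented out here.
#attributetype ( 1.3.6.1.4.1.9183.2.1.5 NAME 'gidNumber'
#    DESC 'Unix group ID'
#    EQUALITY integerMatch
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#    SINGLE-VALUE )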
# grouprid: RID of the account's primary group, same encoding as rid.
attributetype ( 1.3.6.1.4.1.9183.2.1.6 NAME 'grouprid'
DESC 'NT group RID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
SINGLE-VALUE )
# sid: NT SID in string form (exact text format not fixed by the schema —
# TODO confirm against what TNG writes).
attributetype ( 1.3.6.1.4.1.9183.2.1.7 NAME 'sid'
DESC 'NT SID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
SINGLE-VALUE )
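# lmPassword / ntPassword: LanManager and NT password hashes, 32
# characters each (16 bytes, presumably hex-encoded). They are
# password-EQUIVALENT: reading them is enough to authenticate as the user
# (pass-the-hash), and the LM hash is trivially crackable besides. The
# schema cannot restrict access; slapd.conf must, e.g.
#   access to attrs=lmPassword,ntPassword
#       by dn="cn=samba-admin,dc=example,dc=org" write
#       by * none
# ("none" rather than "search": search access would let clients probe
# candidate hashes with filters like (ntPassword=...)). Use TLS/ldaps so
# the hashes do not cross the wire in clear.
# SINGLE-VALUE added: an account has one current hash of each kind; the
# original admitted several values with no rule for choosing among them.
attributetype ( 1.3.6.1.4.1.9183.2.1.8 NAME 'lmPassword'
    DESC 'LanManager Passwd'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}
    SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.9183.2.1.9 NAME 'ntPassword'
    DESC 'nt Passwd'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}
    SINGLE-VALUE )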
# Password-age timestamps as 8-character IA5 strings (presumably hex
# 32-bit time_t — TODO confirm). No ORDERING rule, so slapd cannot compare
# them; the consumer does. pwdMustChange enforces expiry and should be as
# write-protected as the hashes.
attributetype ( 1.3.6.1.4.1.9183.2.1.10 NAME 'pwdLastSet'
DESC 'NT pwdLastSet'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
)
attributetype ( 1.3.6.1.4.1.9183.2.1.11 NAME 'pwdCanChange'
DESC 'NT pwdCanChange'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
)
attributetype ( 1.3.6.1.4.1.9183.2.1.12 NAME 'pwdMustChange'
DESC 'NT pwdMustChange'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
)
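# Logon-profile attributes sent to the client. smbHome, script and profile
# are paths the client opens at logon, so whoever can write them can
# redirect a user's logon script/profile to a hostile share: restrict
# write access to the Samba admin DN. 'script' and 'profile' are generic
# names that may collide with other loaded schemas.
attributetype ( 1.3.6.1.4.1.9183.2.1.13 NAME 'smbHome'
    DESC 'smbHome'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
    )
# homeDrive: drive letter mapped to the home share. DESC was a copy-paste
# leftover ('smbHome'); corrected to name this attribute.
attributetype ( 1.3.6.1.4.1.9183.2.1.14 NAME 'homeDrive'
    DESC 'homeDrive'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
    )
attributetype ( 1.3.6.1.4.1.9183.2.1.15 NAME 'script'
    DESC 'script'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
    )
attributetype ( 1.3.6.1.4.1.9183.2.1.16 NAME 'profile'
    DESC 'profile'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
    )
# acctFlags: account control flags (userAccountControl in AD, per the
# table below); this is where an account is disabled, so it needs the
# same write restrictions as the password attributes.
attributetype ( 1.3.6.1.4.1.9183.2.1.17 NAME 'acctFlags'
    DESC 'acctFlags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    )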
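# nextrid: RID allocation counter on the sambaConfig entry. The schema
# gives no atomicity for its read-increment-write; concurrent allocators
# could reuse a RID — TODO confirm how TNG serialises updates.
attributetype ( 1.3.6.1.4.1.9183.2.1.18 NAME 'nextrid'
    DESC 'nextrid'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}
    SINGLE-VALUE )
# id: identifies the sambaConfig entry. The quoted DESC had been split
# across two lines, which is a parse error unless the continuation is
# indented; it is rejoined on one line here. The name 'id' is extremely
# generic and likely to collide with other schemas.
attributetype ( 1.3.6.1.4.1.9183.2.1.19 NAME 'id'
    DESC 'ldap admin user ID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
    SINGLE-VALUE )
# logonTime / logoffTime / kickoffTime: 8-character timestamps, same
# encoding as pwdLastSet. kickoffTime is the forced-logoff time.
attributetype ( 1.3.6.1.4.1.9183.2.1.20 NAME 'logonTime'
    DESC 'logonTime'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
    SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.9183.2.1.21 NAME 'logoffTime'
    DESC 'logoffTime'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
    SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.9183.2.1.22 NAME 'kickoffTime'
    DESC 'kickoffTime'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8}
    SINGLE-VALUE )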
# sambaAccount: one entry per NT user. STRUCTURAL under top, so on slapd
# versions that enforce one structural class per entry it cannot share an
# entry with posixAccount/inetOrgPerson. uidNumber/gidNumber are used here
# but defined elsewhere (nis.schema, presumably — the definitions above
# are commented out); uid, ou, cn and description come from core.schema.
# ObjectClass in MUST is redundant (top requires it) but harmless.
# The MAY list carries the password hashes and acctFlags; the ACLs noted
# on those attributes apply to every entry of this class.
objectclass ( 1.3.6.1.4.1.9183.2.2.1
NAME 'sambaAccount'
DESC 'Provisional sambaAccount'
SUP top
STRUCTURAL
MUST ( ObjectClass $
uid $ uidNumber $ ntuid $ rid )
MAY ( gidNumber $ grouprid
$ ou $ cn $ description $
lmPassword $ ntPassword $
pwdLastSet $ pwdCanChange $ pwdMustChange $
logonTime $ logoffTime $ kickoffTime $
smbHome $ homeDrive $ script $ profile $ acctFlags ) )
# sambaGroup: domain group; members are sambaMember strings looked up by
# groupdb/groupldap.c with a substring filter. Write access to sambaMember
# is the right to grant membership.
objectclass ( 1.3.6.1.4.1.9183.2.2.2
NAME 'sambaGroup'
DESC 'Provisional sambaGroup'
SUP top
STRUCTURAL
MUST ( ObjectClass $
cn $ rid )
MAY ( ntuid $ sambaMember
$ description ) )
# sambaBuiltin: BUILTIN group (searched by groupdb/builtinldap.c); rid and
# sid optional. Membership confers local privilege, so sambaMember here
# deserves the tightest write ACL.
objectclass ( 1.3.6.1.4.1.9183.2.2.3
NAME 'sambaBuiltin'
DESC 'Provisional sambaBuiltin'
SUP top
STRUCTURAL
MUST ( ObjectClass $
cn )
MAY ( sid $ rid $ sambaMember
$ ntuid $ description ) )
# sambaConfig: singleton with Samba-internal state (admin 'id' and the
# nextrid counter). Writable by the Samba admin DN only; a tampered
# nextrid leads to RID reuse.
objectclass ( 1.3.6.1.4.1.9183.2.2.4
NAME 'sambaConfig'
DESC 'Provisional sambaConfig'
SUP top
STRUCTURAL
MUST ( ObjectClass $
id $ nextrid ) )
# sambaAlias: local (alias) group searched by groupdb/aliasldap.c;
# structurally identical to sambaBuiltin, told apart only by the
# (objectclass=sambaAlias) filter.
objectclass ( 1.3.6.1.4.1.9183.2.2.5
NAME 'sambaAlias'
DESC 'Provisional sambaAlias'
SUP top
STRUCTURAL
MUST ( ObjectClass $
cn )
MAY ( sid $ rid $ sambaMember
$ ntuid $ description ) )
--
Samba-TNG | Samba 2.x (old) | Active Directory | Comments | ObjectClass |
accountExpires | - | accountExpires | The accountExpires property specifies when the account will expire. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. A value of TIMEQ_FOREVER indicates that the account never expires. | |
cn | cn | cn | Specify the name of the user object in the directory. This will be the object's relative distinguished name (RDN) within the container where you create the user. | |
dBCSPwd | lmPassword | dBCSPwd | dBCSPwd roughly maps to lmPassword, but the syntax is different (and will be very different in the final version) | |
description | description | description | The description property is a single-valued property that contains the description to display for the user. | |
displayName | - | displayName | (Display-Name)
The displayName is the name displayed in the address book for a particular user. This is usually the combination of the user's first name, middle initial, and last name. displayName is a textual description of the user, i.e. its full name; dn, instead, is the distinguished name. If no "displayName" is available, "cn" is used as &usr->uni_full_name |
|
dn | dn | dn | dn is the distinguished name.
displayName/dn are _not_ related. |
|
dNSHostName | - | dNSHostName | dNSHostName is the DNS name of a computer object in the directory, not the address of the LDAP server being queried.
Example from the ADSI documentation: `sComputer = Server.Get("dNSHostName")` — "Display the DNS name for the computer" — reads the dNSHostName property of the server object, i.e. the DNS name of the DC holding the schema master. |
|
gECOS | - | n/a | unix
real name in Unix (getpwent, setpwent, endpwent...) |
|
gidNumber | gidNumber | n/a | unix
unix group number |
|
(grouprid) | grouprid | (grouprid) | groupRid is absorbed into the objectSid attribute | |
groupType | - | groupType | groupType is _not_ groupRid. groupRid is
absorbed into the objectSid attribute. groupType is a
new attribute.
Note that ADS_* in NT5 are renamed NTDS_* in Samba. In NT5 domains there is a single class called group for all group scopes (Domain Local, Global, Universal) and types (security, distribution). Following the same pattern as the other combinations: Global Security : NTDS_GROUP_TYPE_GLOBAL_GROUP | NTDS_GROUP_TYPE_SECURITY_ENABLED
Domain Local Security : NTDS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | NTDS_GROUP_TYPE_SECURITY_ENABLED Universal Security : NTDS_GROUP_TYPE_UNIVERSAL_GROUP | NTDS_GROUP_TYPE_SECURITY_ENABLED Global Distribution : NTDS_GROUP_TYPE_GLOBAL_GROUP Domain Local Distribution : NTDS_GROUP_TYPE_DOMAIN_LOCAL_GROUP Universal Distribution : NTDS_GROUP_TYPE_UNIVERSAL_GROUP
...
|
G |
homeDirectory | smbHome | homeDirectory | The homeDirectory property specifies the path
of the home directory for the user. The string can be null.
If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. If homeDrive is not set, homeDirectory should be a local path (such as C:\mylocaldir). |
|
homeDrive | homeDrive | homeDrive | The homeDrive property specifies the drive letter to which to map the
UNC path specified by homeDirectory. The drive letter must be specified
in the following form:
driveletter: where driveletter is the letter of the drive to map. For example: Z: If this property is not set, the homeDirectory should be a local path (such as C:\mylocaldir). |
|
- | id | - | (see user) | |
kickoffTime | - | kickoffTime | ...the time at which the user will be told "you are going to be logged out soon, or now" (forced logoff). | |
lastLogon | - | lastLogon | (Non-replicated)
The lastLogon property specifies when the last logon occurred. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. This property is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used. |
|
loginShell | - | n/a | unix
unix login shell |
|
logonHours | - | logonHours | timetable allowed | |
member | member | member | The members of a group are stored in a multi-valued property called member. The group membership may potentially contain a large number of values. This can be inconvenient or even impossible when the number of values in a multi-valued attribute becomes very large. | G |
memberOf | - | memberOf | The memberOf property is a multi-valued property that contains groups
of which the user is a direct member, depending on the domain controller
(DC) from which this property is retrieved:
* At a DC for the domain containing the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user's membership in domain local and global groups in other domains. * At a GC server, memberOf for the user is complete with respect to all universal group memberships. If both conditions are true about the DC, both sets of information are contained in memberOf. Note that this property lists the groups that contain the user in their member property—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the membersOf property of user O would list group C and group B but not group A. This property is not stored—it is a computed back-link attribute. |
|
mSSFUName | - | n/a | The Unix account name: either mSSFUName or uid can specify it | |
name | - | name | name RDN is the cn. | |
nETBIOSName | - | nETBIOSName | In addition to the dnsRoot (DNS name of the domain) and nCName (distinguished
name for the domain) properties, the crossRef object also contains the
nETBIOSName (NetBIOS name of the domain) and trustParent (distinguished
name for the crossRef object representing the domain's direct parent domain)
properties.
Active Directory can also have external cross references that refer to objects outside of the forest. External cross references must be added explicitly by an administrator. Note that the target server of the external cross reference must have a DNS root, that is, it must adhere to RFC 2247. The NetBIOS name of a computer is the sAMAccountName property of a computer
object.
|
|
nextRid | nextrid | n/a | unix, samba-internal | |
- | nickname | - | ||
- | ntuid | - | ||
objectClass
|
objectClass
|
objectClass
|
typical objectClass filters (any value substituted for %s or %d must be escaped per RFC 2254 before it goes into the filter, or it can change the filter's structure):
(objectClass=Group)(groupType=%d) (objectClass=Group)(sAMAccountName=%s)(groupType=%d) (objectClass=Group)(gidNumber=%d)(groupType=%d) (objectClass=Group)(member=%s)(groupType=%d) |
|
objectGuid | - | objectGUID | (Object-GUID)
The objectGUID property is a single-valued property that is the unique identifier for the object. This property is a Globally Unique Identifier (GUID). When an object is created in the directory, Active Directory generates a GUID and assigns it to the object's objectGUID property. The GUID is unique across the enterprise and anywhere else. The objectGUID is a 128-bit GUID structure stored as an OctetString. Because an object's distinguished name changes if the object is renamed or moved, the domain name is not a reliable identifier for an object. In Active Directory, an object’s objectGUID property is never changed, even if the object is renamed or moved to different places. Note that you can retrieve the string form of the objectGUID using the IADs::get_GUID method. |
|
objectSid | - | objectSid | (Object-Sid)
The objectSid property is a single-valued property that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. It is a binary value that is set by the system when the user is created. Each user has a unique SID issued by a Windows 2000 domain and stored in objectSid property of the user object in the directory. Each time a user logs on, the system retrieves the user's SID from the directory and places it in the user's access token. The user's SID is also used to retrieve the SIDs for the groups of which the user is a member and places them in the user's access token. The system uses the SIDs in the user's access token to identify the user and his/her group memberships in all subsequent interactions with Windows NT security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. |
|
- | ou | - | Groups vs. Organizational Units
Groups are distinct from organizational units (OUs). OUs are useful for creating a hierarchy for administrative delegation or setting group policy. Groups are used for granting access and creating distribution lists. Groups and organizational units also differ in regard to the domain boundaries to which they are applied. You can create groups to contain users, computers, or shared resources on a local server, a single domain, or multiple domains in a forest. Organizational units represent a collection of objects (including group objects) only within the context of a single domain. Users can be placed in any container or organizational unit in a domain as well as the root of the domain. This means that users can be in numerous locations in the directory hierarchy. You can perform a deep search for (objectCategory=user) to find all users in a container, organizational unit, domain, domain tree, or forest—depending on the object that the IDirectorySearch pointer you're using is bound to. |
|
primaryGroupId | - | primaryGroupID | The primaryGroupID property is a single-valued property containing the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group. This property is not used in the context of the Active Directory. | |
profilePath | profile | profilePath | The profilePath property specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. | |
pwdCanChange | pwdCanChange | pwdCanChange | see: userAccountControl | |
pwdLastSet | pwdLastSet | pwdLastSet | The pwdLastSet property specifies when the user last set the password.
This value is stored as a large integer that represents the number of seconds
elapsed since 00:00:00, January 1, 1970.
The system uses the value of this property and the maxPwdAge property of the domain containing the user object to calculate the password expiration date (sum of pwdLastSet for the user and maxPwdAge of the user's domain). pwdLastSet also controls whether the user must change the password the next time the user logs on. Default is 0. Zero (0) means the user must change the password at next logon. The value -1 means the user does not need to change the password at next logon. The system sets this value to -1 after the user has set the password. |
|
- | pwdMustChange | - | ||
- | rid | - | It is not used | |
sAMAccountName | - | sAMAccountName | (SAM-Account-Name)
The sAMAccountName property is a single-valued property that is the logon name used to support clients and servers from a previous version of Windows (such as Windows NT® 4.0 and earlier, Windows 95, Windows 98, and LAN Manager). Note that the sAMAccountName should be less than 20 characters to support these clients and servers. The sAMAccountName must be unique among all security principal objects within the domain. You should query for the new name against the domain to verify that the sAMAccountName is unique in the domain. The sAMAccountName must be unique among all security principal objects within a domain container. |
|
(objectClass=Group) | sambaBuiltin
sambaConfig sambaGroup |
- | For different types of groups, groupType is set differently.
(objectClass=Group)(groupType=%d)
/* groupType */
|
|
scriptPath | script | scriptPath | The scriptPath property specifies the path of the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. | |
servicePrincipalName | - | servicePrincipalName | preserved but not used by Samba
User or computer class objects have a servicePrincipalName attribute, which is a multi-valued attribute for storing all the SPNs associated with a user or computer account. If the service runs under a user account, the SPNs are stored in the servicePrincipalName attribute of that account. If the service runs in the LocalSystem account, the SPNs are stored in the servicePrincipalName attribute of the account of the service’s host computer. |
|
sid | sid | sid | Octet string containing a security identifier (SID). | |
uid | uid | n/a | Unix user name (login id) | |
uidNumber | uidNumber | n/a | Unix numeric user id | |
unicodePwd | ntPassword | unicodePwd | unicodePwd corresponds to ntPassword but with a different syntax.
The unicodePwd property is the password for the NT user. Note that the code fragment `if (ldapdb_get_value_len(hds, "dBCSPwd", &bv))` reads dBCSPwd (the lmPassword counterpart), not unicodePwd. Like lmPassword/ntPassword, both dBCSPwd and unicodePwd hold password-equivalent hash material and need the same access-control and transport (TLS) protection in whatever directory stores them.
|
|
user | sambaAccount | user | (objectClass=User) | |
userAccountControl | acctFlags | userAccountControl | userAccountControl replaces acctFlags, but the syntax
is different.
The flags are defined in LMACCESS.h, where UF_* was replaced by NTDS_UF_*. The userAccountControl property specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. The user object usually has UF_NORMAL_ACCOUNT set. NTDS_UF_SCRIPT : the logon script is executed. This value
must be set for LAN Manager 2.0 or Windows NT.
|
|
userPrincipalName | - | userPrincipalName | preserved but not used by Samba
The userPrincipalName is a single-valued that is a string that specifies
the user principal name (UPN) of the user. The UPN is an Internet-style
login name for the user based on the Internet standard RFC 822. The UPN
is shorter than the distinguished name and easier to remember. By convention,
this should map to the user's e-mail name. The point of the UPN is to
consolidate the e-mail and logon namespaces so that the user need only
remember a single name.
|
|
userWorkstations | workstations | userWorkstations | The userWorkstations property is a single-valued property containing
the NetBIOS names of the computers running Windows NT Workstation/Windows
2000 Professional from which the user can log on. Each NetBIOS name is
separated by a comma. The NetBIOS name of a computer is the sAMAccountName
property of a computer object.
If there are no values set, it indicates that there is no restriction. To disable logons from all computers running Windows NT Workstation/Windows 2000 Professional to this account, set the UF_ACCOUNTDISABLE value in userAccountControl property. This value is defined in LMACCESS.H. |