SambaTNG - PDC LDAP schemas

20010626.01

Ignacio Coupeau
CTI, University of Navarra



Under heavy construction

TNG "old" schema openldap 2.x



ToDo
Please replace our OID (1.3.6.1.4.1.7114) with your own OID or the official TNG OID (9183). For now I have used mine, because this schema is only for my tests ;-)
Note that in the future schema the uidNumber and gidNumber attributes should be fetched via the getpw*() routines, so they may disappear from the schema.
 

Compiling
To compile openldap-2.0.x on RedHat 6.2: if you get a dn_ link error, you must add the -lresolv library:

LIBS=-lreadline -lcurses  -ldl -lcrypt -lldap -llber  -lresolv


The Schema changes
I replaced member with sambaMember, because the syntax
    member: <member_id>,<rid>,<class>
is not compatible with the core/cosine "member" attribute, whose values are distinguished names.

Also, in the code you have to replace the attribute name member with sambaMember in several places. I think the TNG people are going to fix it, but you should test it:

./groupdb/aliasldap.c-DIST
./groupdb/builtinldap.c-DIST
./groupdb/groupldap.c-DIST
diff ./groupdb/aliasldap.c-DIST ./groupdb/aliasldap.c
78c78
<       if(values = ldap_get_values(ldap_struct, ldap_entry, "member")) {
---
>       if(values = ldap_get_values(ldap_struct, ldap_entry, "sambaMember")) {
158c158
<       ldap_make_mod(mods, operation, "member", member);
---
>       ldap_make_mod(mods, operation, "sambaMember", member);
370c370
<                "(&(member=%s,*)(objectclass=sambaAlias))", name);
---
>                "(&(sambaMember=%s,*)(objectclass=sambaAlias))", name);
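Review bot: `name` is formatted into the search filter through `%s` on the `>` line without escaping; a name containing `*`, `(`, `)` or `\` changes the meaning of `(&(sambaMember=%s,*)(objectclass=sambaAlias))`, since RFC 2254 requires those characters to appear as `\2a`, `\28`, `\29` and `\5c` inside an assertion value. Escape `name` before the format call (and size the target buffer for the escaped length); the same applies to the identical filter hunks in builtinldap.c and groupldap.c.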

diff ./groupdb/builtinldap.c-DIST ./groupdb/builtinldap.c
78c78
<       if(values = ldap_get_values(ldap_struct, ldap_entry, "member")) {
---
>       if(values = ldap_get_values(ldap_struct, ldap_entry, "sambaMember")) {
159c159
<       ldap_make_mod(mods, operation, "member", member);
---
>       ldap_make_mod(mods, operation, "sambaMember", member);
371c371
<                "(&(member=%s,*)(objectclass=sambaBuiltin))", name);
---
>                "(&(sambaMember=%s,*)(objectclass=sambaBuiltin))", name);
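Review bot: the assertion `%s,*` on the `>` line is a substring filter, so it is only evaluable if sambaMember carries a SUBSTR matching rule. The first proposed schema on this page declares `SUBSTR caseIgnoreSubstringsMatch` for it, but the merged sambatng.schema declares only `EQUALITY caseIgnoreIA5Match`; with that schema OpenLDAP treats the filter component as Undefined and the search silently returns no builtin groups. Either add `SUBSTR caseIgnoreIA5SubstringsMatch` to the attribute in sambatng.schema or match on the complete stored value.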

diff ./groupdb/groupldap.c-DIST ./groupdb/groupldap.c
81c81
<       if(values = ldap_get_values(ldap_struct, ldap_entry, "member")) {
---
>       if(values = ldap_get_values(ldap_struct, ldap_entry, "sambaMember")) {
164c164
<       ldap_make_mod(mods, operation, "member", member);
---
>       ldap_make_mod(mods, operation, "sambaMember", member);
383c383
<                "(&(member=%s,*)(objectclass=sambaGroup))", name);
---
>                "(&(sambaMember=%s,*)(objectclass=sambaGroup))", name);
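The sambaMember value format from the schema changes section and the membership filter used in the diffs above, as an added Python example (not code from the page or from Samba TNG): it validates a stored value, escapes the looked-up name per RFC 4515 before formatting it into the filter, and compares members the way the case-insensitive matching rules would. That the <rid> field is hex like the rid attribute and that <class> is a free string are assumptions of this example.

```python
"""Validate Samba-TNG sambaMember values and build the membership filter.

Added example, not code from the page or from Samba TNG.  The page stores
group membership as one sambaMember value per member:
    <member_id>,<rid>,<class>
and the patched groupdb/*ldap.c code searches with
    (&(sambaMember=%s,*)(objectclass=sambaGroup))
Here the looked-up name is escaped (RFC 4515) before it is interpolated.
"""
from dataclasses import dataclass
import re

# RFC 4515: these characters are special inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class SambaMember:
    member_id: str
    rid: int    # assumed hex in the stored value, like the page's 'NT hex RID'
    cls: str    # <class> field; its meaning is not defined on the page


def parse_samba_member(raw: str) -> SambaMember:
    """Split a stored sambaMember value into its three fields.

    The attribute has IA5 syntax with a length bound of 128, so the value is
    checked against that as well as against the three-field shape.
    """
    if len(raw) > 128:
        raise ValueError("sambaMember exceeds the schema length bound {128}")
    if not raw.isascii():
        raise ValueError("sambaMember must be IA5 (ASCII)")
    parts = raw.split(",")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected <member_id>,<rid>,<class>, got {raw!r}")
    member_id, rid_hex, cls = parts
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", rid_hex):
        raise ValueError(f"rid {rid_hex!r} is not a hex RID of up to 8 digits")
    return SambaMember(member_id, int(rid_hex, 16), cls)


def membership_filter(name: str, objectclass: str = "sambaGroup") -> str:
    """The filter the patched code builds, with `name` escaped.

    Unescaped, a name such as 'x,*)(objectclass=*' would rewrite the filter.
    """
    if objectclass not in ("sambaGroup", "sambaAlias", "sambaBuiltin"):
        raise ValueError(f"unknown group objectclass {objectclass!r}")
    return (f"(&(sambaMember={escape_filter_value(name)},*)"
            f"(objectclass={objectclass}))")


def members_named(values, name: str):
    """Client-side equivalent of the substring filter: members whose
    member_id equals `name`, compared case-insensitively like caseIgnore*."""
    return [m for m in map(parse_samba_member, values)
            if m.member_id.lower() == name.lower()]


if __name__ == "__main__":
    # Constructed sample values in the page's <member_id>,<rid>,<class> form.
    sample = ["jdoe,3e9,1", "asmith,3ea,1", "JDOE,3eb,2"]
    print(membership_filter("jdoe"))
    print(membership_filter("a*b)(cn=*"))   # special characters are escaped
    for member in members_named(sample, "jdoe"):
        print(member)
```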

Proposed ldap v3 schema
--

# req. core   (uid, etc).
# req. cosine (organization)

attributetype ( 1.3.6.1.4.1.7114.2.1.1 NAME 'sambaMember'
        DESC 'samba member'
#       EQUALITY caseIgnoreIA5Match
#       From: "Rodney Barnett" <rbarnett@neuromics.com>
#       Date: Thu, 5 Apr 2001 08:43:16 -0500
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.7114.2.1.2 NAME 'uidNumber'
        DESC 'Unix user ID-number'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.3 NAME 'ntuid'
        DESC 'NT user ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.4 NAME 'rid'
        DESC 'NT hex RID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.5 NAME 'gidNumber'
        DESC 'Unix group ID'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.6 NAME 'grouprid'
        DESC 'NT group RID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.7 NAME 'sid'
        DESC 'NT SID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.8 NAME 'lmPassword'
        DESC 'LanManager Passwd'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

attributetype ( 1.3.6.1.4.1.7114.2.1.9 NAME 'ntPassword'
        DESC 'nt Passwd'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

attributetype ( 1.3.6.1.4.1.7114.2.1.10 NAME 'pwdLastSet'
        DESC 'NT pwdLastSet'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.7114.2.1.11 NAME 'pwdCanChange'
        DESC 'NT pwdCanChange'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.7114.2.1.12 NAME 'pwdMustChange'
        DESC 'NT pwdMustChange'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.7114.2.1.13 NAME 'smbHome'
        DESC 'smbHome'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.7114.2.1.14 NAME 'homeDrive'
        DESC 'smbHome'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.7114.2.1.15 NAME 'script'
        DESC 'script'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.7114.2.1.16 NAME 'profile'
        DESC 'profile'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.7114.2.1.17 NAME 'acctFlags'
        DESC 'acctFlags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} )

attributetype ( 1.3.6.1.4.1.7114.2.1.18 NAME 'nextrid'
        DESC 'nextrid'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.19 NAME 'id'
        DESC 'ldap admin user ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.20 NAME 'logonTime'
        DESC 'logonTime'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.21 NAME 'logoffTime'
        DESC 'logoffTime'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7114.2.1.22 NAME 'kickoffTime'
        DESC 'kickoffTime'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.7114.2.2.1
        NAME 'sambaAccount'
        DESC 'Provisional sambaAccount'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ uid $ uidNumber $ ntuid $ rid )
        MAY ( gidNumber $ grouprid $ ou $ cn $ description $
                lmPassword $ ntPassword $
                pwdLastSet $ pwdCanChange $ pwdMustChange $
                logonTime $ logoffTime $ kickoffTime $
                smbHome $ homeDrive $ script $ profile $ acctFlags ) )

objectclass ( 1.3.6.1.4.1.7114.2.2.2
        NAME 'sambaGroup'
        DESC 'Provisional sambaGroup'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ cn $ rid )
        MAY ( ntuid $ sambaMember $ description ) )

objectclass ( 1.3.6.1.4.1.7114.2.2.3
        NAME 'sambaBuiltin'
        DESC 'Provisional sambaBuiltin'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ cn )
        MAY ( sid $ rid $ sambaMember $ ntuid $ description ) )

objectclass ( 1.3.6.1.4.1.7114.2.2.4
        NAME 'sambaConfig'
        DESC 'Provisional sambaConfig'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ id $ nextrid ) )

objectclass ( 1.3.6.1.4.1.7114.2.2.5
        NAME 'sambaAlias'
        DESC 'Provisional sambaAlias'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ cn )
        MAY ( sid $ rid $ sambaMember $ ntuid $ description ) )
--
 

The schema that seems to be the official one (modified by Armin Herbert, Barnett, Mirko Manea, Joe Little and others):
--
# sambatng.schema       - Version 0.0.1         - 2001/04/17    - herbert
#
# Copyrights:
#       Ignacio Coupeau <icoupeau@unav.es>      (original author)
#       Joe Little <jlittle@cis.Stanford.EDU>   (improvements)
#       Armin Herbert <herbert@ph-freiburg.de>  (merging)
#
# Samba TNG - LDAPv3 schema
#
# Requires:
#       core.schema
#       cosine.schema
#       nis.schema    (uidnumber and gidnumber)
#
# Provides:
#       1.3.6.1.4.1.9183.2      =  NT4DOM specs for use with --with-ldap
 

attributetype ( 1.3.6.1.4.1.9183.2.1.1 NAME 'sambaMember'
        DESC 'samba member'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

#attributetype ( 1.3.6.1.4.1.9183.2.1.2 NAME 'uidNumber'
#       DESC 'Unix user ID-number'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.3 NAME 'ntuid'
        DESC 'NT user ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.4 NAME 'rid'
        DESC 'NT hex RID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.9183.2.1.5 NAME 'gidNumber'
#       DESC 'Unix group ID'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.6 NAME 'grouprid'
        DESC 'NT group RID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.7 NAME 'sid'
        DESC 'NT SID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.8 NAME 'lmPassword'
        DESC 'LanManager Passwd'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

attributetype ( 1.3.6.1.4.1.9183.2.1.9 NAME 'ntPassword'
        DESC 'nt Passwd'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

attributetype ( 1.3.6.1.4.1.9183.2.1.10 NAME 'pwdLastSet'
        DESC 'NT pwdLastSet'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.11 NAME 'pwdCanChange'
        DESC 'NT pwdCanChange'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.12 NAME 'pwdMustChange'
        DESC 'NT pwdMustChange'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.13 NAME 'smbHome'
        DESC 'smbHome'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.9183.2.1.14 NAME 'homeDrive'
        DESC 'smbHome'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.15 NAME 'script'
        DESC 'script'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.9183.2.1.16 NAME 'profile'
        DESC 'profile'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.9183.2.1.17 NAME 'acctFlags'
        DESC 'acctFlags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} )

attributetype ( 1.3.6.1.4.1.9183.2.1.18 NAME 'nextrid'
        DESC 'nextrid'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.19 NAME 'id'
        DESC 'ldap admin user ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.20 NAME 'logonTime'
        DESC 'logonTime'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.21 NAME 'logoffTime'
        DESC 'logoffTime'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.22 NAME 'kickoffTime'
        DESC 'kickoffTime'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.9183.2.2.1
        NAME 'sambaAccount'
        DESC 'Provisional sambaAccount'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ uid $ uidNumber $ ntuid $ rid )
        MAY ( gidNumber $ grouprid $ ou $ cn $ description $
                lmPassword $ ntPassword $
                pwdLastSet $ pwdCanChange $ pwdMustChange $
                logonTime $ logoffTime $ kickoffTime $
                smbHome $ homeDrive $ script $ profile $ acctFlags ) )
 

objectclass ( 1.3.6.1.4.1.9183.2.2.2
        NAME 'sambaGroup'
        DESC 'Provisional sambaGroup'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ cn $ rid )
        MAY ( ntuid $ sambaMember $ description ) )
 

objectclass ( 1.3.6.1.4.1.9183.2.2.3
        NAME 'sambaBuiltin'
        DESC 'Provisional sambaBuiltin'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ cn )
        MAY ( sid $ rid $ sambaMember $ ntuid $ description ) )

objectclass ( 1.3.6.1.4.1.9183.2.2.4
        NAME 'sambaConfig'
        DESC 'Provisional sambaConfig'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ id $ nextrid ) )

objectclass ( 1.3.6.1.4.1.9183.2.2.5
        NAME 'sambaAlias'
        DESC 'Provisional sambaAlias'
        SUP top
        STRUCTURAL
        MUST ( ObjectClass $ cn )
        MAY ( sid $ rid $ sambaMember $ ntuid $ description ) )

--


The schema's diffs (roughly)



 
Columns: Samba-TNG | Samba 2.x (old) | Active Directory. Comments follow each row, indented; the original table's ObjectClass column is given in brackets where it had a value.

accountExpires | - | accountExpires
    The accountExpires property specifies when the account will expire. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. A value of TIMEQ_FOREVER indicates that the account never expires.

cn | cn | cn
    Specifies the name of the user object in the directory. This will be the object's relative distinguished name (RDN) within the container where you create the user.

dBCSPwd | lmPassword | dBCSPwd
    dBCSPwd roughly maps to lmPassword, but the syntax is different (and will be very different in the final version).

description | description | description
    The description property is a single-valued property that contains the description to display for the user.

displayName | - | displayName
    (Display-Name) The displayName is the name displayed in the address book for a particular user. This is usually the combination of the user's first name, middle initial, and last name. displayName is a textual description of the user, i.e. its full name; dn, instead, is the distinguished name.
    If no displayName is available, the cn is used as &usr->uni_full_name.

dn | dn | dn
    dn is the distinguished name. displayName and dn are _not_ related.

dNSHostName | - | dNSHostName
    dNSHostName is the address of a computer in the directory, not the server address. From the MSDN sample:
        sComputer = Server.Get("dNSHostName")    ' Display the DNS name for the computer
    This gets the dNSHostName property of the server object, i.e. the DNS name of the DC containing the schema master.

gECOS | - | n/a
    unix: the real name in Unix (getpwent, setpwent, endpwent...).

gidNumber | gidNumber | n/a
    unix: the unix group number.

(grouprid) | grouprid | (grouprid)
    groupRid is absorbed into the objectSid attribute.

groupType | - | groupType    [ObjectClass: G]
    groupType is _not_ groupRid. groupRid is absorbed into the objectSid attribute; groupType is a new attribute.
    Note that ADS_* in NT5 are renamed NTDS_* in Samba.
    In NT5 domains there is a single class called group for all group scopes (Domain Local, Global, Universal) and types (security, distribution):
        Global Security:            NTDS_GROUP_TYPE_GLOBAL_GROUP | NTDS_GROUP_TYPE_SECURITY_ENABLED
        Domain Local Security:      NTDS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | NTDS_GROUP_TYPE_SECURITY_ENABLED
        Universal Security:         NTDS_GROUP_TYPE_UNIVERSAL_GROUP | NTDS_GROUP_TYPE_SECURITY_ENABLED
        Global Distribution:        NTDS_GROUP_TYPE_GLOBAL_GROUP
        Domain Local Distribution:  NTDS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
        Universal Distribution:     NTDS_GROUP_TYPE_UNIVERSAL_GROUP
    ...
    Further NTDS_* constants (the NTDS_UF_* ones are the userAccountControl flags, see that row):
        NTDS_GROUP_TYPE_BUILTIN_GROUP
        NTDS_UF_SCRIPT
        NTDS_UF_ACCOUNTDISABLE
        NTDS_UF_HOMEDIR_REQUIRED
        NTDS_UF_LOCKOUT
        NTDS_UF_PASSWD_NOTREQD
        NTDS_UF_PASSWD_CANT_CHANGE
        NTDS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
        NTDS_UF_TEMP_DUPLICATE_ACCOUNT
        NTDS_UF_NORMAL_ACCOUNT
        NTDS_UF_INTERDOMAIN_TRUST_ACCOUNT
        NTDS_UF_WORKSTATION_TRUST_ACCOUNT
        NTDS_UF_DONT_EXPIRE_PASSWD
        NTDS_UF_MNS_LOGON_ACCOUNT
        NTDS_UF_SMARTCARD_REQUIRED
        NTDS_UF_TRUSTED_FOR_DELEGATION
        NTDS_UF_NOT_DELEGATED
        NTDS_UF_USE_DES_KEY_ONLY
        NTDS_UF_DONT_REQUIRE_PREAUTH

homeDirectory | smbHome | homeDirectory
    The homeDirectory property specifies the path of the home directory for the user. The string can be null.
    If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
    If homeDrive is not set, homeDirectory should be a local path (such as C:\mylocaldir).

homeDrive | homeDrive | homeDrive
    The homeDrive property specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form "driveletter:", where driveletter is the letter of the drive to map, for example "Z:". If this property is not set, homeDirectory should be a local path (such as C:\mylocaldir).

- | id | -
    (see user)

kickoffTime | - | kickoffTime
    ...when the user will be told "you're going to be logged out, soon, or now".

lastLogon | - | lastLogon
    (Non-replicated) The lastLogon property specifies when the last logon occurred. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. This property is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used.

loginShell | - | n/a
    unix: the unix login shell.

logonHours | - | logonHours
    Timetable of allowed logon hours.

member | member | member    [ObjectClass: G]
    The members of a group are stored in a multi-valued property called member. The group membership may potentially contain a large number of values. This can be inconvenient or even impossible when the number of values in a multi-valued attribute becomes very large.

memberOf | - | memberOf
    The memberOf property is a multi-valued property that contains the groups of which the user is a direct member, depending on the domain controller (DC) from which this property is retrieved:
    * At a DC for the domain containing the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user's membership in domain local and global groups in other domains.
    * At a GC server, memberOf for the user is complete with respect to all universal group memberships.
    If both conditions are true about the DC, both sets of information are contained in memberOf.
    Note that this property lists the groups that contain the user in their member property; it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B, and group B were nested in group A, the memberOf property of user O would list group C and group B but not group A.
    This property is not stored; it is a computed back-link attribute.

mSSFUName | - | n/a
    This is the unix name: either mSSFUName or uid can specify the unix account name.

name | - | name
    name: the RDN is the cn.

nETBIOSName | - | nETBIOSName
    In addition to the dnsRoot (DNS name of the domain) and nCName (distinguished name for the domain) properties, the crossRef object also contains the nETBIOSName (NetBIOS name of the domain) and trustParent (distinguished name for the crossRef object representing the domain's direct parent domain) properties.
    Active Directory can also have external cross references that refer to objects outside of the forest. External cross references must be added explicitly by an administrator. Note that the target server of the external cross reference must have a DNS root, that is, it must adhere to RFC 2247.
    The NetBIOS name of a computer is the sAMAccountName property of a computer object.

nextRid | nextrid | n/a
    unix, samba-internal.

- | nickname | -

- | ntuid | -

objectClass | objectClass | objectClass
    Samba-TNG: computer, group, organizationalPerson, person, posixAccount, samDomain, domain, securityPrincipal, top, user.
    Samba 2.x (old): sambaAlias, sambaBuiltin, sambaGroup, sambaAccount.
    Active Directory: computer, group, organizationalPerson, person, samDomain, securityPrincipal, top, user.
    Typical objectClass filters:
        (objectClass=Group)(groupType=%d)
        (objectClass=Group)(sAMAccountName=%s)(groupType=%d)
        (objectClass=Group)(gidNumber=%d)(groupType=%d)
        (objectClass=Group)(member=%s)(groupType=%d)

objectGuid | - | objectGUID
    (Object-GUID) The objectGUID property is a single-valued property that is the unique identifier for the object. This property is a Globally Unique Identifier (GUID). When an object is created in the directory, Active Directory generates a GUID and assigns it to the object's objectGUID property. The GUID is unique across the enterprise and anywhere else.
    The objectGUID is a 128-bit GUID structure stored as an OctetString.
    Because an object's distinguished name changes if the object is renamed or moved, the distinguished name is not a reliable identifier for an object. In Active Directory, an object's objectGUID property is never changed, even if the object is renamed or moved to different places. Note that you can retrieve the string form of the objectGUID using the IADs::get_GUID method.

objectSid | - | objectSid
    (Object-Sid) The objectSid property is a single-valued property that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. It is a binary value that is set by the system when the user is created.
    Each user has a unique SID issued by a Windows 2000 domain and stored in the objectSid property of the user object in the directory. Each time a user logs on, the system retrieves the user's SID from the directory and places it in the user's access token. The user's SID is also used to retrieve the SIDs for the groups of which the user is a member and place them in the user's access token. The system uses the SIDs in the user's access token to identify the user and his/her group memberships in all subsequent interactions with Windows NT security.
    When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.

- | ou | -
    Groups vs. Organizational Units: groups are distinct from organizational units (OUs). OUs are useful for creating a hierarchy for administrative delegation or setting group policy. Groups are used for granting access and creating distribution lists.
    Groups and organizational units also differ in regard to the domain boundaries to which they are applied. You can create groups to contain users, computers, or shared resources on a local server, a single domain, or multiple domains in a forest. Organizational units represent a collection of objects (including group objects) only within the context of a single domain.
    Users can be placed in any container or organizational unit in a domain as well as the root of the domain. This means that users can be in numerous locations in the directory hierarchy. You can perform a deep search for (objectCategory=user) to find all users in a container, organizational unit, domain, domain tree, or forest, depending on the object that the IDirectorySearch pointer you're using is bound to.

primaryGroupId | - | primaryGroupID
    The primaryGroupID property is a single-valued property containing the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group. This property is not used in the context of the Active Directory.

profilePath | profile | profilePath
    The profilePath property specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.

pwdCanChange | pwdCanChange | pwdCanChange
    See userAccountControl.

pwdLastSet | pwdLastSet | pwdLastSet
    The pwdLastSet property specifies when the user last set the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970.
    The system uses the value of this property and the maxPwdAge property of the domain containing the user object to calculate the password expiration date (sum of pwdLastSet for the user and maxPwdAge of the user's domain).
    It also controls whether the user must change the password the next time the user logs on. Default is 0. Zero (0) means the user must change the password at next logon. The value -1 means the user does not need to change the password at next logon. The system sets this value to -1 after the user has set the password.

- | pwdMustChange | -

- | rid | -
    It is not used.

sAMAccountName | - | sAMAccountName
    (SAM-Account-Name) The sAMAccountName property is a single-valued property that is the logon name used to support clients and servers from a previous version of Windows (such as Windows NT 4.0 and earlier, Windows 95, Windows 98, and LAN Manager). Note that the sAMAccountName should be less than 20 characters to support these clients and servers.
    The sAMAccountName must be unique among all security principal objects within the domain. You should query for the new name against the domain to verify that the sAMAccountName is unique in the domain.

(objectClass=Group) | sambaBuiltin, sambaConfig, sambaGroup | -
    For different types of groups, groupType is set differently:
        (objectClass=Group)(groupType=%d)
        (objectClass=Group)(sAMAccountName=%s)(groupType=%d)
        (objectClass=Group)(gidNumber=%d)(groupType=%d)
        (objectClass=Group)(member=%s)(groupType=%d)

    /* groupType */
    typedef enum
    {
      NTDS_GROUP_TYPE_BUILTIN_GROUP       = 0x00000001,
      NTDS_GROUP_TYPE_GLOBAL_GROUP        = 0x00000002,
      NTDS_GROUP_TYPE_DOMAIN_LOCAL_GROUP  = 0x00000004,
      NTDS_GROUP_TYPE_UNIVERSAL_GROUP     = 0x00000008,
      NTDS_GROUP_TYPE_SECURITY_ENABLED    = 0x80000000
    } NTDS_GROUP_TYPE_ENUM;

scriptPath | script | scriptPath
    The scriptPath property specifies the path of the user's logon script, a .CMD, .EXE, or .BAT file. The string can be null.

servicePrincipalName | - | servicePrincipalName
    servicePrincipalName is preserved but not used by SAMBA.
    User or computer class objects have a servicePrincipalName attribute, which is a multi-valued attribute for storing all the SPNs associated with a user or computer account. If the service runs under a user account, the SPNs are stored in the servicePrincipalName attribute of that account. If the service runs in the LocalSystem account, the SPNs are stored in the servicePrincipalName attribute of the account of the service's host computer.

sid | sid | sid
    Octet string containing a security identifier (SID).

uid | uid | n/a
    unix: the user id (name).

uidNumber | uidNumber | n/a
    unix: the user id number.

unicodePwd | ntPassword | unicodePwd
    unicodePwd was ntPassword, but with a different syntax. The unicodePwd property is the password for the NT user.

    if (ldapdb_get_value_len(hds, "dBCSPwd", &bv))
            if (!berval_to_unicodepwd(bv, usr->lm_pwd))

user | sambaAccount | user
    (objectClass=User)

userAccountControl | acctFlags | userAccountControl
    userAccountControl replaces acctFlags, but the syntax is different.
    The flags are defined in LMACCESS.H; in Samba UF_* is replaced by NTDS_UF_*.
    The userAccountControl property specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. The user object usually has UF_NORMAL_ACCOUNT set.
    NTDS_UF_SCRIPT: The logon script is executed. This value must be set for LAN Manager 2.0 or Windows NT.
    NTDS_UF_ACCOUNTDISABLE: The user's account is disabled.
    NTDS_UF_HOMEDIR_REQUIRED: The home directory is required. This value is ignored in Windows NT and Windows 2000.
    NTDS_UF_LOCKOUT: The account is currently locked out. This value can be cleared to unlock a previously locked account. This value cannot be used to lock a previously unlocked account.
    NTDS_UF_PASSWD_NOTREQD: No password is required.
    NTDS_UF_PASSWD_CANT_CHANGE: The user cannot change the password.
    NTDS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
    NTDS_UF_TEMP_DUPLICATE_ACCOUNT: This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. The User Manager refers to this account type as a local user account.
    NTDS_UF_NORMAL_ACCOUNT: This is a default account type that represents a typical user.
    NTDS_UF_INTERDOMAIN_TRUST_ACCOUNT: This is a permit-to-trust account for a Windows NT domain that trusts other domains.
    NTDS_UF_WORKSTATION_TRUST_ACCOUNT: This is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain.
    NTDS_UF_SERVER_TRUST_ACCOUNT: This is a computer account for a Windows NT Backup Domain Controller that is a member of this domain.
    NTDS_UF_DONT_EXPIRE_PASSWD: The password on the account should never expire.
    NTDS_UF_MNS_LOGON_ACCOUNT
    NTDS_UF_SMARTCARD_REQUIRED
    NTDS_UF_TRUSTED_FOR_DELEGATION
    NTDS_UF_NOT_DELEGATED
    NTDS_UF_USE_DES_KEY_ONLY
    NTDS_UF_DONT_REQUIRE_PREAUTH

userPrincipalName | - | userPrincipalName
    userPrincipalName is preserved but not used by SAMBA.
    The userPrincipalName is a single-valued string that specifies the user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user's e-mail name. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name.
    The UPN is the preferred logon name for Windows 2000 users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog. Failure to find the UPN in the local domain or the GC results in rejection of the UPN.
    The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the @ (at sign) symbol to make the complete UPN. For example, the user Someone who has an account in the Arcadiabay domain would have a UPN of someone@arcadiabay.com.
    The UPN must be unique among all security principal objects within the directory forest. By default (that is, for the built-in user accounts and user accounts created using the Active Directory Users and Computers snap-in), the UPN can consist of any name for the user (such as the sAMAccountName property of the user) and the domain tree name to which the user belongs, in the form Name@treeName. The treeName is the domain name system (DNS) name of a domain, but is not required to be the name of the domain containing the user.
    When creating a new user object, you should check the local domain and the global catalog for the proposed name to ensure it does not already exist.

userWorkstations | workstations | userWorkstations
    The userWorkstations property is a single-valued property containing the NetBIOS names of the computers running Windows NT Workstation/Windows 2000 Professional from which the user can log on. Each NetBIOS name is separated by a comma. The NetBIOS name of a computer is the sAMAccountName property of a computer object.
    If there are no values set, it indicates that there is no restriction. To disable logons from all computers running Windows NT Workstation/Windows 2000 Professional to this account, set the UF_ACCOUNTDISABLE value in the userAccountControl property. This value is defined in LMACCESS.H.
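Decoding and composing groupType, as an added Python example (not from the page or from Samba TNG): it uses the NTDS_GROUP_TYPE_* values from the enum in the table above and the six scope/type combinations listed under groupType, and shows why the same value appears negative when stored as an LDAP INTEGER or printed with C's %d. Accepting BUILTIN_GROUP combined with a scope bit is this example's own generalisation of the page's list.

```python
"""Decode, compose and query Active Directory groupType values.

Added example, not code from the page or from Samba TNG.  Bit values are the
NTDS_GROUP_TYPE_ENUM shown on the page; the scope/type names are the six
combinations the page lists under groupType.
"""
from enum import IntFlag
from typing import Optional


class GroupType(IntFlag):
    """NTDS_GROUP_TYPE_* bits, values as in the page's enum."""
    BUILTIN_GROUP      = 0x00000001
    GLOBAL_GROUP       = 0x00000002
    DOMAIN_LOCAL_GROUP = 0x00000004
    UNIVERSAL_GROUP    = 0x00000008
    SECURITY_ENABLED   = 0x80000000


_SCOPE_NAMES = {
    GroupType.GLOBAL_GROUP: "Global",
    GroupType.DOMAIN_LOCAL_GROUP: "Domain Local",
    GroupType.UNIVERSAL_GROUP: "Universal",
}
_ALL_BITS = 0x8000000F


def from_ldap_attribute(text: str) -> int:
    """groupType is an LDAP INTEGER holding a signed 32-bit value, so every
    security-enabled group is stored as a negative number (e.g. -2147483646).
    Return the unsigned 32-bit bit pattern."""
    return int(text, 10) & 0xFFFFFFFF


def to_ldap_attribute(flags: int) -> str:
    """Inverse of from_ldap_attribute: the string an LDAP client must send,
    which is also what C's printf("%d") yields for the same 32-bit value."""
    flags &= 0xFFFFFFFF
    return str(flags - 0x100000000 if flags & 0x80000000 else flags)


def compose_group_type(scope: str, security_enabled: bool) -> int:
    """Build a groupType from a scope name and security/distribution type,
    as in the page's 'Global Security: GLOBAL_GROUP | SECURITY_ENABLED'."""
    for bit, name in _SCOPE_NAMES.items():
        if name.lower() == scope.lower():
            sec = GroupType.SECURITY_ENABLED if security_enabled else 0
            return int(bit | sec)
    raise ValueError(f"unknown group scope {scope!r}")


def decode_group_type(value: int) -> str:
    """Return e.g. 'Global Security' or 'Universal Distribution'.

    Rejects unknown bits and values with no or several scope bits, which a
    well-formed group object never carries.  BUILTIN_GROUP (from the page's
    constant list) is reported as a 'Builtin ' prefix."""
    flags = value & 0xFFFFFFFF
    if flags & ~_ALL_BITS:
        raise ValueError(f"unknown groupType bits in {flags:#010x}")
    kind = "Security" if flags & GroupType.SECURITY_ENABLED else "Distribution"
    builtin = "Builtin " if flags & GroupType.BUILTIN_GROUP else ""
    scopes = [name for bit, name in _SCOPE_NAMES.items() if flags & bit]
    if len(scopes) > 1 or (not scopes and not builtin):
        raise ValueError(f"groupType {flags:#010x} has {len(scopes)} scope bits")
    scope = scopes[0] + " " if scopes else ""
    return f"{builtin}{scope}{kind}"


def group_filter(flags: int, gid_number: Optional[int] = None) -> str:
    """The page's '(objectClass=Group)(groupType=%d)' and
    '(objectClass=Group)(gidNumber=%d)(groupType=%d)' filters, AND-ed and
    with groupType rendered the way the server stores it."""
    parts = ["(objectClass=Group)"]
    if gid_number is not None:
        parts.append(f"(gidNumber={int(gid_number):d})")
    parts.append(f"(groupType={to_ldap_attribute(flags)})")
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    gt = compose_group_type("Global", True)
    print(f"{gt:#010x} -> {decode_group_type(gt)} -> LDAP {to_ldap_attribute(gt)}")
    print(decode_group_type(from_ldap_attribute("-2147483644")))  # Domain Local Security
    print(group_filter(gt, gid_number=1001))
```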

     


TNG AD "new" schema

ObjectClass | Description | Attrs

computer
    dNSHostName, servicePrincipalName, objectSid

user
    accountExpires, cn (unix name?), dBCSPwd, description, displayName, homeDirectory, homeDrive, kickoff_time, lastLogoff, lastLogon, logonHours, memberOf, name, objectSid, pass_must_change_time (?), primaryGroupId, profilePath, pwdLastSet, sAMAccountName, scriptPath, unicodePwd, userAccountControl, userWorkstations
    posixAccount attributes: gECOS, gidNumber, loginShell, mSSFUName, objectClass, posixAccount, uid, uidNumber

group
    objectSid, groupType, member, description, gidNumber, sAMAccountName

organizationalPerson | Standard: slapd.oc.conf objectclass organizationalPerson

person | Standard: slapd.oc.conf objectclass person

posixAccount | Standard: slapd.oc.conf

samDomain

domain | Standard: slapd.oc.conf objectclass domain

securityPrincipal

top | Standard: slapd.oc.conf objectclass top
    requires objectClass