Thursday, November 19, 2009

ldapmodify - adding objectClass, specifically, samba objectClass

The task was to add Samba attributes to existing users in LDAP. The easy way is to do it via 'smbpasswd -a', though this requires various Samba packages to be installed, a Samba config, and the ability of the LDAP server to look up users locally as LDAP users (changes to PAM, in other words). This server was a production master LDAP server, so I wanted to see if I could do it without additional software and other changes like the one to PAM, and the obvious way was via 'ldapmodify'. First attempts failed, as I thought I could just add the objectClass first and then the mandatory attribute, which is 'sambaSID' (as it says in /etc/openldap/schema/samba.schema: MUST ( uid $ sambaSID )).

Contents of the LDIF (m8.ldif):

dn: uid=jon.smith,ou=Oslo,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: sambaSAMAccount


ldapmodify -x -D "uid=my.user,ou=Oslo,ou=People,dc=example,dc=com" -W -f m8.ldif
Enter LDAP Password:
modifying entry "uid=jon.smith,ou=Oslo,ou=People,dc=example,dc=com"
ldapmodify: Object class violation (65)
additional info: object class 'sambaSamAccount' requires attribute 'sambaSID'


So I tried just adding the necessary attribute to the LDIF as an additional change, but it still failed:

modifying entry "uid=jon.smith,ou=Oslo,ou=People,dc=example,dc=com"
ldapmodify: Object class violation (65)
additional info: attribute 'sambaSID' not allowed


There is a special way to add an objectClass, as I found on:

http://www.zytrax.com/books/ldap/ch8/index.html#samples


I had to include all the existing objectClasses in the modify, as well as the new one, plus the necessary attribute:


dn: uid=jon.smith,ou=Oslo,ou=People,dc=example,dc=com
changetype: modify
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: specialObjectClassUser
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1096379175-3498632652-1565186858-17768

To add all of the attributes (not sure whether it is worth including all of these, but anyway):

dn: uid=jon.smith,ou=Oslo,ou=People,dc=example,dc=com
changetype: modify
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: specialObjectClassUser
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1096379175-3498632652-1565186858-17768
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaAcctFlags: [U ]
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaLMPassword: 7E9Q28366B3F5C82AAD3B435B51404EE
sambaNTPassword: 42AZ499C5146E4F9BF017649A4756013
sambaPwdLastSet: 1255018017
sambaPwdMustChange: 1258906017

I have written a script in Perl which can generate LDIFs, complete with randomised password hashes, and lookup of a user's UID to calculate the sambaSID.