IPBrick - Member of AD domain

AD Schema Update
IPBrick
iPortalMais
October 2006
Copyright iPortalMais
All rights reserved. October 2006.
The information in this document is subject to change without notice. The statements, technical data, configurations and recommendations in this document are believed to be accurate and reliable, but they are presented without any express or implied warranty.
Contents
1 Active Directory - LDAP
1.1 Microsoft Services For Unix
1.2 Active Directory - Schema SNAP-IN
1.3 Windows 2003 Server Support Tools
1.4 AutoFS LDAP Schema
1.4.1 Schema Definitions
1.4.2 AD Schema Registration
1.4.3 Organizational Unit
1.4.4 Anonymous Access
2 IPBrick
2.1 AD Data
2.2 IPBrick Configuration
Chapter 1 Active Directory - LDAP
1.1 Microsoft Services For Unix
The MS Services for Unix software can be obtained from the Microsoft website at:
http://www.microsoft.com/windowsserversystem/sfu/
http://www.microsoft.com/windowsserversystem/sfu/downloads/default.asp
You must log in with an MSN Passport account, the same credentials that let you log in to MSN Messenger. The file is about 217.6 MB and is a self-extracting zip file. To install it, follow these steps:
1. Download the file to the server;
2. Uncompress it to c:\tempsfu;
3. Close all MMC consoles and any Active Directory management windows you have open;
4. Execute c:\tempsfu\setup.exe (you can delete this file later);
5. Accept all the default options - do not type anything in any of the fields;
6. For the changes to take effect, you must reboot the server. This can be done at the end.
This software must be installed on every domain controller where you want to create users. It adds tabs to Active Directory that allow editing and managing Unix properties, such as the User Identification (UID) and Group Identification (GID) of objects like groups, users and machines.
After the installation finishes, it's necessary to specify the Unix Attributes for:
• Users;
• Groups;
Figure 1.1: Administrators group properties
That can be done in AD - Users and Computers.
For groups (Figure 1.1) you need to specify these fields:
• NIS Domain: the AD domain (in the example: iporatal2003);
• GID: group identification (group id);
More information:
• GID Domain Users: 513;
• GID Domain Admin: 512;
• UID administrator: 10000.
Only after the Unix Attributes for groups are defined is it possible to define the Unix Attributes for users, because each user has a Primary Group ID.
For users (Figure 1.2) it's necessary to specify the following information:
Figure 1.2: IPBrick as AD member - Users
• NIS Domain: the AD domain (in the example: iporatal2003);
• UID: user identification (user id);
• Home Directory: the user's home directory;
• Primary Group: the user's group.
⇒ Note: To migrate groups to IPBrick together with the users that belong to those groups, it's necessary that:
• The groups have their Unix Attributes defined;
• The users that are members of these groups have their Unix Attributes defined;
• The users are added to the groups in: User Properties, Member Of.
1.2 Active Directory - Schema SNAP-IN
To work with the LDAP schema in AD, you must register the corresponding MMC snap-in. This is done once per server, as follows:
Start -> Run
regsvr32 schmmgmt.dll
To access the snap-in, follow the steps:
1. Start -> Run : mmc
2. File -> Add/Remove Snap-in
3. Add
4. Active Directory Schema
5. Add
6. Close
7. Ok
1.3 Windows 2003 Server Support Tools
A tool named ADSI Edit will be necessary. ADSI Edit is part of the Windows 2003 Server Support Tools. To use it you must install the Windows 2003 Server Support Tools, and then:
1. Start -> Run : mmc
2. File -> Add/Remove Snap-in
3. Add
4. ADSI Edit
5. Add
6. Close
7. Ok
If you want to work locally on the server, you must:
1. Right-click ADSI Edit
2. Select Connect To...
3. Then check:
• Connection Point: Domain and/or Configuration
• Computer: Default or Domain domain.com
Note: Until the end of this chapter, we'll work with Connection Point set to Domain or Configuration.
1.4 AutoFS LDAP Schema
You must register the schema of the automount service in the AD LDAP directory.
1.4.1 Schema Definitions
# OID Base is 1.3.6.1.4.1.2312.4
# Attribute types are under 1.3.6.1.4.1.2312.4.1
# Object classes are under 1.3.6.1.4.1.2312.4.2
# Syntaxes are under 1.3.6.1.4.1.2312.4.3
# Attribute Type Definitions
attributetype ( 1.3.6.1.1.1.1.25 NAME 'automountInformation'
    DESC 'Information used by the autofs automounter'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 1.3.6.1.1.1.1.9 NAME 'automount' SUP top STRUCTURAL
    DESC 'An entry in an automounter map'
    MUST ( cn $ automountInformation $ objectclass )
    MAY ( description ) )
objectclass ( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' SUP top STRUCTURAL
    DESC 'A group of related automount objects'
    MUST ( ou ) )
1.4.2 AD Schema Registration
You can choose one of two procedures to register the automount LDAP schema in AD: one is manual, the other is automatic. Only one of them should be executed, never both. The two procedures are explained below.
Automatic
In this case we'll use the following file, auto.ldf (in LDIF a line that begins with a space continues the previous line, and a blank line separates records):
dn: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
changetype: add
objectClass: top
objectClass: attributeSchema
cn: automountInformation
distinguishedName: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
instanceType: 4
attributeID: 1.3.6.1.1.1.1.25
attributeSyntax: 2.5.5.5
isSingleValued: TRUE
adminDisplayName: automountInformation
adminDescription: Information used by the autofs automounter
oMSyntax: 22
lDAPDisplayName: automountInformation
name: automountInformation
objectGUID:: bX2hccX+lkKIq28wzfX4DA==
schemaIDGUID:: hW1aZ+cuk0av85ejQRYd3A==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
showInAdvancedViewOnly: TRUE

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1

dn: CN=automount,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
changetype: add
objectClass: top
objectClass: classSchema
cn: automount
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
governsID: 1.3.6.1.1.1.1.9
instanceType: 4
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
schemaIDGUID:: beDUWpwClU2UTzStxwtdVw==
subClassOf: top
mustContain: automountInformation
mustContain: cn
mustContain: objectClass
mayContain: description
rDNAttID: cn
adminDisplayName: automount
adminDescription: An entry in an automounter map
objectClassCategory: 1
lDAPDisplayName: automount
name: automount
possSuperiors: container
possSuperiors: organizationalUnit
showInAdvancedViewOnly: TRUE
objectGUID:: 3tsP09E/dEea64uGAcwbsA==
systemOnly: FALSE
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
 (A;;RPLCLORC;;;AU)

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
It is necessary to replace <DOMAIN_BASE_DN> with the domain you're using. For example, if your domain is named domain.com you should have:
DC=domain,DC=com
Procedure:
1. On the Schema Master server you must have permission to update the AD schema. To enable this, use the registry editor (Start -> Run -> regedt32);
2. Find the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Edit the value named Schema Update Allowed;
4. Click Binary and change its value to 1.
At the command prompt, execute the following command to import the LDIF into AD:
ldifde -i -k -c CN=Schema,CN=Configuration,DC=domain,DC=com CN=Schema,CN=Configuration,DC=domain,DC=com -s localhost -f auto.ldf
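As an added example (not IPBrick's or iPortalMais' own tooling), the following Python performs the <DOMAIN_BASE_DN> substitution described above for a DNS domain and cross-checks the resulting LDIF against the OIDs from section 1.4.1 before the file is handed to ldifde; the template inside it is a constructed, shortened copy of auto.ldf.

```python
# Render auto.ldf for a DNS domain and check it against the 1.4.1 schema.
# Added example, not IPBrick's code; the template is a constructed, shortened
# copy of the page's auto.ldf (same DNs, OIDs and placeholder).
import re

AUTO_LDF_TEMPLATE = """\
dn: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
changetype: add
cn: automountInformation
attributeID: 1.3.6.1.1.1.1.25

dn: CN=automount,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
changetype: add
cn: automount
governsID: 1.3.6.1.1.1.1.9
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)
 (A;;RPLCLORC;;;AU)
"""

# OIDs from the attributetype/objectclass definitions in 1.4.1.
SCHEMA_OIDS = {"automountInformation": "1.3.6.1.1.1.1.25",
               "automount": "1.3.6.1.1.1.1.9"}

def domain_to_base_dn(domain):
    """'domain.com' -> 'DC=domain,DC=com', the substitution the text describes."""
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("DC=" + l for l in labels)

def render_ldf(domain, template=AUTO_LDF_TEMPLATE):
    return template.replace("<DOMAIN_BASE_DN>", domain_to_base_dn(domain))

def parse_ldif(text):
    """Records as lists of (attr, value); a leading space folds a line."""
    unfolded = re.sub(r"\r?\n ", "", text)
    return [[tuple(p.strip() for p in ln.partition(":")[::2])
             for ln in block.splitlines()]
            for block in re.split(r"\n\s*\n", unfolded.strip())]

def check_ldf(text):
    """List problems: a leftover placeholder, or an add record whose
    attributeID/governsID disagrees with the 1.4.1 definitions."""
    problems = []
    if "<DOMAIN_BASE_DN>" in text:
        problems.append("placeholder <DOMAIN_BASE_DN> not substituted")
    for attrs in (dict(rec) for rec in parse_ldif(text)):
        if attrs.get("changetype") != "add":
            continue
        oid = attrs.get("attributeID") or attrs.get("governsID")
        if SCHEMA_OIDS.get(attrs.get("cn")) != oid:
            problems.append("OID mismatch for %s: %s" % (attrs.get("cn"), oid))
    return problems
```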
Manual
In this case you must open the Active Directory Schema console and follow these steps:
1. Right-click Attributes and choose Create Attribute;
2. Read the notice and proceed;
3. Now you must complete the form (Create New Attribute) with the following
values:
• Common Name: automountInformation
• LDAP Display Name: automountInformation
• Unique X500 Object ID: 1.3.6.1.1.1.1.25
• Description: Information used by the autofs automounter
• Syntax: IA5-String
• OK
4. Right-click Classes and choose Create Class;
5. Read the notice and proceed;
6. Complete the form (Create New Schema Class) with the following values:
• Common Name: automount
• LDAP Display Name: automount
• Unique X500 Object ID: 1.3.6.1.1.1.1.9
• Description: An entry in an automounter map
• Parent Class: top
• Class Type: Structural
• Next
• Mandatory: cn, automountInformation, objectClass
• Optional: description
• Finish
7. Right-click Classes and choose Create Class;
8. Read the notice and proceed;
9. Complete the form (Create New Schema Class) with the following values:
• Common Name: automountMap
• LDAP Display Name: automountMap
• Unique X500 Object ID: 1.3.6.1.4.1.2312.4.2.2
• Description: A group of related automount objects
• Parent Class: top
• Class Type: Structural
• Next
• Mandatory: ou
• Optional:
• Finish
As the last task, you must:
1. Select Classes and find the class named automount;
2. Right-click the automount class and select Properties;
3. Tab Relationship;
4. At Possible Superior add: organizationalUnit and top
5. OK
1.4.3 Organizational Unit
The home location of each user is stored in an Organizational Unit (OU).
First open ADSI Edit and connect to the Domain. Then:
1. Right-click the domain DC=domain,DC=com and choose New Object.
2. Class: organizationalUnit
3. Next
4. Value: auto.home
5. Next
6. Finish
1.4.4 Anonymous Access
It's mandatory to allow anonymous access to the LDAP information. This is done through ADSI Edit, Configuration.
1. Right-click the following entry and select Properties;
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,D
2. Edit the value named dsHeuristics and change the seventh character to 2, as in the following examples:
Original value -> Value after editing
<Not Set> -> 0000002
001 -> 0010002
3. OK
4. OK
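The dsHeuristics edit above, worked as an added Python example (not from the original document): it pads the value and sets the seventh character, and reports whether a given value already allows anonymous LDAP operations, which is what to look for when auditing a domain controller. The rule that every tenth character holds its own tens digit is assumed from the attribute's documented format.

```python
# dsHeuristics edit from section 1.4.4, as an added example (not IPBrick's
# code). Assumed rule from the attribute's documented format: positions are
# 1-based and every tenth character (10th, 20th, ...) must hold its tens digit.
NOT_SET = "<Not Set>"   # how ADSI Edit shows an absent value (page's table)

def set_heuristic(value, position, digit):
    """Return dsHeuristics with the 1-based position set to digit, padding
    shorter values with zeros (and the tens digit at every 10th place)."""
    chars = list("" if value == NOT_SET else value)
    while len(chars) < position:
        n = len(chars) + 1                      # 1-based index being added
        chars.append(str(n // 10) if n % 10 == 0 else "0")
    chars[position - 1] = digit
    return "".join(chars)

def enable_anonymous_ldap(value):
    """The edit the page describes: the seventh character becomes 2."""
    return set_heuristic(value, 7, "2")

def anonymous_ldap_enabled(value):
    """True when the seventh character is 2, i.e. anonymous LDAP operations
    beyond the rootDSE are allowed on this forest (an audit finding)."""
    return value != NOT_SET and len(value) >= 7 and value[6] == "2"
```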
Then you must configure the ACLs on OU=auto.home:
1. ADSI Edit - Domain;
2. Select OU=auto.home and right-click;
3. Select Properties and choose Security;
4. Add an entry with the following information:
• Add : ANONYMOUS LOGON : Add : Read
• Advanced
• Select the line ANONYMOUS LOGON and Edit...
• Change Apply onto: This object and all child objects
• OK
• OK
Attention: Anonymous logon permissions should be granted only on OU=auto.home and its child objects.
Chapter 2 IPBrick
2.1 AD Data
An easy way to find the necessary Base DNs is to use the ADSI Edit tool referred to in 1.3.
After connecting to the server (as in 1.3), a window like Figure 2.1 appears and the domain in use is visible (dc=iporatal2003,dc=local).
Figure 2.1: ADSI Edit - Domain
In Figure 2.2 the users' BASE DN is visible. In this case the username is administrador. The BASE DN for that user is cn=administrador,cn=users,dc=iporatal2003,dc=local and the users' BASE DN is cn=users,dc=iporatal2003,dc=local.
For groups (Figure 2.3), the BASE DN is cn=builtin,dc=iporatal2003,dc=local.
Figure 2.2: ADSI Edit - Users
Figure 2.3: ADSI Edit - Groups
2.2 IPBrick Configuration
In IPBrick the configuration must agree with the AD.
In the Figure 2.4 example, the join is made to an AD with the following definitions:
• AD Server IP Address: 192.168.69.28;
• NetBIOS Domain: iporatal2003;
• Realm: iporatal2003.local;
• Domain Administrator: administrador;
• Password: (of the user above);
• Base DN: dc=iporatal2003,dc=local;
• Administrator DN: cn=administrador,cn=users,dc=iporatal2003,dc=local;
• Users search Base DN: cn=users,dc=iporatal2003,dc=local;
• Groups search Base DN: ou=builtin,dc=iporatal2003,dc=local
! Attention: This data must match the AD configuration. The data shown here is just an example. Contact the AD administrator to obtain the correct BASE DNs, or find them yourself with the information in 2.1.
Figure 2.4: IPBrick as AD member
To access this configuration in the IPBrick interface, go to Advanced Settings, IPBrick Authentication section.