AD Schema Update IPBrick iportalmais

Transcription

1 AD Schema Update IPBrick iportalmais October 2006

2 2 Copyright c iportalmais All rights reserved. October The information in this document can be changed without further notice. The declarations, technical data, configurations and recommendations of this document are supposedly precise and reliable, but they are presented with no expressed or implicit warranty. AD Schema Update iportalmais

3 Contents 1 Active Directory - LDAP Microsoft Services For Unix Active Directory - Schema SNAP-IN Windows 2003 Server Support Tools AutoFS LDAP Schema Schema Definitions AD Schema Registration Organizational Unit Anonymous Access IPBrick AD Data IPBrick Configuration iportalmais AD Schema Update

4 4 CONTENTS AD Schema Update iportalmais

5 Chapter 1 Active Directory - LDAP 1.1 Microsoft Services For Unix The MS Services for Unix software can be obtained from Microsft Website at: You must login with a msn passport, the same account information that enables you to login to msn messenger. The file size is about MB and it is an autoexecutable zip file. To install, you must follow these steps: 1. Download the file to the server; 2. Uncompress it to c:\tempsfu; 3. Now you must close all MMC consoles as well as any Active Directory managment windows you might have open; 4. Execute c:\tempsfu\setup.exe (you can delete this file later) 5. Select all the default options - Do not write anything in any of the fields; 6. For the modifications to take place, you must reboot the server. This can be done at the end. In the domain controllers where you want to create users, you must install this software. It adds tabs to the Active Directory that allow the edition and management of unix properties, like User Identification (UID) and Group Identification (GID) of objects like groups, users and machines. After finishing installing the software, it s necessary to specify the Unix Attributes for: Users; Groups; iportalmais AD Schema Update

6 6 Active Directory - LDAP Figure 1.1: Administrators group properties That can be done in AD - Users and Computers. For groups (Figure 1.1) you need to specify this fields: Nis Domain: it s the AD domain (in example: iporatal2003); GID: user identification (group id); More information: GID Domain Users : 513; GID Domain Admin : 512. UID administrator: Only after the definition of Unix Attributes for groups, it s possible to define the Unix Attributes for users, because each user have a Primary Group ID. For users (Figure 1.2) its necessary to specify the following information: AD Schema Update iportalmais

7 1.1 Microsoft Services For Unix 7 Figure 1.2: IPBrick as AD member - Users Nis Domain: it s the AD domain (in example: iporatal2003); UID: user identification (user id); Home Directory: the user directory; Primary Group: the user group; Note: To migrate groups to IPBrick including the users that belong to those groups, it s necessary that: The groups have the Unix Attributes defined; The users members of this groups have the Unix Attributes defined; iportalmais AD Schema Update

8 8 Active Directory - LDAP The users should be added to groups in: User Properties, Member of. 1.2 Active Directory - Schema SNAP-IN To enable working in LDAP schema in AD, you must activate the correct MMC Snap-In. This must be done one time per server as follows: start -> run regsvr32 schmmgmt.dll To access the snap-in, follow the steps: 1. Start -> Run : mmc 2. File -> Add/Remove Snap-in 3. Add 4. Active Directory Schema 5. Add 6. Close 7. Ok 1.3 Windows 2003 Server Support Tools A tool named ADSI Edit will be necessary. ADSI Edit is part of Windows 2003 Server Support Tools. To use this tool you must install Windows 2003 Server Support Tools, and then: 1. press START -> Run : mmc 2. File -> Add/Remove Snap-in 3. Add 4. ADSI Edit 5. Add 6. Close 7. Ok If you want to work locally at the server, you must: 1. Right click at ADSI Edit AD Schema Update iportalmais

9 1.4 AutoFS LDAP Schema 9 2. Select Connect To Then you should check: Connection Point: Domain and/or Configuration Computer: Default or Domain domain.com NOTA: Until the end of this chapter, we ll work with Connection Point checked for Domain or Configuration. 1.4 AutoFS LDAP Schema You must register the schema of Automount service at LDAP Schema Definitions # OID Base is # # Attribute types are under # Object classes are under # Syntaxes are under # Attribute Type Definitions attributetype ( NAME automountinformation DESC Information used by the autofs automounter EQUALITY caseexactia5match SYNTAX SINGLE-VALUE ) objectclass ( NAME automount SUP top STRUCTURAL DESC An entry in an automounter map MUST ( cn $ automountinformation $ objectclass ) MAY ( description ) ) objectclass ( NAME automountmap SUP top STRUCTURAL DESC An group of related automount objects MUST ( ou ) ) AD Schema Registration You can choose one of two procedures to register LDAP schema of automount class of LDAP on AD. One of them is manual and the other is automatic. Only one of this should be executed, never both. These two procedures are now explained. iportalmais AD Schema Update

10 10 Active Directory - LDAP Automatic In this case we ll use the following file auto.ldf: dn: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN> changetype: add objectclass: top objectclass: attributeschema cn: automountinformation distinguishedname: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN> instancetype: 4 attributeid: attributesyntax: issinglevalued: TRUE admindisplayname: automountinformation admindescription: Information used by the autofs automounter omsyntax: 22 ldapdisplayname: automountinformation name: automountinformation objectguid:: bx2hccx+lkkiq28wzfx4da== schemaidguid:: hw1az+cuk0av85ejqryd3a== objectcategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN> showinadvancedviewonly: TRUE dn: changetype: modify replace: schemaupdatenow schemaupdatenow: 1 - dn: CN=automount,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN> changetype: add objectclass: top objectclass: classschema cn: automount defaultobjectcategory: CN=automount,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN> governsid: instancetype: 4 objectcategory: CN=Class-Schema,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN> schemaidguid:: beduwpwclu2utzstxwtdvw== subclassof: top mustcontain: automountinformation mustcontain: cn AD Schema Update iportalmais

11 1.4 AutoFS LDAP Schema 11 mustcontain: objectclass maycontain: description rdnattid: cn admindisplayname: automount admindescription: An entry in an automounter map objectclasscategory: 1 ldapdisplayname: automount name: automount posssuperiors: container posssuperiors: organizationalunit showinadvancedviewonly: TRUE objectguid:: 3tsP09E/dEea64uGAcwbsA== systemonly: FALSE defaultsecuritydescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) (A;;RPLCLORC;;;AU) dn: changetype: modify replace: schemaupdatenow schemaupdatenow: 1 - It is necessary to change <DOMAIN_BASE_DN> to the domain you re using. As an example, if you are using a domain named domain.com you should have: DC=domain,DC=com Procedure: 1. At Schema Master Server you must have the permission to update AD schema. To do this you must use the registry editor (Start -> Run -> regedt32 ); 2. Find the following key HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services NTDS Parameters - Schema Update Allowed 3. Edit the variable named (Schema Update Allowed); 4. Click at Binary and change its value to 1. At command prompt you must execute the following command to add LDIF to AD: iportalmais AD Schema Update

12 12 Active Directory - LDAP ldifde -i -k -c CN=Schema,CN=Configuration,DC=domain,DC=com \ CN=Schema,CN=Configuration,DC=domain,DC=com -s localhost \ -f auto.ldf Manual In this case you must enter the Active Directory Schema console and follow these steps: 1. Right click at Attributes and choose Create Attribute; 2. Read the notice and procede; 3. Now you must complete the form (Create New Attribute) with the following values: Common Name: automountinformation LDAP Display Name: automountinformation Unique X500 Object ID: Description: Information used by the autofs automounter Syntax: IA5-String OK 4. Right click at Classes and choose Create Class; 5. Read notice and procede; 6. Complete the form (Create New Schema Class) with the following values: Common Name: automount LDAP Display Name: automount Unique X500 Object ID: Description: An entry in an automounter map Parent Class: top Class Type: Structural Next Mandatory: cn, automountinformation, objectclass Optional: description Finish 7. Right click at Classes and choose Create Class; 8. Read notice and procede; 9. Complete the form (Create New Schema Class) with the following values: AD Schema Update iportalmais

13 1.4 AutoFS LDAP Schema 13 Common Name: automountmap LDAP Display Name: automountmap Unique X500 Object ID: Description: An group of related automount objects Parent Class: top Class Type: Structural Next Mandatory: ou Optional: Finish As the last task, you must: 1. Select Classes and find class named automount; 2. Right click at automount Class and select properties; 3. Tab Relationship; 4. At Possible Superior add: organizationalunit and top 5. OK Organizational Unit The home location of each user is stored in an Organizational Unit (OU). First you must enter ADSI Edit and logon to Domain. Then you should: 1. Rigth click over domain DC=domain,dc=com and choose New Object. 2. Class: organizationalunit 3. Next 4. Value: auto.home 5. Next 6. Finish iportalmais AD Schema Update

14 14 Active Directory - LDAP Anonymous Access Its mandatory to allow anonymous access to LDAP information. This can be done trought ADSI Edit, Configuration. 1. Rigth click over the following entrance and select Properties; CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,D 2. Edit the variable named dsheuristics and change the seventh digit to the value 2, as in the following example: 3. OK 4. OK Original Value - Value after edition <Not Set> Then you must configure ACLs at OU=auto.home: 1. ADSI Edit - Domain; 2. Select OU=auto.home and right click; 3. Select Properties and choose Security; 4. Add an entrie with the following information: Add : ANONYMOUS LOGON : Add : Read Advanced Select line ANONYMOUS LOGON and Edit... Alter Apply onto: This object and all child objects OK OK Atention: Anonymous logon permissions should be defined only for OU=auto.home and his sons. AD Schema Update iportalmais

15 Chapter 2 IPBrick 2.1 AD Data An easy way to find the necessary Base DNs is using the ADSI Edit tool refered in 1.3. After connecting to server (refered in 1.3), a window like Figure 2.1 appears and the domain in use is visible (dc=iporatal2003,dc=local). Figure 2.1: ASDI Edit - Domain In Figure 2.2 the users BASE DN is visible. In this case is the username administrador. The BASE DN for that user is: cn=administrador,cn=users,dc=iporatal2003,dc=local and the users BASE DN is cn=users,dc=iporatal2003,dc=local. In groups (Figure 2.2), the BASE DN is cn=builtin,dc=iporatal2003,dc=local. iportalmais AD Schema Update

16 16 IPBrick Figure 2.2: ASDI Edit - Users Figure 2.3: ASDI Edit - Groups 2.2 IPBrick Configuration In IPBrick the configuration should be in agreement to the AD. In the Figure 2.4 example, the junction will be done to a AD with the following AD Schema Update iportalmais

17 2.2 IPBrick Configuration 17 definitions: AD Server IP Adress: Netbios Domain: iporatal2003 Realm: iporatal2003.local Domain Administrator: administrador; Password: (do utilizador anterior); Base DN: dc=iporatal2003,dc=local; Administrator DN: cn=administrador,cn=users,dc=iporatal2003,dc=local; Users search Base DN: cn=users,dc=iporatal2003,dc=local; Groups search Base DN: ou=builtin,dc=iporatal2003,dc=local! Attention: This data must be as the AD configuration. The data present here is just an example. Contact the AD administrator to know the correctly BASE DN s, or you can obtain that in thought information in 2.1. Figure 2.4: IPBrick like AD member To access this configuration, in IPBrick interface, go to Advanced Settings IPBrick Authentication section. iportalmais AD Schema Update