The Reveal Platform requires the following attributes to be present before users can be imported:

  • sAMAccountName
  • objectSID
  • UserPrincipalName

OpenLDAP does not contain the necessary schemas by default. This article describes the steps needed to add them.

The Microsoft AD-specific schemas can be obtained from:

https://github.com/dkoudela/active-directory-to-openldap

There are a number of schemas in that repository, but three are of interest here:

  • microsoftobjectclass.schema
  • microsoftattributetypestd.schema
  • microsoftattributetype.schema

Copy all three schemas to your schema directory (e.g. /etc/ldap/schema). Two of the files then need edits to remove attribute definitions that duplicate ones already provided by the standard OpenLDAP schemas (slapd rejects a duplicate attribute definition):

In microsoftattributetype.schema, comment out the following three definitions:

attributetype ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
DESC 'RFC1274: home postal address'
EQUALITY caseIgnoreListMatch
SUBSTR caseIgnoreListSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

attributetype ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
DESC 'RFC1274: personal title'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )

In microsoftobjectclass.schema, extend the attribute list of the user object class: after mS-DS-CreatorSID, which currently ends the list, append $ mail $ givenName so that the list ends with:

mS-DS-CreatorSID $ mail $ givenName

In microsoftattributetypestd.schema, comment out the following four definitions:

attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager'
DESC 'RFC1274: DN of manager'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

attributetype ( 0.9.2342.19200300.100.1.20
NAME ( 'homePhone' 'homeTelephoneNumber' )
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )

attributetype ( 0.9.2342.19200300.100.1.41
NAME ( 'mobile' 'mobileTelephoneNumber' )
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )

attributetype ( 0.9.2342.19200300.100.1.42
NAME ( 'pager' 'pagerTelephoneNumber' )
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )
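The edits above are easy to get wrong by hand, because several definitions span four lines and one (homePhone) contains a nested NAME ( ... ) list. The script below is an added example, not part of the original article or of the dkoudela repository: it comments out attributetype definitions by OID, tracking parenthesis depth so a definition is commented from its first line to the line where its parentheses actually close. It assumes POSIX sh and awk and the /etc/ldap/schema path used above; the mS-DS-CreatorSID edit in microsoftobjectclass.schema is left to the editor, and the sample schema at the bottom is constructed from the page's own manager and homePhone entries for offline testing.

```shell
#!/bin/sh
# Added example (not from the original article): comment out duplicate
# attributetype definitions in the copied schema files by OID, so the edits
# are reproducible instead of hand-made. Assumes POSIX sh and awk.

# Comment out every definition whose OID is listed, from its
# "attributetype (" line to the line where the parentheses close.
# Parentheses are counted so that an alias list such as
# NAME ( 'homePhone' 'homeTelephoneNumber' ) does not end the block early.
# Caveat: a DESC string containing an unbalanced parenthesis would confuse it.
#   $1 = schema file, remaining args = OIDs to disable; output on stdout
comment_out_attributetypes() {
    file="$1"; shift
    awk -v oids="$*" '
        BEGIN { n = split(oids, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        /^attributetype[ \t]*\(/ {
            oid = $0
            sub(/^attributetype[ \t]*\([ \t]*/, "", oid)   # drop the keyword
            sub(/[ \t].*$/, "", oid)                       # keep only the OID
            if (oid in want) { skipping = 1; depth = 0 }
        }
        skipping {
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")     # net open parens
            print "# " $0
            if (depth <= 0) skipping = 0
            next
        }
        { print }
    ' "$file"
}

# The article's two file edits, written to .new files next to the originals
# so the result can be diffed before it replaces them.
#   $1 = schema directory (defaults to the article's /etc/ldap/schema)
apply_article_edits() {
    dir="${1:-/etc/ldap/schema}"
    # homePostalAddress, personalTitle, otherMailbox
    comment_out_attributetypes "$dir/microsoftattributetype.schema" \
        0.9.2342.19200300.100.1.39 0.9.2342.19200300.100.1.40 0.9.2342.19200300.100.1.22 \
        > "$dir/microsoftattributetype.schema.new"
    # manager, homePhone, mobile, pager
    comment_out_attributetypes "$dir/microsoftattributetypestd.schema" \
        0.9.2342.19200300.100.1.10 0.9.2342.19200300.100.1.20 \
        0.9.2342.19200300.100.1.41 0.9.2342.19200300.100.1.42 \
        > "$dir/microsoftattributetypestd.schema.new"
}

# Constructed sample (not a real schema file): the manager and homePhone
# entries from the article, used to exercise the function offline.
#   $1 = path to write
write_sample_schema() {
    cat > "$1" <<'EOF'
attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager'
DESC 'RFC1274: DN of manager'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

attributetype ( 0.9.2342.19200300.100.1.20
NAME ( 'homePhone' 'homeTelephoneNumber' )
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )
EOF
}
```

Run apply_article_edits, compare each .schema.new against its original, and move the new files into place before continuing with the steps below. Passing only the OIDs you want disabled keeps the rest of the file byte-for-byte intact, which is what you want when a later version of the upstream schema changes unrelated lines.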

Once the schemas are edited and saved, create a new file /tmp/ava.conf (e.g. vim /tmp/ava.conf) containing the following include lines in exactly this order (the order matters because each schema may reference attributes defined in the ones before it):

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/microsoftattributetype.schema
include /etc/ldap/schema/microsoftattributetypestd.schema
include /etc/ldap/schema/microsoftobjectclass.schema

Create the output directory (mkdir -p /tmp/ava.d) and run:

prompt$> slaptest -f /tmp/ava.conf -F /tmp/ava.d

The command should print "config file testing succeeded" and write one LDIF file per schema under /tmp/ava.d/cn=config/cn=schema/.

You then need to make minor edits to each of the three generated Microsoft schema files:

vim /tmp/ava.d/cn\=config/cn\=schema/cn\=\{6\}microsoftattributetype.ldif

The top three uncommented lines should read:

dn: cn=microsoftattributetype,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: microsoftattributetype

vim /tmp/ava.d/cn\=config/cn\=schema/cn\=\{7\}microsoftattributetypestd.ldif

The top three uncommented lines should read:

dn: cn=microsoftattributetypestd,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: microsoftattributetypestd

vim /tmp/ava.d/cn\=config/cn\=schema/cn\=\{8\}microsoftobjectclass.ldif

The top three uncommented lines should read:

dn: cn=microsoftobjectclass,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: microsoftobjectclass

Also delete the following lines from the bottom of each file. They are operational attributes that slaptest recorded, and ldapadd rejects an entry that tries to set them:

structuralObjectClass:
entryUUID:
creatorsName:
createTimestamp:
entryCSN:
modifiersName:
modifyTimestamp:

Last step: load the three schemas into the running slapd configuration, in this order:

prompt$> sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ava.d/cn\=config/cn\=schema/cn\=\{6\}microsoftattributetype.ldif

prompt$> sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ava.d/cn\=config/cn\=schema/cn\=\{7\}microsoftattributetypestd.ldif

prompt$> sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ava.d/cn\=config/cn\=schema/cn\=\{8\}microsoftobjectclass.ldif
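The steps from creating /tmp/ava.conf through the ldapadd commands, collected into a script: an added example, not part of the original article. fix_schema_ldif performs the dn:/cn: rewrite and drops the operational attributes listed above, check_schema_ldif verifies the result before ldapadd sees it, and convert_schemas drives the whole sequence with the article's paths (/tmp/ava.conf, /tmp/ava.d, /etc/ldap/schema) and the {6},{7},{8} prefixes that follow from the include order. It assumes POSIX sh, sed and grep; only convert_schemas needs slaptest and ldapadd installed. The generated LDIF at the bottom is a constructed stand-in (placeholder UUID and timestamps) so the clean-up can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original article): the slaptest conversion and
# LDIF clean-up as a script. Assumes the article's paths and POSIX sh/sed/grep.

# Rewrite the dn: and cn: lines of one slaptest-generated schema LDIF to the
# form the article requires and drop the operational attributes slaptest
# records (ldapadd rejects them; only the server may set them).
#   $1 = schema name, $2 = generated LDIF, $3 = cleaned LDIF to write
fix_schema_ldif() {
    name="$1"; src="$2"; dst="$3"
    sed -e "s/^dn: cn={[0-9]*}${name}\$/dn: cn=${name},cn=schema,cn=config/" \
        -e "s/^cn: {[0-9]*}${name}\$/cn: ${name}/" \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$src" > "$dst"
}

# First three non-comment lines; the article requires dn/objectClass/cn.
ldif_header() {
    grep -v '^#' "$1" | head -n 3
}

# Returns 0 when the cleaned LDIF has the expected header and no operational
# attributes remain, 1 otherwise. Run it before ldapadd.
check_schema_ldif() {
    name="$1"; file="$2"
    expected="dn: cn=${name},cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ${name}"
    [ "$(ldif_header "$file")" = "$expected" ] || return 1
    ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$file"
}

# The article's sequence: write ava.conf in the required include order, run
# slaptest, clean the three generated files, verify them, load them with ldapadd.
# The {6},{7},{8} prefixes follow from the include order in ava.conf.
convert_schemas() {
    conf=/tmp/ava.conf; dir=/tmp/ava.d
    cat > "$conf" <<'EOF'
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/microsoftattributetype.schema
include /etc/ldap/schema/microsoftattributetypestd.schema
include /etc/ldap/schema/microsoftobjectclass.schema
EOF
    mkdir -p "$dir"
    slaptest -f "$conf" -F "$dir" || return 1
    i=6
    for name in microsoftattributetype microsoftattributetypestd microsoftobjectclass; do
        src="$dir/cn=config/cn=schema/cn={$i}$name.ldif"
        fix_schema_ldif "$name" "$src" "$dir/$name.ldif"
        check_schema_ldif "$name" "$dir/$name.ldif" || return 1
        sudo ldapadd -Y EXTERNAL -H ldapi:/// -f "$dir/$name.ldif" || return 1
        i=$((i + 1))
    done
}

# Constructed stand-in for a slaptest-generated file (placeholder UUID and
# timestamps), used to exercise the clean-up offline.
#   $1 = path to write
write_sample_generated_ldif() {
    cat > "$1" <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={6}microsoftattributetype
objectClass: olcSchemaConfig
cn: {6}microsoftattributetype
olcAttributeTypes: {0}( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20200101000000Z
entryCSN: 20200101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200101000000Z
EOF
}
```

Run convert_schemas as a user who can sudo; it stops at the first failing step (slaptest error, a file that fails check_schema_ldif, or an ldapadd rejection) rather than loading a partial set of schemas. The check is deliberately separate from the rewrite so you can also run it against files you edited by hand with vim as described above.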

Note: these commands connect over ldapi:///, so make sure the ldapi:/// entry is not commented out in /etc/ldap/ldap.conf.