How to add an attribute to an LDAP schema - active-directory

I am trying to add a new attribute named sAMAccountName to an already existing LDAP schema definition which is read by IM-LDAP using UnboundID LDAP SDK.
I have added an attributeTypes entry and sAMAccountName to matchingRuleUse.
attributeTypes: ( 2.5.18.11 NAME 'sAMAccountName' DESC 'MS Sec Principal User' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ ... $ sAMAccountName ) )
For every previously existing attribute a call to com.unboundid.ldap.sdk.schema.Schema.getAttributeType("attrName") returns the attribute type. But not for my new attribute.
What am I missing?
Edited 10/11/18 after #jwilleke comment:
What I am trying to achieve is a mock using IM-LDAP for a very limited functionality of an Active Directory server.
In the actual AD production environment, there are entries representing users with objectClass: person, organizationalPerson,simulatedMicrosoftSecurityPrincipal.
In AD these entries contain sAMAccountName and memberof attributes.
But they are not there in the schema that comes with IM-LDAP.
The authentication Java code first performs a search on
(&(objectClass=user)(sAMAccountName=userAccountName)
Then if an entry in found, it checks whether a given security group name is present in the multivalued attribute memberof.
An entry exported from the production AD server looks like this :
dn: cn=Smith\,John,ou=User Accounts,dc=ACME,dc=CORE,dc=INT
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: simulatedMicrosoftSecurityPrincipal
cn: Smith,John
sn: JohnS
sAMAccountName: JohnS
userPassword: johnspasswd
memberof: ou=Service Accounts,dc=ACME,dc=CORE,dc=INT
The two new attributes are added to objectClass simulatedMicrosoftSecurityPrincipal in the schema by adding:
objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )
But when I try to import these entries into the LDAP mock I get an error telling me that sAMAccountName and memberof are not defined.
EDIT 2:
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Wokrked for adding sAMAccountName, but still trying to figure out how to add memeberOf
Here is the complete .ldif file.

This is what finally worked for me
objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

Related

LDAP query to get account name from SID

So I have a SID of a FSP: S-1-5-21-2127521184-1604012920-1887927527-72713.
Translation worked in powershell but I would like to do the ldap query by myself, like here but have a little trouble with proper SID conversion.
Could you help me with query that give me a corresponding account name based on SID ?
You can bind directly to an object using the SID using LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>. Then get the username after that.
In PowerShell, it would look something like:
$account = [adsi]"LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
$username = $account.Properties["sAMAccountName"]
If the computer you run this from is on a different domain than the account, you may have to specify the domain:
$account = [adsi]"LDAP://domain.com/<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
If you have Java available you can query the ObjectSID directly.
We show an Example with code
I am able to use an ldapsearch like:
ldapsearch -h example.net -D "EXAMPLE\myID" -b "OU=Accounts,DC=EXAMPLE,DC=NET" -s sub -a search -z 1000 "(ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)" "objectClass"
And get results.
# extended LDIF
# LDAPv3
# base <OU=Accounts,DC=EXAMPLE,DC=NET> with scope subtree
# filter: (ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)
# requesting: objectClass samAccountName
#
# userid, sales, Accounts, EXAMPLE.NET
dn: CN=userid,OU=sales,OU=Accounts,DC=EXAMPLE,DC=NET
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: userid
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This search is done from a Linux machine and done by a user that is not represented by the ObjectSID.

Cannot get list of groups users in AD - memberOf function not working

This query works fine:
(&(objectCategory=user)(objectClass=user)(memberOf=*) )
but any ever, with selection of group - with no result
(&(objectCategory=user)(objectClass=user)(memberOf=myGroup) )
(&(objectCategory=user)(objectClass=user)(memberOf=CN=myGroup) )
(&(objectCategory=user)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=myGroup) )
It's because memberof attribute stores dn values, so you have to provide a dn in the filter.
And by dn I mean a full dn all the way to the root of the ldap directory tree.
If your group : CN=myGroup is in the branch ou=groups and the baseDn of your directory is dc=local,dc=com, you have to specify a filter like :
memberof=CN=myGroup,ou=groups,dc=local,dc=com

Different Permissions in Apache Shiro for every User?

I built a database with the entity user and permission
user (id, email, password, permission)
permission (id, create_user, delete_user, user_fk)
create_user and delete_user is BOOLEAN.
Relationship: One-One
Now every user can have it's own permissions.
My question is: How can I use shiro to read the permissions from the database?
If you really only wish to assign permissions on user level, you can "fake" the roles table to make Shiro happy.
As Wouter mentioned, use the JdbcRealm and specify the 3 queries for your table setup.
You should modify your permission table to have this structure:
permission (id, permissionname, user_fk)
Then you insert rows for the create_user/delete_user rights as needed.
This way it's very simple to add another permission (reset_password for example) to your setup, without the need to modify the db schema.
In the shiro.ini (or how you call the your shiro config file):
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
For the queries use then this:
jdbcRealm.authenticationQuery = select password from user where email=?
jdbcRealm.userRolesQuery = select id from user where email=?
jdbcRealm.authenticationQuery = select permissionname from permission where user_fk=?
The small trick in your setup is: you don't have roles at all, so we just return the id of the user as the role name.
When the lookup in the permission table is done, it then uses the role name (=user pk) and returns the associated permissions.
You should configure a JdbcReam in your .ini file:
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
If you change your schema to adhere to the shiro queries, no extra config is needed. You need tables users, user_roles and roles_permissions.
See the source code how the exact column names should be:
https://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java
Alternatively you can configure your own queries to match your schema in the .ini file like so:
jdbcRealm.authenticationQuery=<your password select statement>
jdbcRealm.userRolesQuery=<your role names for username select statement>
jdbcRealm.authenticationQuery=<your permissions for role name select statement>

LDIF for creating Active Directory users and groups in OpenLDAP?

I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.
The documentation says that I need to log on the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the userids to the proper groups (these groups should have scope "Global" and group type "Security").
I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class nor the attributes I should use, and I don't have access to a domain controller. The most problematic items seems to be group type and scope, because they seem to be binary values, not strings.
Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.
It's almost impossible to convert the entire ActiveDirectory schema to OpenLDAP, it's huge. However, we can add only the needed attributes and classes:
attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE
)
attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
)
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
DESC 'a user'
SUP organizationalPerson STRUCTURAL
MUST ( cn )
MAY ( userPassword $ memberOf ) )
objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
DESC 'a group of users'
SUP top STRUCTURAL
MUST ( groupType $ cn )
MAY ( member ) )
Then it's easy to create an LDIF file for inserting the users and groups:
dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch
dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database
dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany
dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9
dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany
dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadOnly,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9
Ok, here is the begining of an answer :
Once you installed your OPENLdap
A - Edit your slapd.conf to :
1) Modify the schemas included
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetperson.schema
2) Modifiy schema files as explained in this FAQ
3) Modify your naming context (personaly I'am using HDB as backend)
database hdb
suffix "dc=dom,dc=com"
rootdn "cn=Manager,dc=dom,dc=com"
rootpw secret
directory /usr/local/var/openldap-hdb
4) Then restart your directory
B - Insert your root
Here is the LDIF file (root.ldif)
dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom
Here is the command line
ldapadd –x –D "cn=Manager,dc=dom,dc=com" -W –f root.ldif
C - Insert a user
Here is the LDIF file (user.ldif)
dn: cn=user1,dc=dom,dc=com
objectClass: inetOrgPerson
sn: users
cn: user1
telephoneNumber: 9999
Here is the command line
ldapadd –x –D "cn=Manager,dc=dom,dc=com" -W –f user.ldif
D - An advice
Apache directory studio, is for me, a VERY good LDAP Browser, it's Open Source, it works on the top of java on Linux and Windows. Using it you can graphicaly browse AD and OpenLdap and do parts B and C just clicking.
Active-Directory Schema (Classes and attributes) are documented in the MSDN. For example here are the information about groupType. Is it what you expect?

Finding a user's manager record in Active Directory

Using Active Directory, am trying to find the SamAccountName and email of the user’s manager.
I find the logged on user in the AD by search where sAMAccountName = Domain\Account. I then retrieve the manager property, which looks like this, for example:
CN=Doe\, Jane E.,OU=Employees,OU=Users,OU=Detroit,OU=United States,DC=na,DC=gmc,DC=gmc,DC=com"
How can I use this presumed key to find the user record for this person? What field would I match on?
If I remember correctly, that is their Distinguished Name, which means you can use it as the direct reference to their profile
LDAP://CN=Doe, Jane E.,OU=Employees,OU=Users,OU=Detroit,OU=United States,DC=na,DC=gmc,DC=gmc,DC=com
I also think it will return that name if the profile exists. If it has been deleted then I believe it runs a GUID of some sort (based on memory - this might be incorrect)
The entry for the manager is the manager's Binding String. You can feed it back into a request to active directory by binding it to an object that will return the manager's information.
(This is a post from old time, but I thought might be useful for others in the community)
You can use string stripping and find it like this:
REPLACE(SUBSTRING(manager, 4, CHARINDEX('OU=', manager)-5), '\', '')
Full working query (just change DOMAIN to your own):
SELECT Top 901 manager, REPLACE(SUBSTRING(manager, 4, CHARINDEX('OU=',
manager)-5), '\', '')
FROM OPENQUERY( ADSI, 'SELECT manager FROM ''LDAP://DC=DOMAIN,DC=local''
WHERE objectCategory = ''Person'' AND objectClass= ''user''
AND userprincipalname = ''*'' AND mail = ''*'' AND SN = ''*'' ')

Resources