Extending the AD Schema on Samba4 - Part 1

My last post on Samba4 showed how easy it is to install and configure an AD Service on Linux.  If you've not read it then please have a look. (http://david-latham.blogspot.co.nz/2012/12/samba4-ga-release-virtualbox-lab.html)

This post show's how to extend the Samba4 Active Directory Schema.  Specifically for YubiKey integration.

YubiKey's can be purchased for a relativlely low price from Yubico.  Please visit their website (www.yubico.com) for more information.

LDAP Integration is very well covered by Michal Ludvig on his website and github.  (http://www.logix.cz/michal/devel/yubikey-ldap/) In fact we are planning to leverage his implementation at our work and are considering donating towards what's obviously a very good cause.

Now seeing as though LDAP and AD are so similar and exhibit many of the same APIs, I began to wonder how this might fit in with Samba4.  Eventually we might end up using Samba4 for our domain and so I needed to figure out if I could, somehow, "port" the LDAP Schemas for Yubikey to AD.  I think I have managed it with extensive help from another blog.   Thanks to Kurt Hudson and his wonderful article on www.informit.com titled, "Making AD Work Harder | Extending the Active Directory Schema to Track Custom Info"

I should also acknowledge, once again, the Samba Wiki for a crucial piece of the puzzle in which we allow extensions to the Schema. (https://wiki.samba.org/index.php/Samba4/Schema_extenstions)

Step 1: Backup Your Master Server

In my case this was fairly simple.  I just took a snapshot of my Virtualbox image.  You need to do this though.  Messing with an AD schema can be fairly dangerous, especially if it's a Samba4 AD.  Samba's Wiki makes this quite clear.

Step 2: Enable Schema Extensions

This is fairly straight forward and well explained on the Samba Wiki.  First edit your smb.conf and add the following line into the [globals] section.
dsdb:schema update allowed = true
Then restart the samba service.. (btw: If you are interested in an init script for Samba4 on Centos 6 then find it at the end of this article.)

Step 3: Set up Active Directory Schema Console (on Windows)

From here on, we will be working in Windows space.  The Active Directory Schema console is not registered by default.  So register it and create yourself a console.

In a windows command prompt type:
regsvr32 schmmgmt.dll

Then use MMC -> Add Remove Snap-ins ->  Active Directory Schema snap-in. (follow the instructions on Kurt Hudson's page.

Step 4: Add Yubikey Class and Attribute

You need an attribute before you can create an object class.
The details for the Yubikey schema are available on Michal Ludvig's github site: https://raw.github.com/mludvig/yubikey-ldap/master/ldap-schema/yubikey-SunDS.ldif
The SunDS describes most closely the AD Version used in this article:
Here it is:

dn: cn=schema
objectclass: top
#
# YubiKey LDAP schema for Sun Directory Server and OpenDJ
#
# Copy this file to /config/schema/05-yubikey.ldif
#
# Author: Michal Ludvig 
# Consider a small PayPal donation:
#         http://logix.cz/michal/devel/yubikey-ldap/
#
# Converted for OpenDJ and Sun Directory Server by
#         Ludovic Poitou 
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1.1
  NAME 'yubiKeyId'
  DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2.1
  NAME 'yubiKeyUser'
  DESC 'Yubico YubiKey User'
  SUP top
  AUXILIARY
  MAY ( yubiKeyId ) )

Step 4a: Attribute

In the Active Directory Schema Snap-in Console do the following:
  • Right click the Attributes Node and select Create Attribute on the context menu.  A message about the permanence of your operation will show up.  Well, jump right in.  You backed up in step 1.
  • Fill in the details as follows:
    • Common Name = yubiKeyId
    • LDAP Display Name = yubiKeyId
    • Unique X500 Object ID:  = 1.3.6.1.4.1.40789.2012.11.1.2.1.1
    • Description = Yubico YubiKey User
    • Syntax = Case Insensitive String
    • Minimum = 0
    • Maximum = 128
    • Multi Valued = Ticked
  • Click OK to add the attribute to the Attributes list.  If you expand the list, and scroll to the bottom, you will find yubiKeyId and you can right click, select properties and see something like this:
Note, I ticked "multi valued" but in the part where I create a dialogue box to enter the key id's I do not allow for multiple values.  That's on my TO DO List.

Step 4b: Add Yubikey Schema Object Class

  • Begin by right mouse clicking Classes and select Create Class in the context menu.
  • Fill in the details as follows:
    • Common Name: yubiKeyUser
    • LDAP Display Name: yubiKeyUser
    • Unique X500 Object ID:  1.3.6.1.4.1.40789.2012.11.1.2.2.1
    • Description: Yubico YubiKey User
    • Parent Class: top
    • Class Type: Select Auxilary
  • Click Next
    • Click Add next to Opional:
    • Scroll all the way to the bottom and select yubiKeyId
    • Click OK
    • Click Finish
  • Expand the Classes node, scroll to the bottom and right click yubiKeyUser, select Properties to see the following:
 

 

 

So that's the GUI method.
My next post will show how to import ldif files to make this process easier.
Read part 2 here: http://david-latham.blogspot.co.nz/2012/12/extending-ad-schema-on-samba4-part-2.html

Location: Auckland, New Zealand

Comments

Post a Comment

Popular posts from this blog

Automatically mount NVME volumes in AWS EC2 on Windows with Cloudformation and Powershell Userdata

Introduction This post explains how I go about with AWS Cloudformation and Powershell userdata scripts. attaching EBS volumes to Windows EC2 instances identifying them in the OS initializing them formatting them and assigning labels and drive letters. Prerequisites You should know something about Cloudformation and Powershell. The AWS Image you use for your EC2 instance should be one provided by AWS and should have the following utility already deployed to  C:\ProgramData\Amazon\Tools\ebsnvme-id.exe AWS Cloudformation Step I typically do not declare EBS Volumes together with the EC2 Instance declaration in Cloudformation but prefer to declare them as separate resources along with their own ebs attachment resources.  Here is an example EC2 instance with three additional volume declarations on top of the root volume which is automatically mounted on C:\ WindowsServerInstance: Type: AWS::EC2::Instance Properties: BlockDeviceMappings: - DeviceName: /dev/sda1
Read more

Extending the AD Schema on Samba4 - Part 2

Importing LDIF files into Samba4 and Active Directory This is part 2 of the Extending AD Schema on Samba4 series.  The examples below are tested using the Samba4 LAB I created.  If you want more information on how that works then please read  http://david-latham.blogspot.co.nz/2012/12/samba4-ga-release-virtualbox-lab.html For part one, please read http://david-latham.blogspot.co.nz/2012/12/extending-ad-schema-on-samba4.html Unfortunately the format of an ldif file for creating new attributes and classes in the Schema Configuration are differ between Samba4 and Microsoft. The tools are slightly different too.  So this article will attempt to make it all clear. Find all the latest versions of code on this post at  https://github.com/linuxplayground/yubikey-ldap/tree/master/microsoft-schema Samba4 - ldbadd & ldbmodify As far as I can tell the only way to create a new class with a custom attribute in Samba4 (on the Linux command line) is first add the attribute with ldbad
Read more

Python + inotify = Pyinotify [ how to watch folders for file activity ]

Sometimes it just might be handy to be able to watch a folder on a hard disk for changes. For example: A client app might drop small files on a shared folder. A server app might be watching the folder for just such an event. Once the file is created, the server will kick into action and perform whatever tasks are required. This all comes from my CD burning application. I am currently thinking that the client apps will drop small xml files containing information about what to burn onto a folder the webserver has access to and the cdburner service will be watching... The linux kernel provides inotify. This from wikipedia : notify is a Linux kernel subsystem that provides file system event notification. It was written by John McCutchan with help from Robert Love and later Amy Griffis to replace dnotify . It was included in the mainline kernel from release 2.6.13 (2005-06-18), and could be compiled into 2.6.12 and possibly earlier releases by use of a patch . Its function is essen
Read more