用于在OpenLDAP中创建Active Directory用户和组的LDIF吗? [英] LDIF for creating Active Directory users and groups in OpenLDAP?

问题描述

我有一个使用Active Directory验证用户身份的Web应用程序，并且我试图用OpenLDAP替换AD.

I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.

文档说，我需要以管理员身份登录域控制器，打开用户管理窗口，单击适当的组织单位，然后将用户ID添加到适当的组(这些组的作用域应为全局"和组类型) 安全").

The documentation says that I need to log on the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the userids to the proper groups (these groups should have scope "Global" and group type "Security").

我需要在我的OpenLDAP服务器上创建等效项.有人可以为此提供示例LDIF吗?我不知道应该使用的类或属性，也无法访问域控制器.问题最多的项目似乎是组类型和范围，因为它们似乎是二进制值，而不是字符串.

I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class nor the attributes I should use, and I don't have access to a domain controller. The most problematic items seems to be group type and scope, because they seem to be binary values, not strings.

请注意，我不想完全替换Active Directory-我只需要用户ID和组.我尝试将microsoft.schema添加到OpenLDAP，但是它不起作用.我发现了一些有关修改Microsoft Outlook架构的信息.我需要类似但更简单的东西.

Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.

推荐答案

将整个ActiveDirectory模式转换为OpenLDAP几乎是不可能的，这非常庞大.但是，我们只能添加所需的属性和类:

It's almost impossible to convert the entire ActiveDirectory schema to OpenLDAP, it's huge. However, we can add only the needed attributes and classes:

attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType' 
   SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE 
)

attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf' 
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' 
)

objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
        DESC 'a user'
        SUP organizationalPerson STRUCTURAL
        MUST ( cn )
        MAY ( userPassword $ memberOf ) )

objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
        DESC 'a group of users'
        SUP top STRUCTURAL
        MUST ( groupType $ cn )
        MAY ( member ) )

然后很容易创建用于插入用户和组的LDIF文件:

Then it's easy to create an LDIF file for inserting the users and groups:

dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch

dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database

dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany

dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9

dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany

dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadOnly,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9

这篇关于用于在OpenLDAP中创建Active Directory用户和组的LDIF吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！