1

I am trying to add a new attribute named sAMAccountName to an already existing LDAP schema definition which is read by IM-LDAP using UnboundID LDAP SDK.

I have added an attributeTypes entry and sAMAccountName to matchingRuleUse.

attributeTypes: ( 2.5.18.11 NAME 'sAMAccountName' DESC 'MS Sec Principal User' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ ... $ sAMAccountName ) )

For every previously existing attribute a call to com.unboundid.ldap.sdk.schema.Schema.getAttributeType("attrName") returns the attribute type. But not for my new attribute.

What am I missing?

Edited 10/11/18 after @jwilleke comment:

What I am trying to achieve is a mock using IM-LDAP for a very limited functionality of an Active Directory server.

In the actual AD production environment, there are entries representing users with objectClass: person, organizationalPerson,simulatedMicrosoftSecurityPrincipal.

In AD these entries contain sAMAccountName and memberof attributes. But they are not there in the schema that comes with IM-LDAP.

The authentication Java code first performs a search on

(&(objectClass=user)(sAMAccountName=userAccountName)

Then if an entry in found, it checks whether a given security group name is present in the multivalued attribute memberof.

An entry exported from the production AD server looks like this :

dn: cn=Smith\,John,ou=User Accounts,dc=ACME,dc=CORE,dc=INT
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: simulatedMicrosoftSecurityPrincipal
cn: Smith,John
sn: JohnS
sAMAccountName: JohnS
userPassword: johnspasswd
memberof: ou=Service Accounts,dc=ACME,dc=CORE,dc=INT

The two new attributes are added to objectClass simulatedMicrosoftSecurityPrincipal in the schema by adding:

objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )

But when I try to import these entries into the LDAP mock I get an error telling me that sAMAccountName and memberof are not defined.

EDIT 2:

attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

Wokrked for adding sAMAccountName, but still trying to figure out how to add memeberOf

Here is the complete .ldif file.

Serg M Ten
  • 5,568
  • 4
  • 25
  • 48
  • 1
    You question is ambiguous. Are you trying to add an attribute definition to a server, or trying to add an attribute in an entry on a client application and need the schema definition for it ? – Ludovic Poitou Jan 10 '18 at 08:16
  • I have both server and client. Server is [IM-LDAP](https://github.com/inbloom/ldap-in-memory) Which loads the attached schema on start up. Then I have a client application that must use the attribute sAMAccountName which was not in the schema shipped with IM-LDAP. – Serg M Ten Jan 10 '18 at 09:18
  • 1
    Perhaps you should explain what you are trying accomplish? You will not, unless there is some trick in IM-LDAP, be able to use samAccountName as the userID to perform a login. And samAccountName is NOT suitable for a distinguishedNameMatch matching rule as it is NOT a DN. http://ldapwiki.com/wiki/DistinguishedNameMatch – jwilleke Jan 10 '18 at 10:10
  • I updated the original question with further explanation of what I am trying to achieve. Thanks. – Serg M Ten Jan 10 '18 at 10:38
  • Also found this other [question](https://stackoverflow.com/questions/45725124/openldap-samaccountname-as-custom-attribute) but olcAttributeTypes didn't work for me neither. – Serg M Ten Jan 10 '18 at 12:24

1 Answers1

1

This is what finally worked for me

objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )

attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
Serg M Ten
  • 5,568
  • 4
  • 25
  • 48
  • You probably want to declare attributeTypes before objectClasses (since the later refer to the former). Still, it is really unclear what was your problem and what you were trying to achieve. – Ludovic Poitou Jan 13 '18 at 08:35