
I am trying to create a computer object in Microsoft Active Directory as below:

var ldap = require('ldapjs');

var client = ldap.createClient({
  url: 'ldap://<<host>>:389'
});

// cn is the naming attribute of the entry: keep it identical to the RDN value
// in newDN, otherwise the entry carries two different names for one object.
var newDN = "CN=testcomputeruser,OU=testou,DC=test,DC=com";
var newUser = {
    cn: 'testcomputeruser',
    objectClass: 'computer',
    description: 'This is test implementation hence this is test description.',
    //System will populate 'netbootInitialization':'TestNetbootInitialization',
    //System will populate 'netbootGUID':'b0ae470c-16bc-4019-b455-8c96ec515f55',
    //System will populate 'netbootMachineFilePath':'TestNetbootMachineFilePath',
    //System will populate 'siteGUID':'1010101011',
    //System will populate 'netbootSIFFile':'TestnetbootSIFFile',
    //System will populate 'netbootMirrorDataFile':'TestnetbootMirrorDataFile',
    //System will populate 'msDS-AdditionalDnsHostName':'TestmsDS-AdditionalDnsHostName',
    //System will populate 'msDS-AdditionalSamAccountName':'TestmsDS-AdditionalSamAccountName',
    //System will populate 'msDS-ExecuteScriptPassword':'10100111100011100',
    //System will populate 'netbootDUID':'10100111100011010101',
};

// bind() is asynchronous: issue the add only once the bind has succeeded,
// otherwise the add may be sent before the connection is authenticated.
client.bind('<<Admin DN>>', '<<password>>', function(err) {
  if(err){
      console.log('error',err);
      return;
  }
  console.log('bind is success');

  client.add(newDN, newUser, function(err) {
      console.log('newDN : ', newDN);
      console.log('newUser : ', newUser);
      if(err){
          console.log('error',err);
      }else{
          console.log('new user is success');
      }
      // Release the connection in both the success and the error case.
      client.unbind(function(err) {
          if(err){
              console.log('error unbind : ',err);
          }else{
              console.log('unbind is success');
          }
      });
  });
});

Here the values for attributes like netbootSIFFile, netbootMirrorDataFile, msDS-AdditionalDnsHostName, msDS-AdditionalSamAccountName, msDS-ExecuteScriptPassword and netbootDUID are populated by Microsoft Active Directory.

In the schema we could not find any indicator of this.

Is there any way to find the system attributes for each object class from the Active Directory (LDAP) schema?


If you read the class object for Computer in the schema via LDAP (e.g. `CN=Computer,CN=Schema,CN=Configuration,DC=test,DC=com`), you can read the `systemMayContain` attribute, which is a list of attributes that "can only be modified by the system."

Or you could just create a computer object, setting the least amount of attributes that it will let you, then read back all the attributes that have values. All the attributes with values that you didn't set are ones that were set by the system.

Gabriel Luci
  • Thank you for your help. Is there any way to find the `systemMayContain` attributes for all the object classes available in Active Directory? – prashanthmadduri Jan 01 '20 at 13:10
  • Yes, just do the same for other classes, like `CN=User,CN=Schema,CN=Configuration,DC=test,DC=com` – Gabriel Luci Jan 01 '20 at 16:05
  • Or perform a search in `CN=Schema,CN=Configuration,DC=test,DC=com` for `(systemMayContain=*)` – Gabriel Luci Jan 01 '20 at 16:06
  • Thank you for your inputs. We could retrieve the `systemMayContain` attributes for all the object classes. However, the `DN` uses the `CN` (Common Name) of the object class, which is not available as part of the `objectClasses` definition. If we consider the `msAuthz-CentralAccessRules` object class, it requires `CN=ms-Authz-Central-Access-Rules,CN=Schema,CN=Configuration,DC=ibm,DC=msad,DC=com` as the DN for the class schema search. Is there any way to find the `CN` for an object class retrieved from `objectClasses`? In this case `ms-Authz-Central-Access-Rules` is the `CN` for the `msAuthz-CentralAccessRules` object class. – prashanthmadduri Jan 03 '20 at 09:13
  • You can search the schema using the `lDAPDisplayName` attribute (that's a lowercase L at the beginning). For example: `(lDAPDisplayName=msAuthz-CentralAccessRules)` – Gabriel Luci Jan 03 '20 at 14:30
  • Many thanks for all your help. Could you please help with this query on the same `systemMayContain` attributes: https://stackoverflow.com/questions/59611514/finding-system-modifiable-attributes-for-each-object-class-in-microsoft-active-d – prashanthmadduri Jan 06 '20 at 11:44
  • @prashanthmadduri I can't, no. Everything I've told you so far I've just learned by poking around at the schema and documentation. I don't really know any more. – Gabriel Luci Jan 06 '20 at 17:05
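The following is an added example, not code from the question or the answer above, that puts the schema reads discussed in the answer and its comment thread into one script. It goes beyond the single-class read in two ways. First, a class inherits its attribute lists from its parents, so for `computer` it walks the `subClassOf` chain (`computer` → `user` → `organizationalPerson` → `person` → `top`) and unions `systemMustContain` and `systemMayContain` along the way. Second, those two lists describe the class definition (the base-schema attributes of the class, whose list only the system may change); whether a directory server fills in an attribute's value by itself is recorded per attribute in its `attributeSchema` entry's `systemOnly` flag, so the script cross-references that flag to find attributes only the DSA can write. The `lDAPDisplayName` filter from the comment thread is built with RFC 4515 escaping. The schema entries embedded in the script are constructed and deliberately incomplete; `fetchSchema` assumes an ldapjs 2.x client (`entry.object`, `paged: true`) and the naming contexts from the thread, and requires ldapjs lazily so the rest runs without a domain controller.

```javascript
// Constructed, heavily simplified classSchema and attributeSchema entries in
// the plain-object shape ldapjs 2.x returns as entry.object. Real AD lists
// are far longer; these only show the data shapes and the inheritance chain.
const SAMPLE_CLASSES = [
  { lDAPDisplayName: 'top', subClassOf: 'top', systemMustContain: ['objectClass'],
    systemMayContain: ['objectGUID', 'whenCreated', 'description'] },
  { lDAPDisplayName: 'person', subClassOf: 'top', systemMustContain: 'cn',
    systemMayContain: ['sn', 'telephoneNumber'] },
  { lDAPDisplayName: 'organizationalPerson', subClassOf: 'person', systemMayContain: ['title'] },
  { lDAPDisplayName: 'user', subClassOf: 'organizationalPerson',
    systemMayContain: ['sAMAccountName', 'userAccountControl'] },
  { lDAPDisplayName: 'computer', subClassOf: 'user',
    systemMayContain: ['netbootGUID', 'netbootSIFFile', 'operatingSystem'] },
];
const SAMPLE_ATTRIBUTES = [
  { lDAPDisplayName: 'objectGUID', systemOnly: 'TRUE' },
  { lDAPDisplayName: 'whenCreated', systemOnly: 'TRUE' },
  { lDAPDisplayName: 'netbootGUID', systemOnly: 'FALSE' },
  { lDAPDisplayName: 'cn', systemOnly: 'FALSE' },
];

// LDAP results: a single value comes back as a string, several as an array.
const toList = v => (v === undefined || v === null ? [] : Array.isArray(v) ? v : [v]);
// Index schema entries by lDAPDisplayName for case-insensitive lookup.
function indexByDisplayName(entries) {
  const map = new Map();
  for (const e of entries) if (e.lDAPDisplayName) map.set(String(e.lDAPDisplayName).toLowerCase(), e);
  return map;
}

// Walk subClassOf (computer -> user -> organizationalPerson -> person -> top)
// and union the system attribute lists of every class on the way. 'top' is
// its own parent, so the visited set is what terminates the walk.
function resolveClassAttributes(className, classEntries) {
  const classes = indexByDisplayName(classEntries);
  const chain = [], systemMust = new Set(), systemMay = new Set(), seen = new Set();
  let current = className.toLowerCase();
  while (current && !seen.has(current)) {
    seen.add(current);
    const cls = classes.get(current);
    if (!cls) throw new Error('no classSchema entry for ' + current);
    chain.push(cls.lDAPDisplayName);
    toList(cls.systemMustContain).forEach(a => systemMust.add(a));
    toList(cls.systemMayContain).forEach(a => systemMay.add(a));
    current = cls.subClassOf ? String(cls.subClassOf).toLowerCase() : null;
  }
  return { chain, systemMust: [...systemMust].sort(), systemMay: [...systemMay].sort() };
}

// Of everything the class may carry, keep the attributes whose attributeSchema
// has systemOnly=TRUE: only the DSA itself can write those values.
function systemOnlyAttributes(className, classEntries, attributeEntries) {
  const attrs = indexByDisplayName(attributeEntries);
  const { systemMust, systemMay } = resolveClassAttributes(className, classEntries);
  return [...systemMust, ...systemMay].filter(name => {
    const a = attrs.get(name.toLowerCase());
    return a !== undefined && String(toList(a.systemOnly)[0]).toUpperCase() === 'TRUE';
  }).sort();
}

// RFC 4515 escaping, so a class name taken from input cannot alter the filter.
function escapeFilterValue(s) {
  return String(s).replace(/[\\*()\0]/g, c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Filter for one class by lDAPDisplayName; objectClass=classSchema keeps an
// attributeSchema entry with the same display name out of the result.
function classSchemaFilter(ldapDisplayName) {
  return '(&(objectClass=classSchema)(lDAPDisplayName=' + escapeFilterValue(ldapDisplayName) + '))';
}

// Live version against a domain controller. ldapjs is required lazily so the
// helpers above run without it. Assumes ldapjs 2.x (entry.object, paged: true).
// schemaNC is e.g. 'CN=Schema,CN=Configuration,DC=test,DC=com'.
function fetchSchema(url, bindDn, password, schemaNC, cb) {
  const ldap = require('ldapjs');
  const client = ldap.createClient({ url });
  client.bind(bindDn, password, err => {
    if (err) return cb(err);
    const classes = [], attributes = [];
    const opts = {
      scope: 'one',
      filter: '(|(objectClass=classSchema)(objectClass=attributeSchema))',
      attributes: ['objectClass', 'lDAPDisplayName', 'subClassOf',
                   'systemMustContain', 'systemMayContain', 'systemOnly'],
      paged: true, // the schema NC holds well over the default 1000-entry page
    };
    client.search(schemaNC, opts, (err, res) => {
      if (err) return cb(err);
      res.on('searchEntry', entry => {
        const o = entry.object;
        (toList(o.objectClass).includes('classSchema') ? classes : attributes).push(o);
      });
      res.on('error', cb);
      res.on('end', () => client.unbind(() => cb(null, { classes, attributes })));
    });
  });
}
```

Against a real domain, `fetchSchema(url, dn, pw, schemaNC, (err, s) => systemOnlyAttributes('computer', s.classes, s.attributes))` returns the attributes of a computer object that only the directory itself writes; `resolveClassAttributes('computer', s.classes).systemMay` is the full inherited `systemMayContain` list, which is what the answer's single-class read leaves out for the parent classes.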