How to extend AD schema to enable DUAConfigProfile class

nidhin_ck posted this 4 weeks ago


Hi Experts,


We are trying to extend the schema to include the DUAConfigProfile class. This will be used by Unix machines for application authentication purposes.


Attached is the ldif file for DUAConfigProfile, which we got from http://ldapwiki.com/wiki/DUAConfigProfile.


Could you please let us know the process to upgrade the AD schema to enable this class?


I've seen the article below, which talks about how to create a specific attribute in the AD schema. But we don't know the exact syntax value of the attributes mentioned in the DUAConfigProfile.ldif file.


For example, when we create a new attribute, we need to select the appropriate syntax value from a drop-down list:




and the syntax mentioned in the ldif file is as below:




Regards,

Nidhin.CK

Ravi.Sabharanjak posted this 4 weeks ago

I don't think you need this. Starting with 2003r2, AD schema has equivalent objects for RFC 2307, so while the names may be different the attributes are all there.
On Linux, you can map to the attributes in AD using the ldap.conf so that the machine knows where to look for the data it expects. The man page and how to docs would have more info.
Since the article you linked to mentions Solaris, I suspect it might be dated.
-Ravi
On May 28, 2018 6:50 AM, "nidhin ck" <nidhinck@xxxxxxxxxxxxxxxx> wrote:

barkills posted this 4 weeks ago

Hm. Based on some light reading of RFC 4876 & articles referencing this schema, it seems this schema is designed to solve some problem with vendors arbitrarily implementing RFC2307, such as Microsoft did. So I don’t think your assertion, Ravi, is quite correct.

When you are trying to decode an OID, use www.alvestrand.no. That’ll give you a description (or at least the registered owner) of the OID. For the 5 schema syntaxes referenced, all are listed and they are the syntaxes included in the official LDAPv3 standard.

Unfortunately, Microsoft doesn’t use those official syntaxes. This is one of many details which Microsoft glosses over when it makes claims about LDAP standard compliance. Instead, Microsoft uses different syntaxes which are intended to be close substitutions—in many cases these are X.500 standard syntaxes. Why Microsoft did this I don’t know, but it probably has something to do with AD history and Exchange 5.5.

So, ironically, the whole purpose of the schema you’d like to add may be undermined by Microsoft’s different use of syntaxes. But I’ve never seen an LDAP app which cared about that detail, so this is probably not a real issue.

Your exercise then becomes figuring out the right Microsoft syntax to use. I think this is a semi-accurate mapping, but you’ll want to double-check my work as I only spent a few minutes on it.

 

LDAPv3 syntax referenced          Human-readable name   MS syntax OID
1.3.6.1.4.1.1466.115.121.1.15     Directory String      2.5.5.12
1.3.6.1.4.1.1466.115.121.1.12     Distinguished Name    2.5.5.1
1.3.6.1.4.1.1466.115.121.1.27     Integer               2.5.5.9
1.3.6.1.4.1.1466.115.121.1.7      Boolean               2.5.5.8
1.3.6.1.4.1.1466.115.121.1.26     IA5 String            2.5.5.5

 

Finally, you’ll need to do the little bits needed to author your own AD schema. For example, generate schemaIDGUID values, i.e. base64 encoded UUIDs.

 

Good luck!

 

Brian

 
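Putting Brian's mapping and the schemaIDGUID step to work, as an added example that is not from this thread (my own script, not anything from ldapwiki or Microsoft): it reads an RFC-style attributetype definition, picks the AD attributeSyntax/oMSyntax pair for its LDAPv3 syntax, and emits an attributeSchema LDIF entry with a fresh base64-encoded schemaIDGUID. The oMSyntax companion values, the sample preferredServerList definition and the schema NC you pass in are my assumptions; verify them against your ldif file and the AD schema documentation before importing anything.

```python
import base64
import re
import uuid

# LDAPv3 syntax OID -> (AD attributeSyntax from Brian's table, usual AD oMSyntax).
MS_SYNTAX = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64),  # Directory String -> Unicode
    "1.3.6.1.4.1.1466.115.121.1.12": ("2.5.5.1", 127),  # DN (AD also wants oMObjectClass)
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", 2),    # Integer
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1),     # Boolean
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", 22),   # IA5 String
}

# Constructed sample in RFC 4876 style; check it against the real DUAConfigProfile.ldif.
SAMPLE = """attributetype ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'preferredServerList'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )"""

def parse_attributetype(text):
    # Pull OID, NAME, SYNTAX and the SINGLE-VALUE flag out of one definition.
    m = re.search(r"attributetype\s*\((.*?)\)", text, re.S)
    if not m:
        raise ValueError("not an attributetype definition")
    body = m.group(1)
    return {
        "oid": re.match(r"\s*([\d.]+)", body).group(1),
        "name": re.search(r"NAME\s+'([^']+)'", body).group(1),
        "syntax": re.search(r"SYNTAX\s+([\d.]+)", body).group(1),
        "single": "SINGLE-VALUE" in body,
    }

def schema_id_guid():
    # LDIF takes schemaIDGUID as base64 of the 16 raw UUID bytes (the "::" form).
    return base64.b64encode(uuid.uuid4().bytes).decode("ascii")

def ad_attribute_ldif(definition, schema_nc, guid_b64=None):
    attr = parse_attributetype(definition)
    if attr["syntax"] not in MS_SYNTAX:
        raise ValueError(f"no AD mapping for LDAP syntax {attr['syntax']}")
    attribute_syntax, om_syntax = MS_SYNTAX[attr["syntax"]]
    lines = [
        f"dn: CN={attr['name']},{schema_nc}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"attributeID: {attr['oid']}",
        f"lDAPDisplayName: {attr['name']}",
        f"attributeSyntax: {attribute_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'TRUE' if attr['single'] else 'FALSE'}",
        f"schemaIDGUID:: {guid_b64 or schema_id_guid()}",
    ]
    return "\n".join(lines) + "\n"
```

Call ad_attribute_ldif(SAMPLE, "CN=Schema,CN=Configuration,DC=yourforest,DC=tld") once per attributetype in the ldif and feed the output to ldifde on a schema-master-capable account; DN-syntax attributes still need their oMObjectClass added by hand.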
