Technical Tip: How to add necessary AD schemas to OpenLDAP for importing Users to the Reveal Platform
| Description | This article describes how to add necessary AD schemas to OpenLDAP for importing Users to the Reveal Platform. |
| Scope | FortiDLP. |
| Solution | The Reveal Platform requires certain attributes to be present on user entries before users can be imported.
The Microsoft AD specific schemas can be obtained from: https://github.com/dkoudela/active-directory-to-openldap
The repository contains several schema files; the three of interest here are:
- microsoftattributetype.schema
- microsoftattributetypestd.schema
- microsoftobjectclass.schema
Copy all three into the OpenLDAP schema directory (e.g. /etc/ldap/schema). Some attribute types in these files duplicate attributes that the standard schemas (cosine.schema in particular) already define, so edit the files as follows to avoid duplicate attribute errors when the schemas are loaded.
In microsoftattributetype.schema, comment out these three attribute types:
```
attributetype ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' DESC 'RFC1274: home postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
attributetype ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' DESC 'RFC1274: personal title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )
```
In microsoftobjectclass.schema, extend the end of the user object class definition: after mS-DS-CreatorSID, add `$ mail $ givenName`, so that the end of the list reads:
```
mS-DS-CreatorSID $ mail $ givenName
```
In microsoftattributetypestd.schema, comment out these four attribute types:
```
attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'RFC1274: DN of manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'homeTelephoneNumber' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributetype ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTelephoneNumber' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributetype ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelephoneNumber' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
```
Once the files are edited and saved, create a new configuration file in /tmp (vim /tmp/ava.conf) containing the following include lines in exactly this order (the order matters, because the Microsoft schemas depend on attributes defined in the standard schemas, and the order also determines the {N} index in the generated LDIF file names):
```
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/microsoftattributetype.schema
include /etc/ldap/schema/microsoftattributetypestd.schema
include /etc/ldap/schema/microsoftobjectclass.schema
```
Create an output directory in /tmp (mkdir -p /tmp/ava.d) and run slaptest to convert the schemas into cn=config LDIF form. slaptest also validates the schema files, so any remaining duplicate or syntax errors are reported here, before anything touches the running server:
```
prompt$> slaptest -f /tmp/ava.conf -F /tmp/ava.d
```
Next, edit the three generated LDIF files so that they can be loaded into cn=config. In each file, replace the dn: and cn: lines (which carry the {N} ordering prefix) with the three header lines shown below, and delete the trailing operational attribute lines that slaptest writes at the end of the file, i.e. the lines beginning with structuralObjectClass:, entryUUID:, creatorsName:, createTimestamp:, entryCSN:, modifiersName: and modifyTimestamp: (the server assigns these itself):
```
vim /tmp/ava.d/cn\=config/cn\=schema/cn\=\{6\}microsoftattributetype.ldif
dn: cn=microsoftattributetype,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: microsoftattributetype

vim /tmp/ava.d/cn\=config/cn\=schema/cn\=\{7\}microsoftattributetypestd.ldif
dn: cn=microsoftattributetypestd,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: microsoftattributetypestd

vim /tmp/ava.d/cn\=config/cn\=schema/cn\=\{8\}microsoftobjectclass.ldif
dn: cn=microsoftobjectclass,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: microsoftobjectclass
```
Finally, load the three schemas into the running server over the local ldapi socket, in the same order:
```
prompt$> sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ava.d/cn\=config/cn\=schema/cn\=\{6\}microsoftattributetype.ldif
prompt$> sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ava.d/cn\=config/cn\=schema/cn\=\{7\}microsoftattributetypestd.ldif
prompt$> sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ava.d/cn\=config/cn\=schema/cn\=\{8\}microsoftobjectclass.ldif
```
|
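The three hand edits in the procedure above (commenting out duplicate attribute types, appending `$ mail $ givenName` to the user object class, and turning the slaptest output into LDIF that ldapadd accepts) are easy to get subtly wrong on multi-line definitions. The following Python script is an added example, not code from the article or from the linked repository, that performs those edits on schema and LDIF text. It runs on constructed sample input embedded inline; the `1.3.6.1.4.1.99999.*` OIDs in the sample are placeholders, while the `0.9.2342.*` OIDs are the ones the article names.

```python
"""Added helper (not from the article): automates the hand edits in the
procedure - commenting out duplicate attributetype definitions, extending the
MAY list of the user object class, and converting slaptest's LDIF output."""
import re

# Operational attributes slaptest writes into the generated LDIF; the server
# assigns them itself, so ldapadd rejects an entry that still carries them.
OPERATIONAL_ATTRS = {
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
}


def _definition_spans(lines):
    """Yield (start, end) line-index pairs for each parenthesised definition.
    Definitions may span several lines, so parentheses are balanced instead
    of assuming one definition per line."""
    depth, start = 0, None
    for i, line in enumerate(lines):
        if line.lstrip().startswith("#"):       # comment lines may contain '('
            continue
        if depth == 0 and "(" in line:
            start = i
        depth += line.count("(") - line.count(")")
        if depth <= 0 and start is not None:
            yield start, i
            depth, start = 0, None


def comment_out_attributetypes(schema_text, oids):
    """Prefix '#' to every line of each attributetype whose OID is in oids."""
    lines = schema_text.splitlines()
    for start, end in _definition_spans(lines):
        m = re.match(r"\s*attributetype\s*\(\s*([\d.]+)", lines[start], re.I)
        if m and m.group(1) in oids:
            for i in range(start, end + 1):
                lines[i] = "#" + lines[i]
    return "\n".join(lines) + "\n"


def add_may_attributes(schema_text, objectclass, after_attr, new_attrs):
    """Inside the object class named `objectclass`, insert new_attrs into the
    attribute list directly after after_attr; a no-op if already present."""
    lines = schema_text.splitlines()
    joined = " $ ".join([after_attr, *new_attrs])
    for start, end in _definition_spans(lines):
        block = "\n".join(lines[start:end + 1])
        if not re.match(r"\s*objectclass", block, re.I) or f"'{objectclass}'" not in block:
            continue
        if joined not in block:
            block = re.sub(re.escape(after_attr) + r"(?=\s)", joined, block, count=1)
            lines[start:end + 1] = block.split("\n")
        break
    return "\n".join(lines) + "\n"


def convert_slaptest_ldif(ldif_text, schema_name):
    """Rewrite a cn={N}name.ldif produced by slaptest -F so ldapadd can load it
    under cn=schema,cn=config: fix dn and cn, and drop operational attributes
    together with any LDIF continuation lines that belong to them."""
    out, skipping = [], False
    for line in ldif_text.splitlines():
        if line.startswith(" "):                 # continuation of previous attribute
            if not skipping:
                out.append(line)
            continue
        skipping = False
        if line.startswith("dn:"):
            out.append(f"dn: cn={schema_name},cn=schema,cn=config")
        elif line.startswith("cn:"):
            out.append(f"cn: {schema_name}")
        elif line.split(":", 1)[0] in OPERATIONAL_ATTRS:
            skipping = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample inputs (not real files from the repository).
SAMPLE_SCHEMA = """\
attributetype ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
    DESC 'RFC1274: personal title'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.99999.1 NAME 'mS-DS-CreatorSID'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.2 NAME 'user' SUP organizationalPerson STRUCTURAL
    MAY ( userPrincipalName $ mS-DS-CreatorSID ) )
"""
SAMPLE_LDIF = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: cn={6}microsoftattributetype
objectClass: olcSchemaConfig
cn: {6}microsoftattributetype
olcAttributeTypes: {0}( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX 1
 .3.6.1.4.1.1466.115.121.1.39 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20240101000000Z
entryCSN: 20240101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20240101000000Z
"""

if __name__ == "__main__":
    print(comment_out_attributetypes(SAMPLE_SCHEMA, {"0.9.2342.19200300.100.1.40"}))
    print(add_may_attributes(SAMPLE_SCHEMA, "user", "mS-DS-CreatorSID", ["mail", "givenName"]))
    print(convert_slaptest_ldif(SAMPLE_LDIF, "microsoftattributetype"))
```

To apply it to real files, read each schema or LDIF file into a string, pass it through the matching function, and write the result back; keeping a copy of the untouched slaptest output makes it easy to diff what was removed before running ldapadd.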
