Import attribute/object definitions to Active Directory (AD LDS)

Question

Currently I'm using OpenDS and have to migrate to Active Directory (AD LDS).

I have a few custom attributes/objects that are defined in .ldif files in the OpenDS/config/schema directory like this:

attributeTypes: ( 1.3.6.1.4.1.99.1
  NAME 'myNewAttribute'
  DESC 'some text'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  )

objectClasses: ( 1.3.6.1.4.1.99.2
  NAME 'myNewClass'
  SUP top STRUCTURAL
  MUST ( person $ myNewAttribute )
  MAY someOtherAttribute
  )

Unfortunately ldifde does not understand this format, so I used ADSI Edit to import my definitions manually one by one (cumbersome!) - but encountered some problems:

• It seems AD supports only a handful of different SYNTAX definitions, like 2.5.5.12. How can I map something like 1.3.6.1.4.1.1466.115.121.1.15 to AD?

• oMSyntax: Seems to be AD specific and not known to the rest of the LDAP world. oMSyntax in combination with attributeSyntax seems to define the data type in the AD world.

• things like EQUALITY seem to be missing completely in AD! How to deal with this?

Question: Is there a tool to convert an LDIF file with attribute/object definitions to a format that is understood by MS / AD / ldifde?

Or a more general question: What is the best practice to migrate attribute/object definitions from OpenDS, OpenLDAP, etc. to the Microsoft world?

Answer 1

Welcome to the Diretories compatibility world. First of all the following syntax :

attributeTypes: ( 1.3.6.1.4.1.99.1
  NAME 'myNewAttribute'
  DESC 'some text'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  )

is not an LDIF syntax. it's a syntax used in Netscape like Directories to specify the Schema (OpenLDAP, Ex Sun directory service etc.). As far as you want to introduce new attributes and classes in Active Directory, you can do it using one of these 3 ways :

• Manualy using the common ADSIEDIT.MSC (I never do it like that) :

• Manualy using the specific Active Directory Scema Editor MMC (Microsoft Management Console)

This is the way I use in the development phase.

MMC.EXE -> File -> Open Component -> Active Directory Schema

If you are using an old server this MMC is only available recording an Active X component :

Regsvr32 c:\windows\system32\schmmgmt.msc

This way is much easier, it's the way I use on a development VM to create my attributes, I Then export the LDIF description with LDIFDE.EXE tool in order to clean it (remove system attributes) and import it on the production servers.

• Programaticaly using LDIF

Here is an example of the LDIF syntax of an attribute

dn: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
changetype: add
objectClass: top
objectClass: attributeSchema
cn: SlxChapitres
distinguishedName: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
instanceType: 4
attributeID: 1.3.6.1.4.1.10558.2.1.6
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: SlxChapitres
oMSyntax: 20
lDAPDisplayName: SlxChapitres
name: SlxChapitres
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=XXXX

This code is LDIF, I can inject it using LDIDE.EXE program the DC=XXXX syntax allowing me to use the -c DNSrc DNTarget of the LDIFFDE.EXE program option to locate it to the right DN.

• As far as the Syntax and the matching rules are concerned, In my opinion Active-Directory is not so standard. Microsoft use a kind of combination between these to concepts to give one thing they call Syntax. Whenever you create a new attribute, you must specify its syntax. To uniquely identify the syntax among the total set of 21 syntaxes, you must specify 2 pieces of information: the OID of the syntax and a so-called OM syntax. This pair of values must be set together and correctly correlate with Mictosoft documention.