/Posix-Winsync-Plugin-for-389-directory-server

This Plugin syncs Posix attributes between Directoryserver and MS AD

Primary LanguageShellOtherNOASSERTION

!! Since version 1.2.11 this is integrated in 389 Directory Server !!

WARNING
The source code has developer state. For production environment test it carefully.

This is a winsync plugin for the 389 directory server. The directory server is a fedora project:
http://directory.fedoraproject.org

The Posix Winsync Plugin syncs Posix attributes between 389 DS and MS AD for users and groups, if the attributes are available in one of the tow worlds. For syncing from AD to DS it will add the objectclass posixAccount and ShadowAccount or posixGroup for the ldap entry.
For sync a user or group from DS to AD AD needs a nisdomain name, the nisdomin name I have stored in the upper container of the users and groups, e.g.:
dn: dc=example,dc=dom
nisDomain: example
objectClass: top
objectClass: domain
objectClass: nisdomainobject
dc: example
It can be stored in any container above the user and group container and below the replicated DS subtree.
The MSFU35 and the RFC2307 schema of AD is supported, but must configured in the plugin
user lock/unlock will sync and lock the user on DS with nsmanageddisabledrole.  The code is borrowed from the freeIPA project.
It is also possible to generate memberUid Attributes in Posix Groups corresponding the group members, if the members are Posix Users.
After syncing from AD with a change in group membership, it will schedule a 'Member of Plugin' task, so that users get the memberOf attributes. For that the posix user get the objectclass inetUser

for programming details see: Red_Hat_Directory_Server-8.2-Plug-in_Guide-en-US.pdf on
http://docs.redhat.com

Build

Now the lib will build and install by autotools, see INSTALL for details.

You need the devel-packages with the slapi header files, customize the include paths.

compile:
    gcc -g -fPIC -c \
               -I ../fedora-ds/ds/ldap/servers/slapd  \
               -I ../fedora-ds/ds/ldap/servers/plugins/replication \
               -I /usr/include/mps posix-winsync.c
link:
    ld -G posix-winsync.o -o libposix-winsync.so 

to simplify the process there are configure.ac and Makefile.am files. So you can build:
$ autoconf
$ automake --add-misising
$ ./configure --prefix=/usr --with-nspr-inc=<path to nspr.h> \
              --with-ds-inc=<path to slapi-plugin.h> \
              --with-ds-winsync-inc=<path to winsync-plugin.h>
$ make
$ make install

I have never build this plugin for linux, only for Solaris, but should work on Linux also. 

For Solaris10+ there are packages for the whole 389 Directory Server on http://wiki.opencsw.org/project-389directoryserver. For the plugin only on: http://buildfarm.opencsw.org/experimental.html#389directoryserver

Install

copy the libposix-winsync.so to <ds-base>/lib/dirserv/plugins/
configure the plugin with:

dn: cn=Posix Winsync API,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Posix Winsync API
nsslapd-pluginpath: libposix-winsync
nsslapd-plugininitfunc: posix_winsync_plugin_init
nsslapd-plugintype: preoperation
nsslapd-pluginenabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: Sync Posix Attributes for users and groups between AD and DS if available and user lock/unlock
nsslapd-pluginVendor: contac Datentechnik GmbH
nsslapd-pluginId: posix-winsync-plugin
nsslapd-pluginVersion: POSIX/1.0
posixWinsyncMsSFUSchema: false
posixWinsyncMapMemberUID: true
posixWinsyncCreateMemberOfTask: true
posixWinsyncLowerCaseUID: true

there are actually 4 Config attributes:

posixWinsyncMsSFUSchema -- set this true for the old MSFU schema on W2k3 AD's
	default: false

posixWinsyncMapMemberUID -- set this false, if you don't want generate memberUid attributs in posix Groups
	default: true

posixWinsyncCreateMemberOfTask -- create a task for the member of plugin to
	generate the memberOf attributes in a user, if a group membership in
	any user is changed while syncing. The postop-/preop plugins will not
	called through winsync, thats why create a task.
	default: false

posixWinsyncLowerCaseUID: some customers use uppercase letters in samAccount
 	which is mapped to uid. uid should be case insensitve and works on
	Unix/Linux for users, but makes problems with supplementary groups (a least on Solaris)
	so you can set this to true, so that memberUid attributes will convert to lowercase.
	default: false