Welcome to the tdir Home Page


SourceForge.net Logo


tdir uses a configuration file in the famaliar .ini format used in many programs. It has several configurable options, such as which AD server to point at, and various translation options.

A note on regular expressions. This config file has various fields which contain regular expressions. The regular expression engine used is libpcre, so the regular expressions should be perl compatible.

# Comments are allowed. values which are commented out indicate
# default values

listenport = 2389

Configure server paramaters. Currently the only option is which port to listen on

[ad-servers] server = ldaps://herrier.csun.edu server = ldaps://kite.csun.edu connect-timeout = 60

Configure a list of AD servers to try, tdir will pick the first one which responds starting at the beginning of the list. connect-timeout is the amount of time tdir will wait for a server to accept a connection before considering it to be down. This defaults to 60 seconds, because slower machines can take a long time to complete the ssl handshake.

bind-dn = cn=administrator,cn=users,dc=csun,dc=edu
bind-cred = 

Use the following credentials to download the schema from active directory. Note that while most ldapv3 servers allow anonymous to download the schema, active directory does not. This user may need to be a member of schema administrators, I have not fully tested who can and can't get the schema. The dn must be a native active directory dn, no dn translation is applied to this dn.

real-ad-base = dc=csun,dc=edu
imaginary-ad-base = o=csun
# real-ad-rdn = cn
# imaginary-ad-rdn = uid
# note anything with the word match in it is a regular expression
match-special-case = cn=directory manager,o=csun
emit = cn=directory manager,cn=users,dc=csun,dc=edu
match-special-case = cn=rmwd_write,ou=proxies,ou=auth,o=csun
emit = cn=rmwd_write,cn=users,dc=csun,dc=edu

tdir allows you the possibility that your active directory base dn is different from your OpenLDAP base dn. The rdn may be different as well, translation will be applied to the dns before changes are made to active directory. There are many reasons why this might happen. AD only allows cn as the rdn, which is annoying, it also forces you to have a domain component base, which may not be what you want. In our case, we installed an LDAP v3 directory years before AD, and were simply not willing to change our base and rdn. read-ad-base is the real base of your AD server. imaginary-ad-base is the base that tdir will present as the base of your AD server. real-ad-rdn (for 2003 and below only cn will work) is the real rdn which AD users. imaginary-ad-rdn is the rdn which tdir will translate into real-ad-rdn. You are also allowed special cases, any dn matching one of the match-special-case regular expressions will be translated into the value of the emit clause ajacent to the match.

# [mappings]
# match=^mail$
# emit=userPrincipalName

mappings. map attribute names matched by "match" to the attribute name specified by "emit". Note, attribute mapping happens before schema checking. If both attributes are allowed, then both of the attributes will have the same values. If one of the attribues is not in AD's schema, or is listed in "strip" in the "attributes" section then only the allowed attributes will remain intact. Here is an example of mapping the "mail" attribute to the "userPrincipalName" attribute. In this case "userPrincipalName" will be kept in sync with mail (assuming no explicit changes are made to "userPrincipalName")

# [object-types]
# group-join-attr = memberuid
# user-match = person
# group-match = posixgroup
# group-join_type = uid-on-group

How to detect a group vs a user object. tdir does not yet do anything with this section. But we plan to implement group integration with rmwd and posix groups. When we do that, this section will need to provide tdir with enough information to decide whether an object is a user or a group.

# [attributes]
# AD says it requires these, but in truth will not allow
# them to be specified.
# ignore-required = nTSecurityDescriptor
# ignore-required = instanceType

# AD claims that these are multivalued, but in truth it
# will not allow them to have multiple values
# single-value = telephonenumber
# single-value = description
# single-value = facsimiletelephonenumber
# single-value = title
# single-value = postalcode
# single-value = mail

# Remove these attributes from the schema entirely, they
# may conflict with attributes defined by samba. Or may cause
# problems
# strip = rid
# strip = pwdlastset
# strip = homedrive
# strip = primarygroupid
# strip = profilepath
# strip = scriptpath
# strip = userworkstations
# strip = postalcode
# strip = host
# strip = userpassword
# strip = createTimestamp
# strip = creatorsName
# strip = entryCSN
# strip = entryUUID
# strip = modifiersName
# strip = modifyTimestamp
# strip = structuralObjectClass
# strip = subschemaSubentry
# strip = hasSubordinates
# strip = uid

Configure schema alterations. NOTE!! These modifications ONLY effect tdir's LOCAL copy of the AD schema, the schema in active directory will NOT ever be modified by tdir. The reason we need to do this is that AD does not obey its schema. The default modifications change its reported schema to be closer to reality. If you define this section you must at least define all the attributes below, as well as any additional attributes you want to change. ignore-required tells tdir to remove requirements (musts) of the specified attribute from all objectclasses. The default values reflect the fact that objectclass top requires nTSecurityDescriptor, and instanceType, however if you try to specify them the add will always fail. These attributes are generated by AD. single-value marks the target attribute as single-value. Active Directory maintains the standard definition of many attributes in it's schema, which allows them to contain multiple values. However you cannot add multiple values to many attributes, event though the schema says you can. The typical error message when you try to do this is 53 (server unwilling to perform). The default set is by no means comprehensive, but lists some of the common attributes which we have had this problem with. strip, remove all references to the specified attribute from the schema. This includes the attribute definition, and all musts and mays on all objectclasses. We remove attributes for several reasons, some of them are defined outside active directory by the samba project (their old schema), others are simply problematic format wise (postalcode, roomnumber, etc) because AD has a draconian data validator which has nothing to do with the syntax rules defined in the schema, so objects with any of these attributes defined in a standard directory will most likely not replicate to AD because their format is not quite right. It is important to note, if you want to make changes to anything in this section, you MUST uncomment everything, and then add new stuff (or remove something, if you are brave). As soon as you define anything the defaults are overridden.

# default value is empty
password-must-not-match = ^\{[-_A-Z]+\}.*

used to filter out certian values of the userpassword. Especially useful for detecting hashed passwords which may come your way during replication. We can't do anything with hashed passwords, we need clear text.

# default values is ^.*$
dn-must-match = ^.*ou=people,ou=auth,o=csun$
# empty list by default
# dn-must-not-match = 

set criteria for objects which should be replicated. Often you don't want to replicate every change made in OpenLDAP to active directory. This section allows you to filter changes by dn. The dn must match one of the dn-must-match regular expressions AND it must not match ANY of the dn-must-not-match regular expressions.