Adding custom Objectclass and Schema to AD LDS

  • 189 Views
  • Last Post 16 August 2016
BrianB posted this 11 August 2016

Having never done this before, I am asking for some guidance.

I am moving from Oracle LDAP to AD LDS for a specific use case in our new Greenfield environment. This is the time to do it. Our original admins of the system, which dates back 20 years, created a custom schema objectclass and schema LDIF complete with registered OIDs. I pulled the custom schema LDIF from the old Oracle LDAP server and tried to import it, thinking that an LDIF is an LDIF. It failed. So I compared an LDIF file from the ADAM directory with that of the LDIF file from the ODSEE schema and the format is much different. Is that to be expected? Is there a way to convert, or do I have to write a compatible schema LDIF file for AD LDS? Does Microsoft use a different format than the rest of the LDAP world?

Hoping that someone has an answer and can assist me in this endeavor. I am continuing to research but it appears that not too many people go down this path and have lived to report on it. :-)

Brian Britt

eccoleman posted this 11 August 2016

Brian,

FWIW, we always had a hard time with this as well—our schema was coming from IBM’s Tivoli Directory Server. We used to manually reformat the LDIF to make it AD “compliant” (usually just converting NewLine characters, adding blank lines after the entity breaks, and search/replace the Domain Component (DC=) elements in the Distinguished Name). But now our schema mods are infrequent one-off cases so we’ve abandoned the reformatting and done it by hand.

Today, if we were needing to do a bulk schema extension, I think we would use PowerShell to parse the LDIF and insert the schema into AD.

--

Erik Coleman

Senior Manager, Enterprise Systems

Technology Services at Illinois

University of Illinois at Urbana-Champaign
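The mechanical reformatting Erik describes (line endings, blank lines between entries, search/replace of the DC= components) is easy to script. The following is an added example written for this thread, not code from any poster or from Microsoft; it uses Python rather than the PowerShell Erik mentions so it can be checked on any machine. The sample LDIF, the old and new base DNs and the entry names in it are all constructed. Beyond what Erik lists, it unfolds LDIF continuation lines, starts a new record at every dn: line even when the blank separator is missing, and by default inserts "changetype: add" into records that lack one (an assumption about the target import; pass add_changetype=False to leave records as they are). What it deliberately does not do is translate ODSEE attributeTypes/objectClasses definitions into AD LDS attributeSchema and classSchema objects; that part still has to be authored.

```python
"""Normalize an LDIF export for import into AD LDS.

Added example for this thread (not code from the thread or from Microsoft).
Performs the mechanical clean-up described above: CRLF line endings,
unfolding of continuation lines, one blank line between records, and a
search/replace of the DC= suffix in every DN-valued line.  Optionally adds
'changetype: add' to records that lack one.  It does NOT translate ODSEE
attributeTypes/objectClasses definitions into AD LDS attributeSchema and
classSchema objects; those must still be written by hand.
"""
import re

# Constructed sample export (LF line endings, a comment, a folded line and
# a missing blank line between the two records).  Not from the thread.
SAMPLE_LDIF = (
    "version: 1\n"
    "# constructed example export from the old directory\n"
    "dn: ou=groups,dc=old,dc=example,dc=com\n"
    "objectClass: top\n"
    "objectClass: organizationalUnit\n"
    "ou: groups\n"
    "description: constructed organizational unit with a deliberately\n"
    "  folded description line\n"
    "dn: cn=badgeAdmins,ou=groups,dc=old,dc=example,dc=com\n"
    "objectClass: top\n"
    "objectClass: groupOfNames\n"
    "cn: badgeAdmins\n"
    "member: uid=alice,ou=people,dc=old,dc=example,dc=com\n"
)


def parse_ldif(text):
    """Split LDIF text into records, each a list of unfolded 'attr: value' lines.

    Accepts LF, CR or CRLF line endings, joins folded continuation lines
    (a line starting with one space continues the previous line), drops
    comments and the version header, and starts a new record at every
    'dn:' line even when the separating blank line is missing.
    """
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    records, current = [], []
    for line in lines:
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith(" "):
            if current:
                current[-1] += line[1:]
            continue
        if line.lower().startswith("dn:") and current:
            records.append(current)
            current = []
        current.append(line)
    if current:
        records.append(current)
    return records


def rewrite_suffix(value, old_suffix, new_suffix):
    """Replace a trailing DN suffix; DNs compare case-insensitively."""
    pattern = re.compile(re.escape(old_suffix) + r"\s*$", re.IGNORECASE)
    return pattern.sub(new_suffix, value)


def has_changetype(record):
    return any(line.lower().startswith("changetype:") for line in record)


def normalize_record(record, old_suffix, new_suffix, add_changetype):
    """Rewrite DN suffixes in a record and optionally add 'changetype: add'."""
    if not record or not record[0].lower().startswith("dn:"):
        raise ValueError("record does not start with a dn: line: %r" % record[:1])
    out = []
    for line in record:
        attr, sep, value = line.partition(":")
        # Skip base64 ('::') and URL (':<') values; only plain values can hold a DN.
        if sep and not value.startswith(":") and not value.startswith("<"):
            line = attr + ":" + rewrite_suffix(value, old_suffix, new_suffix)
        out.append(line)
    if add_changetype and not has_changetype(out):
        # Assumption: the target import wants explicit add records.
        out.insert(1, "changetype: add")
    return out


def normalize_ldif(text, old_suffix, new_suffix, add_changetype=True):
    """Return CRLF-terminated LDIF with one blank line between records."""
    records = [normalize_record(r, old_suffix, new_suffix, add_changetype)
               for r in parse_ldif(text)]
    return "\r\n\r\n".join("\r\n".join(r) for r in records) + "\r\n"


if __name__ == "__main__":
    print(normalize_ldif(SAMPLE_LDIF, "dc=old,dc=example,dc=com",
                         "DC=new,DC=example,DC=com"), end="")
```

The suffix rewrite takes any pair of suffixes, so the same call works for the schema naming context, which in AD LDS lives under CN=Schema,CN=Configuration,CN={instance GUID} rather than under a DC= suffix. Review the output before feeding it to an import tool: the script only fixes the wrapper format, and a record whose attributes the AD LDS schema does not know will still be rejected.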

joe posted this 11 August 2016

I have done this but it has been a while. However, I created my schema from scratch and based it off of existing AD LDS schema LDIF files for reference, so I didn't have quite the same problem you mention in terms of how to map the "intent" of your original schema to something compatible with AD LDS.
It is possible I could help with this but I'm uncertain. Can you share the LDIF you want to import?
Joe K.

BrianB posted this 11 August 2016

Joe,

I can share but prefer out of band if possible. I don’t think there is anything secret about the schema but it makes me feel better to do so out of band. You can email me at briandotbrittatvanderbiltdotedu and I can share. I appreciate the help.

Brian Britt

ZJORZ posted this 11 August 2016

Hi, if you want I can also have a look at it. Mail me the LDIF offline.

Kind regards,

Jorge de Almeida Pinto
JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
+31 (0)6 26.26.62.80

BrianB posted this 12 August 2016

Jorge,

Thanks for the help, I will include you as well.

Brian B.

bdesmond posted this 15 August 2016

Creating the LDIF by hand is the “pure” way to do this. I tend to cheat and just spin up a pair of empty AD LDS instances on my PC and create the schema entries with the MMC in one instance. You can then use AD Schema Analyzer (in c:\windows\adam) and diff the two instances and it will kick out an LDIF file. From there you can use notepad and do some minor tweaking and you’ve got a gold LDIF to carry around.

Thanks,

Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

BrianB posted this 15 August 2016

Brian,

That is a great way that I never thought of. So I guess what you are saying is to use the graphical way to create the objectClass and associated attributes and then a diff will create the resulting difference LDIF file that can then be edited as a changetype ADD | UPDATE | DELETE?

Brian Britt

DonH posted this 15 August 2016

Clever! I approve.

Ex-DonH

BrianB posted this 15 August 2016

I just thought about this but wouldn’t the schema replicate to the other instance and then both will be identical? How could there be a diff? Unless you disable outbound replication.

Brian Britt

joe posted this 15 August 2016

I think Brian D. was suggesting two separate, stand-alone AD LDS instances that are not part of any other configuration sets and have no replication partners. AD LDS instances on a local machine are pretty easy to spin up and down and throw away so this should be easy and also painless to repeat if you miss something and need to start over.

Joe K.

BrianB posted this 16 August 2016

Yeah, my fault, a misunderstanding. That makes perfect sense now.

Brian Britt

bdesmond posted this 16 August 2016

It should already have the right change type entries.

Thanks,

Brian Desmond

w – 312.625.1438 | c – 312.731.3132