Can Directory and Resource Administrator expose new Unix-related attributes introduced in Windows 20 (NETIQKB52674)

  • 7752674
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
Can Directory and Resource Administrator expose new Unix-related attributes introduced in Windows 2003 Release 2?

goal
Are the AD schema extensions added by installing Windows 2003 R2 supported by DRA?

fact
Directory and Resource Administrator 7.5

fact
Directory and Resource Administrator 8.0

fact
Microsoft Windows Server 2003

fix

Yes, Directory and Resource Administrator (DRA) can expose the new Unix-related attributes from Windows 2003 R2, but with the caveats described here.

The schema extensions from Windows Server 2003 R2 extend the user and group object classes in AD with new attributes that hold UNIX-specific information such as UID, GID, UNIX home directory, group memberships, etc. The DRA user interface can be customized to expose these additional attributes on user and group objects, and rules can be created to control who can change them. However, some of the UNIX information is stored in objects created from object classes other than the user, group, contact or OU classes; examples are posixgroup, nisnetgroup and nismap, which are used to store group, netgroup and NIS map entries. DRA cannot yet handle properties on those other classes directly; supporting them would require adding those classes to the DRA accounts provider.

To work around the issue, you can customize the Web console to show the additional properties. Alternatively, you can use an unused property under one of the supported classes, such as the user class, to store the desired information. For example, you could use extensionattribute1 of the user to store the posixgroup property, then use the DRA security model to delegate modification of this property. You would then need a trigger that checks whether that property is being modified; if it is, the first trigger calls another trigger to modify the real posixgroup property in AD. A good example of this pattern is how DRA allows you to set the Send As permission on a user object but does not allow you to set the Send As permission on a group.

Professional Services created a trigger for customers in which the customer types, into the comment field of the group in question, the account that should receive Send As permission, in the format domain\userid. The trigger checks whether the comment field has been populated, reads the value entered there and sets the permissions accordingly. The script is called SetSendAsforGroup.vbs and is on the DRA knowledge depot (https://www.netiq.com/support/dra/extended/knowledgedepot/default.asp). You could use the same kind of logic to set the Unix properties in a trigger.

Windows Server 2003 R2 introduced the following new attributes in User Properties window under Unix Attributes tab:

  • NIS Domain
  • UID
  • Login Shell
  • Home Directory
  • Primary group name/GID

In DRA 7.5 running on Windows Server 2003 R2, the same attributes can be added through a custom User Interface Extension by selecting the following user properties, listed in the same order as above, as per RFC 2307:

  • msSFU30NisDomain
  • uidNumber
  • LoginShell
  • unixHomeDirectory
  • gidNumber
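An added example (not from the article or from NetIQ) of the validation a trigger in the workaround above should perform before it copies values staged in a free-form attribute such as extensionattribute1 into the RFC 2307 attributes listed here; the `attr=value;attr=value` staging format, the `MIN_ID` floor, the shell allow-list and the `existing_uids` set are assumptions:

```python
import re

# LDAP attributes behind the Unix Attributes tab, as listed in the article
# (NIS Domain, UID, Login Shell, Home Directory, Primary group name/GID).
UNIX_ATTRS = {"msSFU30NisDomain", "uidNumber", "loginShell",
              "unixHomeDirectory", "gidNumber"}
# Assumed policy values (not from the article): the lowest UID/GID a delegated
# admin may assign, so 0 (root) and system ranges cannot be staged, and the
# shells a trigger may write.
MIN_ID = 1000
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin", "/usr/sbin/nologin"}
NIS_DOMAIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")
# Per-attribute validators for the string-valued attributes.
STRING_CHECKS = {
    "unixHomeDirectory": lambda v: v.startswith("/") and ".." not in v.split("/")
    and " " not in v,
    "loginShell": lambda v: v in ALLOWED_SHELLS,
    "msSFU30NisDomain": lambda v: NIS_DOMAIN_RE.match(v) is not None,
}


def parse_staged(value):
    """Parse the staged 'attr=value;attr=value' string (format is an assumption)."""
    pairs = {}
    for item in filter(None, (p.strip() for p in value.split(";"))):
        key, sep, val = item.partition("=")
        if not sep or key.strip() not in UNIX_ATTRS:
            raise ValueError("unknown or malformed entry: %r" % item)
        pairs[key.strip()] = val.strip()
    return pairs


def plan_unix_writes(staged, existing_uids):
    """Validate staged values; return the LDAP writes the trigger may apply."""
    # existing_uids: uidNumber values already in use (e.g. from an LDAP search);
    # a duplicate would let two accounts share one UNIX identity.
    attrs, writes = parse_staged(staged), {}
    for key in ("uidNumber", "gidNumber"):
        if key in attrs:
            if not attrs[key].isdigit() or int(attrs[key]) < MIN_ID:
                raise ValueError("%s must be an integer >= %d" % (key, MIN_ID))
            writes[key] = int(attrs[key])
    if writes.get("uidNumber") in existing_uids:
        raise ValueError("uidNumber %d already in use" % writes["uidNumber"])
    for key, ok in STRING_CHECKS.items():
        if key in attrs:
            if not ok(attrs[key]):
                raise ValueError("%s failed validation: %r" % (key, attrs[key]))
            writes[key] = attrs[key]
    return writes
```

The trigger would apply the returned dictionary to the real attributes only when no ValueError is raised, so a delegated administrator cannot stage a root UID, a colliding UID or an arbitrary shell through the free-form attribute.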

note

Example scripts that are provided on NetIQ's Knowledge Depot or referenced in Knowledge Base articles are offered on an "as is" basis, and are not part of the supported product set. Customers should be aware that issues that may arise from their use are not supported by NetIQ Technical Support.

Additional Information

Formerly known as NETIQKB52674