*****LDAP schema changes*****
authorGerald Carter <jerry@samba.org>
Wed, 14 May 2003 03:32:20 +0000 (03:32 +0000)
committerGerald Carter <jerry@samba.org>
Wed, 14 May 2003 03:32:20 +0000 (03:32 +0000)
New objectclass named sambaSamAccount which uses attribute
prefaced with the phrase 'samba' to prevent future name clashes.

Change in functionality of the 'ldap filter' parameter.  This always
defaults to "(uid=%u)" now and is and'd with the approriate objectclass
depending on whether you are using ldapsam_compat or ldapsam

conversion script for migrating from sambaAccount to
sambaSamAccount will come next.
(This used to be commit 998586e65271daa919e47e1206c0007454cbca66)

examples/LDAP/samba.schema
source3/lib/snprintf.c
source3/param/loadparm.c
source3/passdb/pdb_ldap.c
source3/sam/idmap_tdb.c

index 3a620b9a59beb6a761fcb2d4bf3edc8e0a32e01d..6ef89806139b45aaa2739a44cffcbe74e07dfad9 100644 (file)
 ## 1.3.6.1.4.1.7165.2.2.x - objectclasses
 ##
 
 ## 1.3.6.1.4.1.7165.2.2.x - objectclasses
 ##
 
+#######################################################################
+##                Attributes used by Samba 2.2 schema                ##
+#######################################################################
+
 ##
 ## Password hashes
 ##
 ##
 ## Password hashes
 ##
@@ -110,11 +114,104 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
+       
+#######################################################################
+##                Attributes used by Samba 3.0 schema                ##
+#######################################################################
+
+##
+## Password hashes
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
+       DESC 'LanManager Passwd'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
+       DESC 'NT Passwd'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+##
+## Account flags in string format ([UWDX     ])
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
+       DESC 'Account Flags'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+
+## 
+## Password timestamps & policies
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
+       DESC 'NT pwdLastSet'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
+       DESC 'NT pwdCanChange'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
+       DESC 'NT pwdMustChange'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+       
+attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
+       DESC 'NT logonTime'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
+       DESC 'NT logoffTime'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
+       DESC 'NT kickoffTime'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+
+##
+## string settings
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
+       DESC 'NT homeDrive'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
+       DESC 'NT scriptPath'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
+       DESC 'NT profilePath'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
+       DESC 'userWorkstations'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
+       DESC 'smbHome'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
+       DESC 'Windows NT domain to which the user belongs'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
 ##
 ## SID, of any type
 ##
 
 ##
 ## SID, of any type
 ##
 
-attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
+attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
        DESC 'Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
        DESC 'Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
@@ -124,7 +221,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
 ## Primary group SID, compatible with ntSid
 ##
 
 ## Primary group SID, compatible with ntSid
 ##
 
-attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID'
+attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
        DESC 'Primary Group Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
        DESC 'Primary Group Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
@@ -132,7 +229,7 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID'
 ##
 ## group mapping attributes
 ##
 ##
 ## group mapping attributes
 ##
-attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType'
+attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
        DESC 'NT Group Type'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
        DESC 'NT Group Type'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -141,16 +238,21 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType'
 ## Store info on the domain
 ##
 
 ## Store info on the domain
 ##
 
-attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'nextUserRid'
+attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
        DESC 'Next NT rid to give our for users'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
        DESC 'Next NT rid to give our for users'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
-attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid'
+attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
        DESC 'Next NT rid to give out for groups'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
        DESC 'Next NT rid to give out for groups'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
+
+########################################################################
+##                            HISTORICAL                              ##
+########################################################################
+
 ##
 ## The smbPasswordEntry objectclass has been depreciated in favor of the
 ## sambaAccount objectclass
 ##
 ## The smbPasswordEntry objectclass has been depreciated in favor of the
 ## sambaAccount objectclass
@@ -168,17 +270,35 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid'
 #               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
 #               description $ userWorkstations $ primaryGroupID $ domain ))
 
 #               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
 #               description $ userWorkstations $ primaryGroupID $ domain ))
 
+########################################################################
+##                        END OF HISTORICAL                           ##
+########################################################################
+
 ## The X.500 data model (and therefore LDAPv3) says that each entry can 
 ## only have one structural objectclass.  OpenLDAP 2.0 does not enforce 
 ## this currently but will in v2.1
 
 objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
        DESC 'Samba Auxilary Account'
 ## The X.500 data model (and therefore LDAPv3) says that each entry can 
 ## only have one structural objectclass.  OpenLDAP 2.0 does not enforce 
 ## this currently but will in v2.1
 
 objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
        DESC 'Samba Auxilary Account'
-       MUST ( uid $ ntSid ) 
+       MUST ( uid $ rid ) 
        MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
                logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 
                displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
        MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
                logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 
                displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
-               description $ userWorkstations $ primaryGroupSID $ domain ))
+               description $ userWorkstations $ primaryGroupID $ domain ))
+
+##
+## added new objectclass (and OID) for 3.0 to help us deal with backwards 
+## compatibility with 2.2 installations (e.g. ldapsam_compat)  --jerry
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
+       DESC 'Samba 3.0 Auxilary Account'
+       MUST ( uid $ sambaSID ) 
+       MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ 
+              sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ 
+              sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ 
+               displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ 
+              sambaProfilePath $ description $ sambaUserWorkstations $ 
+              sambaPrimaryGroupSID $ sambaDomainName ))
 
 ############################################################################
 ##
 
 ############################################################################
 ##
@@ -187,30 +307,19 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 ##
 ############################################################################
 
 ##
 ############################################################################
 
-##
-## Whole-of-domain info
-##
-
-objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
-       DESC 'Samba Domain Information'
-       MUST ( domain $ nextGroupRid $ nextUserRid $ ntSid)) 
-
 ##
 ## Group mapping info
 ##
 objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
        DESC 'Samba Group Mapping'
 ##
 ## Group mapping info
 ##
 objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
        DESC 'Samba Group Mapping'
-       MUST ( gidNumber $ ntSid $ ntGroupType ) 
-       MAY  ( displayName $ description ))
+       MUST ( gidNumber $ sambaSID $ sambaGroupType ) 
+       MAY  ( displayName $ description $ cn ))
 
 ##
 
 ##
-## Used for Winbind experimentation
+## Whole-of-domain info
 ##
 ##
-#objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY
-#      DESC 'Pool for allocating UNIX uids'
-#      MUST ( uidNumber ) )
-
-#objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY
-#      DESC 'Pool for allocating UNIX gids'
-#      MUST ( gidNumber ) )
+objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
+       DESC 'Samba Domain Information'
+       MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ 
+              sambaSID ) ) 
 
 
index 062521e726ca63f35cfec4fea8deec52eeefad89..9b9ceb60cacf62702eebd52454406ca43bb838dc 100644 (file)
@@ -665,7 +665,7 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
        int padlen = 0; /* amount to pad */
        int zpadlen = 0; 
        int caps = 0;
        int padlen = 0; /* amount to pad */
        int zpadlen = 0; 
        int caps = 0;
-       int index;
+       int idx;
        double intpart;
        double fracpart;
        double temp;
        double intpart;
        double fracpart;
        double temp;
@@ -724,11 +724,11 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
        do {
                temp = intpart*0.1;
                my_modf(temp, &intpart);
        do {
                temp = intpart*0.1;
                my_modf(temp, &intpart);
-               index = (int) ((temp -intpart +0.05)* 10.0);
-               /* index = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
-               /* printf ("%llf, %f, %x\n", temp, intpart, index); */
+               idx = (int) ((temp -intpart +0.05)* 10.0);
+               /* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
+               /* printf ("%llf, %f, %x\n", temp, intpart, idx); */
                iconvert[iplace++] =
                iconvert[iplace++] =
-                       (caps? "0123456789ABCDEF":"0123456789abcdef")[index];
+                       (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
        } while (intpart && (iplace < 311));
        if (iplace == 311) iplace--;
        iconvert[iplace] = 0;
        } while (intpart && (iplace < 311));
        if (iplace == 311) iplace--;
        iconvert[iplace] = 0;
@@ -739,11 +739,11 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
                do {
                        temp = fracpart*0.1;
                        my_modf(temp, &fracpart);
                do {
                        temp = fracpart*0.1;
                        my_modf(temp, &fracpart);
-                       index = (int) ((temp -fracpart +0.05)* 10.0);
-                       /* index = (int) ((((temp/10) -fracpart) +0.05) *10); */
-                       /* printf ("%lf, %lf, %ld\n", temp, fracpart, index); */
+                       idx = (int) ((temp -fracpart +0.05)* 10.0);
+                       /* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
+                       /* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
                        fconvert[fplace++] =
                        fconvert[fplace++] =
-                       (caps? "0123456789ABCDEF":"0123456789abcdef")[index];
+                       (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
                } while(fracpart && (fplace < 311));
                if (fplace == 311) fplace--;
        }
                } while(fracpart && (fplace < 311));
                if (fplace == 311) fplace--;
        }
index 5740ce1b70b8cc1f335e545ff3e6e891259ed3c8..420a15c4dfa2e4cb1bf3dd2b9c14aa51210b1618 100644 (file)
@@ -1416,10 +1416,10 @@ static void init_globals(void)
 #endif /* WITH_LDAP_SAMCONFIG */
 
        string_set(&Globals.szLdapSuffix, "");
 #endif /* WITH_LDAP_SAMCONFIG */
 
        string_set(&Globals.szLdapSuffix, "");
+       string_set(&Globals.szLdapFilter, "(uid=%u)");
        string_set(&Globals.szLdapMachineSuffix, "");
        string_set(&Globals.szLdapUserSuffix, "");
 
        string_set(&Globals.szLdapMachineSuffix, "");
        string_set(&Globals.szLdapUserSuffix, "");
 
-       string_set(&Globals.szLdapFilter, "(&(uid=%u)(objectclass=sambaAccount))");
        string_set(&Globals.szLdapAdminDn, "");
        Globals.ldap_ssl = LDAP_SSL_ON;
        Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
        string_set(&Globals.szLdapAdminDn, "");
        Globals.ldap_ssl = LDAP_SSL_ON;
        Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
index b044850948449f510113ed8b378c44bc44b3b967..5dbf10c5b9d7c9faf0b6742dfff3bd86b9d0cfd9 100644 (file)
@@ -1,8 +1,8 @@
 /* 
 /* 
-   Unix SMB/CIFS implementation.
+   Unix SMB/CIFS mplementation.
    LDAP protocol helper functions for SAMBA
    Copyright (C) Jean Fran├žois Micouleau       1998
    LDAP protocol helper functions for SAMBA
    Copyright (C) Jean Fran├žois Micouleau       1998
-   Copyright (C) Gerald Carter                 2001
+   Copyright (C) Gerald Carter                 2001-2003
    Copyright (C) Shahms King                   2001
    Copyright (C) Andrew Bartlett               2002
    Copyright (C) Stefan (metze) Metzmacher     2002
    Copyright (C) Shahms King                   2001
    Copyright (C) Andrew Bartlett               2002
    Copyright (C) Stefan (metze) Metzmacher     2002
    
 */
 
    
 */
 
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
 /* TODO:
 *  persistent connections: if using NSS LDAP, many connections are made
 *      however, using only one within Samba would be nice
 /* TODO:
 *  persistent connections: if using NSS LDAP, many connections are made
 *      however, using only one within Samba would be nice
 *  and/or winbind
 */
 
 *  and/or winbind
 */
 
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
 #include <lber.h>
 #include <ldap.h>
 
 #include <lber.h>
 #include <ldap.h>
 
@@ -73,7 +73,7 @@ struct ldapsam_privates {
        DOM_SID domain_sid;
        
        /* configuration items */
        DOM_SID domain_sid;
        
        /* configuration items */
-       BOOL use_ntsid;
+       int schema_ver;
 
        BOOL permit_non_unix_accounts;
        
 
        BOOL permit_non_unix_accounts;
        
@@ -93,6 +93,257 @@ struct ldapsam_privates {
 
 static struct ldapsam_privates *static_ldap_state;
 
 
 static struct ldapsam_privates *static_ldap_state;
 
+/* specify schema versions between 2.2. and 3.0 */
+
+#define SCHEMAVER_SAMBAACCOUNT         1
+#define SCHEMAVER_SAMBASAMACCOUNT      2
+
+/* objectclass names */
+
+#define LDAP_OBJ_SAMBASAMACCOUNT       "sambaSamAccount"
+#define LDAP_OBJ_SAMBAACCOUNT          "sambaAccount"
+#define LDAP_OBJ_GROUPMAP              "sambaGroupMapping"
+#define LDAP_OBJ_DOMINFO               "sambaDomain"
+
+#define LDAP_OBJ_ACCOUNT               "account"
+#define LDAP_OBJ_POSIXACCOUNT          "posixAccount"
+
+/* some generic attributes that get reused a lot */
+
+#define LDAP_ATTRIBUTE_SID             "sambaSID"
+
+/* attribute map table indexes */
+
+#define LDAP_ATTR_LIST_END             0
+#define LDAP_ATTR_UID                  1
+#define LDAP_ATTR_UIDNUMBER            2
+#define LDAP_ATTR_GIDNUMBER            3
+#define LDAP_ATTR_UNIX_HOME            4
+#define LDAP_ATTR_PWD_LAST_SET         5
+#define LDAP_ATTR_PWD_CAN_CHANGE       6
+#define LDAP_ATTR_PWD_MUST_CHANGE      7
+#define LDAP_ATTR_LOGON_TIME           8
+#define LDAP_ATTR_LOGOFF_TIME          9
+#define LDAP_ATTR_KICKOFF_TIME         10
+#define LDAP_ATTR_CN                   11
+#define LDAP_ATTR_DISPLAY_NAME         12
+#define LDAP_ATTR_HOME_PATH            13
+#define LDAP_ATTR_LOGON_SCRIPT         14
+#define LDAP_ATTR_PROFILE_PATH         15
+#define LDAP_ATTR_DESC                 16
+#define LDAP_ATTR_USER_WKS             17
+#define LDAP_ATTR_USER_SID             18
+#define LDAP_ATTR_USER_RID             18
+#define LDAP_ATTR_PRIMARY_GROUP_SID    19
+#define LDAP_ATTR_PRIMARY_GROUP_RID    20
+#define LDAP_ATTR_LMPW                 21
+#define LDAP_ATTR_NTPW                 22
+#define LDAP_ATTR_DOMAIN               23
+#define LDAP_ATTR_OBJCLASS             24
+#define LDAP_ATTR_ACB_INFO             25
+#define LDAP_ATTR_NEXT_USERRID         26
+#define LDAP_ATTR_NEXT_GROUPRID                27
+#define LDAP_ATTR_DOM_SID              28
+#define LDAP_ATTR_HOME_DRIVE           29
+#define LDAP_ATTR_GROUP_SID            30
+#define LDAP_ATTR_GROUP_TYPE           31
+
+
+typedef struct _attrib_map_entry {
+       int             attrib;
+       const char      *name;
+} ATTRIB_MAP_ENTRY;
+
+
+/* attributes used by Samba 2.2 */
+
+static ATTRIB_MAP_ENTRY attrib_map_v22[] = {
+       { LDAP_ATTR_UID,                "uid"           },
+       { LDAP_ATTR_UIDNUMBER,          "uidNumber"     },
+       { LDAP_ATTR_GIDNUMBER,          "gidNumber"     },
+       { LDAP_ATTR_UNIX_HOME,          "homeDirectory" },
+       { LDAP_ATTR_PWD_LAST_SET,       "pwdLastSet"    },
+       { LDAP_ATTR_PWD_CAN_CHANGE,     "pwdCanChange"  },
+       { LDAP_ATTR_PWD_MUST_CHANGE,    "pwdMustChange" },
+       { LDAP_ATTR_LOGON_TIME,         "logonTime"     },
+       { LDAP_ATTR_LOGOFF_TIME,        "logoffTime"    },
+       { LDAP_ATTR_KICKOFF_TIME,       "kickoffTime"   },
+       { LDAP_ATTR_CN,                 "cn"            },
+       { LDAP_ATTR_DISPLAY_NAME,       "displayName"   },
+       { LDAP_ATTR_HOME_PATH,          "smbHome"       },
+       { LDAP_ATTR_HOME_DRIVE,         "homeDrives"    },
+       { LDAP_ATTR_LOGON_SCRIPT,       "scriptPath"    },
+       { LDAP_ATTR_PROFILE_PATH,       "profilePath"   },
+       { LDAP_ATTR_DESC,               "description"   },
+       { LDAP_ATTR_USER_WKS,           "userWorkstations"},
+       { LDAP_ATTR_USER_RID,           "rid"           },
+       { LDAP_ATTR_PRIMARY_GROUP_RID,  "primaryGroupID"},
+       { LDAP_ATTR_LMPW,               "lmPassword"    },
+       { LDAP_ATTR_NTPW,               "ntPassword"    },
+       { LDAP_ATTR_DOMAIN,             "domain"        },
+       { LDAP_ATTR_OBJCLASS,           "objectClass"   },
+       { LDAP_ATTR_ACB_INFO,           "acctFlags"     },
+       { LDAP_ATTR_LIST_END,           NULL            }
+};
+
+/* attributes used by Samba 3.0's sambaSamAccount */
+
+static ATTRIB_MAP_ENTRY attrib_map_v30[] = {
+       { LDAP_ATTR_UID,                "uid"                   },
+       { LDAP_ATTR_UIDNUMBER,          "uidNumber"             },
+       { LDAP_ATTR_GIDNUMBER,          "gidNumber"             },
+       { LDAP_ATTR_UNIX_HOME,          "homeDirectory"         },
+       { LDAP_ATTR_PWD_LAST_SET,       "sambaPwdLastSet"       },
+       { LDAP_ATTR_PWD_CAN_CHANGE,     "sambaPwdCanChange"     },
+       { LDAP_ATTR_PWD_MUST_CHANGE,    "sambaPwdMustChange"    },
+       { LDAP_ATTR_LOGON_TIME,         "sambaLogonTime"        },
+       { LDAP_ATTR_LOGOFF_TIME,        "sambaLogoffTime"       },
+       { LDAP_ATTR_KICKOFF_TIME,       "sambaKickoffTime"      },
+       { LDAP_ATTR_CN,                 "cn"                    },
+       { LDAP_ATTR_DISPLAY_NAME,       "displayName"           },
+       { LDAP_ATTR_HOME_DRIVE,         "sambaHoneDrive"        },
+       { LDAP_ATTR_HOME_PATH,          "sambaHomePath"         },
+       { LDAP_ATTR_LOGON_SCRIPT,       "sambaLogonScript"      },
+       { LDAP_ATTR_PROFILE_PATH,       "sambaProfilePath"      },
+       { LDAP_ATTR_DESC,               "description"           },
+       { LDAP_ATTR_USER_WKS,           "sambaUserWorkstations" },
+       { LDAP_ATTR_USER_SID,           "sambaSID"              },
+       { LDAP_ATTR_PRIMARY_GROUP_SID,  "sambaPrimaryGroupSID"  },
+       { LDAP_ATTR_LMPW,               "sambaLMPassword"       },
+       { LDAP_ATTR_NTPW,               "sambaNTPassword"       },
+       { LDAP_ATTR_DOMAIN,             "sambaDomainName"       },
+       { LDAP_ATTR_OBJCLASS,           "objectClass"           },
+       { LDAP_ATTR_ACB_INFO,           "sambaAcctFlags"        },
+       { LDAP_ATTR_LIST_END,           NULL                    }
+};
+
+/* attributes used for alalocating RIDs */
+
+static ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
+       { LDAP_ATTR_DOMAIN,             "sambaDomainName"       },
+       { LDAP_ATTR_NEXT_USERRID,       "sambaNextUserRid"      },
+       { LDAP_ATTR_NEXT_GROUPRID,      "sambaNextGroupRid"     },
+       { LDAP_ATTR_DOM_SID,            "sambaSID"              },
+       { LDAP_ATTR_LIST_END,           NULL                    },
+};
+
+/* Samba 3.0 group mapping attributes */
+
+static ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
+       { LDAP_ATTR_GIDNUMBER,          "gidNumber"             },
+       { LDAP_ATTR_GROUP_SID,          "sambaSID"              },
+       { LDAP_ATTR_GROUP_TYPE,         "sambaGroupType"        },
+       { LDAP_ATTR_DESC,               "description"           },
+       { LDAP_ATTR_DISPLAY_NAME,       "displayName"           },
+       { LDAP_ATTR_CN,                 "cn"                    },
+       { LDAP_ATTR_LIST_END,           NULL                    }       
+};
+
+/**********************************************************************
+ perform a simple table lookup and return the attribute name 
+ **********************************************************************/
+static const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
+{
+       int i = 0;
+       
+       while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
+               if ( table[i].attrib == key )
+                       return table[i].name;
+               i++;
+       }
+       
+       return NULL;
+}
+
+/**********************************************************************
+ get the attribute name given a user schame version 
+ **********************************************************************/
+static const char* get_userattr_key2string( int schema_ver, int key )
+{
+       switch ( schema_ver )
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       return get_attr_key2string( attrib_map_v22, key );
+                       
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       return get_attr_key2string( attrib_map_v30, key );
+                       
+               default:
+                       DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
+                       break;
+       }
+       return NULL;
+}
+
+/**********************************************************************
+ Return the list of attribute names from a mapping table
+ **********************************************************************/
+
+static char** get_attr_list( ATTRIB_MAP_ENTRY table[] )
+{
+       char **names;
+       int i = 0;
+       
+       while ( table[i].attrib != LDAP_ATTR_LIST_END )
+               i++;
+       i++;
+
+       names = (char**)malloc( sizeof(char*)*i );
+       if ( !names ) {
+               DEBUG(0,("get_attr_list: out of memory\n"));
+               return NULL;
+       }
+
+       i = 0;
+       while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
+               names[i] = strdup( table[i].name );
+               i++;
+       }
+       names[i] = NULL;
+       
+       return names;
+}
+
+/*********************************************************************
+ Cleanup 
+ ********************************************************************/
+
+static void free_attr_list( char **list )
+{
+       int i = 0;
+
+       if ( !list )
+               return; 
+
+       while ( list[i] )
+               SAFE_FREE( list[i] );
+
+       SAFE_FREE( list );
+}
+
+/**********************************************************************
+ return the list of attribute names given a user schema version 
+ **********************************************************************/
+
+static char** get_userattr_list( int schema_ver )
+{
+       switch ( schema_ver ) 
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       return get_attr_list( attrib_map_v22 );
+                       
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       return get_attr_list( attrib_map_v30 );
+               default:
+                       DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
+                       break;
+       }
+       
+       return NULL;
+}
+
 /*******************************************************************
  find the ldap password
 ******************************************************************/
 /*******************************************************************
  find the ldap password
 ******************************************************************/
@@ -156,23 +407,7 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
        
        return True;
 }
        
        return True;
 }
-
-static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
-                            "logoffTime", "kickoffTime", "cn",
-                            "pwdCanChange", "pwdMustChange",
-                            "displayName", "homeDrive",
-                            "smbHome", "scriptPath",
-                            "profilePath", "description",
-                            "userWorkstations", "rid", "ntSid",
-                            "primaryGroupID", "lmPassword",
-                            "ntPassword", "acctFlags",
-                            "domain", "objectClass", 
-                            "uidNumber", "gidNumber", 
-                            "homeDirectory", NULL };
-
-static const char *domain_info_attrs[] = {"domain", "nextUserRid", 
-                                         "nextGroupRid", "ntSid", NULL };
-
+                            
 /*******************************************************************
  open a connection to the ldap server.
 ******************************************************************/
 /*******************************************************************
  open a connection to the ldap server.
 ******************************************************************/
@@ -542,9 +777,12 @@ static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts
 }
 
 
 }
 
 
+/*********************************************************************
+ ********************************************************************/
+
 static int ldapsam_search(struct ldapsam_privates *ldap_state, 
                          const char *base, int scope, const char *filter, 
 static int ldapsam_search(struct ldapsam_privates *ldap_state, 
                          const char *base, int scope, const char *filter, 
-                         const char *attrs[], int attrsonly, 
+                         char *attrs[], int attrsonly, 
                          LDAPMessage **res)
 {
        int             rc = LDAP_SERVER_DOWN;
                          LDAPMessage **res)
 {
        int             rc = LDAP_SERVER_DOWN;
@@ -563,7 +801,7 @@ static int ldapsam_search(struct ldapsam_privates *ldap_state,
                        continue;
                
                rc = ldap_search_s(ldap_state->ldap_struct, base, scope, 
                        continue;
                
                rc = ldap_search_s(ldap_state->ldap_struct, base, scope, 
-                                  utf8_filter, (char **)attrs, attrsonly, res);
+                                  utf8_filter, attrs, attrsonly, res);
        }
        
        if (rc == LDAP_SERVER_DOWN) {
        }
        
        if (rc == LDAP_SERVER_DOWN) {
@@ -691,14 +929,15 @@ static int ldapsam_extended_operation(struct ldapsam_privates *ldap_state, LDAP_
 /*******************************************************************
  run the search by name.
 ******************************************************************/
 /*******************************************************************
  run the search by name.
 ******************************************************************/
-static int ldapsam_search_suffix (struct ldapsam_privates *ldap_state, const char *filter, const char **search_attr, LDAPMessage ** result)
+static int ldapsam_search_suffix (struct ldapsam_privates *ldap_state, const char *filter, 
+                               char **search_attr, LDAPMessage ** result)
 {
        int scope = LDAP_SCOPE_SUBTREE;
        int rc;
 
        DEBUG(2, ("ldapsam_search_suffix: searching for:[%s]\n", filter));
 
 {
        int scope = LDAP_SCOPE_SUBTREE;
        int rc;
 
        DEBUG(2, ("ldapsam_search_suffix: searching for:[%s]\n", filter));
 
-       rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, filter, search_attr, 0, result);
+       rc = ldapsam_search(ldap_state, lp_ldap_suffix(), scope, filter, search_attr, 0, result);
 
        if (rc != LDAP_SUCCESS) {
                char *ld_error = NULL;
 
        if (rc != LDAP_SUCCESS) {
                char *ld_error = NULL;
@@ -714,11 +953,36 @@ static int ldapsam_search_suffix (struct ldapsam_privates *ldap_state, const cha
        return rc;
 }
 
        return rc;
 }
 
+/*******************************************************************
+ generate the LDAP search filter for the objectclass based on the 
+ version of the schema we are using 
+ ******************************************************************/
+
+static const char* get_objclass_filter( int schema_ver )
+{
+       static fstring objclass_filter;
+       
+       switch( schema_ver ) 
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
+                       break;
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
+                       break;
+               default:
+                       DEBUG(0,("ldapsam_search_suffix_by_name(): Invalid schema version specified!\n"));
+                       break;
+       }
+       
+       return objclass_filter; 
+}
+
 /*******************************************************************
  run the search by name.
 ******************************************************************/
 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, const char *user,
 /*******************************************************************
  run the search by name.
 ******************************************************************/
 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, const char *user,
-                            LDAPMessage ** result)
+                            LDAPMessage ** result, char **attr)
 {
        pstring filter;
        char *escape_user = escape_ldap_string_alloc(user);
 {
        pstring filter;
        char *escape_user = escape_ldap_string_alloc(user);
@@ -731,7 +995,8 @@ static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, c
         * in the filter expression, replace %u with the real name
         * so in ldap filter, %u MUST exist :-)
         */
         * in the filter expression, replace %u with the real name
         * so in ldap filter, %u MUST exist :-)
         */
-       pstrcpy(filter, lp_ldap_filter());
+       snprintf(filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(), 
+               get_objclass_filter(ldap_state->schema_ver));
 
        /* 
         * have to use this here because $ is filtered out
 
        /* 
         * have to use this here because $ is filtered out
@@ -749,15 +1014,17 @@ static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, c
  run the search by rid.
 ******************************************************************/
 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state, 
  run the search by rid.
 ******************************************************************/
 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state, 
-                                          uint32 rid,
-                                          LDAPMessage ** result)
+                                       uint32 rid, LDAPMessage ** result, 
+                                       char **attr)
 {
        pstring filter;
        int rc;
 
 {
        pstring filter;
        int rc;
 
-       /* check if the user rid exsists, if not, try searching on the uid */
+       /* check if the user rid exists, if not, try searching on the uid */
+
+       snprintf(filter, sizeof(filter)-1, "(&(rid=%i)%s)", rid, 
+               get_objclass_filter(ldap_state->schema_ver));
        
        
-       snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
        rc = ldapsam_search_suffix(ldap_state, filter, attr, result);
        
        return rc;
        rc = ldapsam_search_suffix(ldap_state, filter, attr, result);
        
        return rc;
@@ -767,8 +1034,8 @@ static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
  run the search by SID.
 ******************************************************************/
 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state, 
  run the search by SID.
 ******************************************************************/
 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state, 
-                                          const DOM_SID *sid,
-                                          LDAPMessage ** result)
+                                       const DOM_SID *sid, LDAPMessage ** result, 
+                                       char **attr)
 {
        pstring filter;
        int rc;
 {
        pstring filter;
        int rc;
@@ -776,7 +1043,11 @@ static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
 
        /* check if the user rid exsists, if not, try searching on the uid */
 
 
        /* check if the user rid exsists, if not, try searching on the uid */
 
-       snprintf(filter, sizeof(filter) - 1, "ntSid=%s", sid_to_string(sid_string, sid));
+       snprintf(filter, sizeof(filter)-1, "(&(%s=%s)%s)", 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
+               sid_to_string(sid_string, sid), 
+               get_objclass_filter(ldap_state->schema_ver));
+               
        rc = ldapsam_search_suffix(ldap_state, filter, attr, result);
        
        return rc;
        rc = ldapsam_search_suffix(ldap_state, filter, attr, result);
        
        return rc;
@@ -789,6 +1060,10 @@ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
                                  const char *attribute, pstring value)
 {
        char **values;
                                  const char *attribute, pstring value)
 {
        char **values;
+       
+       if ( !attribute )
+               return False;
+               
        value[0] = '\0';
 
        if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
        value[0] = '\0';
 
        if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
@@ -797,9 +1072,7 @@ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
                return False;
        }
        
                return False;
        }
        
-       if (convert_string(CH_UTF8, CH_UNIX,
-               values[0], -1,
-               value, sizeof(pstring)) == (size_t)-1)
+       if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, sizeof(pstring)) == (size_t)-1)
        {
                DEBUG(1, ("get_single_attribute: string conversion of [%s] = [%s] failed!\n", 
                          attribute, values[0]));
        {
                DEBUG(1, ("get_single_attribute: string conversion of [%s] = [%s] failed!\n", 
                          attribute, values[0]));
@@ -827,11 +1100,12 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
 
        mods = *modlist;
 
 
        mods = *modlist;
 
-       if (attribute == NULL || *attribute == '\0')
-               return;
+       /* sanity checks on the mod values */
 
 
-#if 0
-       /* Why do we need this??? -- vl */
+       if (attribute == NULL || *attribute == '\0')
+               return; 
+#if 0  /* commented out after discussion with abartlet.  Do not reenable.
+          left here so other so re-add similar code   --jerry */
                if (value == NULL || *value == '\0')
                return;
 #endif
                if (value == NULL || *value == '\0')
                return;
 #endif
@@ -956,7 +1230,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
                                     LDAPMessage *result,
                                     const char *objectclass,
 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
                                     LDAPMessage *result,
                                     const char *objectclass,
-                                    const char **attrs)
+                                    char **attrs)
 {
        int rc;
        LDAPMessage *entry;
 {
        int rc;
        LDAPMessage *entry;
@@ -987,17 +1261,18 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
        }
 
        /* Ok, delete only the SAM attributes */
        }
 
        /* Ok, delete only the SAM attributes */
-
+       
        for (name = ldap_first_attribute(ldap_state->ldap_struct, entry, &ptr);
             name != NULL;
        for (name = ldap_first_attribute(ldap_state->ldap_struct, entry, &ptr);
             name != NULL;
-            name = ldap_next_attribute(ldap_state->ldap_struct, entry, ptr)) {
-
-               const char **attrib;
+            name = ldap_next_attribute(ldap_state->ldap_struct, entry, ptr)) 
+       {
+               char **attrib;
 
                /* We are only allowed to delete the attributes that
                   really exist. */
 
 
                /* We are only allowed to delete the attributes that
                   really exist. */
 
-               for (attrib = attrs; *attrib != NULL; attrib++) {
+               for (attrib = attrs; *attrib != NULL; attrib++) 
+               {
                        if (StrCaseCmp(*attrib, name) == 0) {
                                DEBUG(10, ("deleting attribute %s\n", name));
                                make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL);
                        if (StrCaseCmp(*attrib, name) == 0) {
                                DEBUG(10, ("deleting attribute %s\n", name));
                                make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL);
@@ -1006,7 +1281,7 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
 
                ldap_memfree(name);
        }
 
                ldap_memfree(name);
        }
-
+       
        if (ptr != NULL) {
                ber_free(ptr, 0);
        }
        if (ptr != NULL) {
                ber_free(ptr, 0);
        }
@@ -1040,15 +1315,19 @@ static int ldapsam_search_domain_info(struct ldapsam_privates *ldap_state,
 {
        pstring filter;
        int rc;
 {
        pstring filter;
        int rc;
+       char **attr_list;
 
 
-       slprintf(filter, sizeof(filter)-1,
-                "(&(objectClass=sambaDomain)(domain=%s))",
-                ldap_state->domain_name);
+       snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
+               LDAP_OBJ_DOMINFO,
+               get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
+               ldap_state->domain_name);
 
        DEBUG(2, ("Searching for:[%s]\n", filter));
 
 
        DEBUG(2, ("Searching for:[%s]\n", filter));
 
-       rc = ldapsam_search_suffix(ldap_state, filter,
-                                  domain_info_attrs, result);
+
+       attr_list = get_attr_list( dominfo_attr_list );
+       rc = ldapsam_search_suffix(ldap_state, filter, attr_list , result);
+       free_attr_list( attr_list );
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(2,("Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(2,("Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
@@ -1071,8 +1350,9 @@ static uint32 entry_to_rid(struct ldapsam_privates *ldap_state, LDAPMessage *ent
        DOM_SID dom_sid;
        uint32 rid;
 
        DOM_SID dom_sid;
        uint32 rid;
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "ntSid",
-                                 sid_string)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               LDAP_ATTRIBUTE_SID, sid_string)) 
+       {
                return 0;
        }
        
                return 0;
        }
        
@@ -1120,13 +1400,14 @@ static uint32 search_next_allocated_rid(struct ldapsam_privates *ldap_state, int
        uint32 next_rid;
        uint32 count;
        uint32 rid;
        uint32 next_rid;
        uint32 count;
        uint32 rid;
-       const char *sid_attr[] = {"ntSid", NULL};
-       const char *filter = "(ntSid=*)";
+       char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL};
+       fstring filter;
+       
+       snprintf( filter, sizeof(filter)-1, "(%s=*)", LDAP_ATTRIBUTE_SID );
 
        DEBUG(2, ("search_top_allocated_rid: searching for:[%s]\n", filter));
 
 
        DEBUG(2, ("search_top_allocated_rid: searching for:[%s]\n", filter));
 
-       rc = ldapsam_search_suffix(ldap_state, filter, 
-                                  sid_attr, &result);
+       rc = ldapsam_search_suffix(ldap_state, filter, sid_attr, &result);
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
@@ -1199,9 +1480,9 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
        int rc;
        int ldap_op;
        LDAPMessage *result = NULL;
        int rc;
        int ldap_op;
        LDAPMessage *result = NULL;
-       LDAPMessage *entry  = NULL;
        char *dn = NULL;
        int num_result;
        char *dn = NULL;
        int num_result;
+       char **attr_list;
 
        uint32 next_allocated_user_rid;
        uint32 next_allocated_group_rid;
 
        uint32 next_allocated_user_rid;
        uint32 next_allocated_group_rid;
@@ -1216,8 +1497,14 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
                return NT_STATUS_UNSUCCESSFUL;
        }
 
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       slprintf (filter, sizeof (filter) - 1, "domain=%s", ldap_state->domain_name);
-       rc = ldapsam_search_suffix(ldap_state, filter, domain_info_attrs, &result);
+       slprintf (filter, sizeof (filter) - 1, "(&(%s=%s)(objectclass=%s))", 
+               get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
+               ldap_state->domain_name, LDAP_OBJ_DOMINFO);
+
+       attr_list = get_attr_list( dominfo_attr_list );
+       rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &result);
+       free_attr_list( attr_list );
+
        if (rc != LDAP_SUCCESS) {
                return NT_STATUS_UNSUCCESSFUL;
        }
        if (rc != LDAP_SUCCESS) {
                return NT_STATUS_UNSUCCESSFUL;
        }
@@ -1230,43 +1517,32 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
                return NT_STATUS_UNSUCCESSFUL;
        }
        
                return NT_STATUS_UNSUCCESSFUL;
        }
        
-       /* Check if we need to update an existing entry */
-       if (num_result == 1) {
-               char *tmp_dn;
-               
-               DEBUG(3,("Domain exists without samba properties: adding them\n"));
-               ldap_op = LDAP_MOD_REPLACE;
-               entry = ldap_first_entry (ldap_state->ldap_struct, result);
-               tmp_dn = ldap_get_dn (ldap_state->ldap_struct, entry);
-               asprintf (&dn, "%s", tmp_dn);
-               ldap_memfree (tmp_dn);
-       } else {
-               /* Check if we need to add an entry */
-               DEBUG(3,("Adding new domain\n"));
-               ldap_op = LDAP_MOD_ADD;
-               asprintf (&dn, "domain=%s,%s", ldap_state->domain_name, lp_ldap_suffix ());
-       }
+       /* Check if we need to add an entry */
+       DEBUG(3,("Adding new domain\n"));
+       ldap_op = LDAP_MOD_ADD;
+       asprintf (&dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+               ldap_state->domain_name, lp_ldap_suffix());
 
        /* Free original search */
        ldap_msgfree(result);
 
 
        /* Free original search */
        ldap_msgfree(result);
 
-       if (!dn) {
+       if (!dn)
                return NT_STATUS_NO_MEMORY;
                return NT_STATUS_NO_MEMORY;
-       }
 
        /* make the changes - the entry *must* not already have samba attributes */
 
        /* make the changes - the entry *must* not already have samba attributes */
-       make_a_mod(&mods, LDAP_MOD_ADD, "domain", ldap_state->domain_name);
+       make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
+               ldap_state->domain_name);
 
        sid_to_string(tmp, &ldap_state->domain_sid);
 
        sid_to_string(tmp, &ldap_state->domain_sid);
-       make_a_mod(&mods, LDAP_MOD_ADD, "ntSid", tmp);
+       make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), tmp);
 
        snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_user_rid);
 
        snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_user_rid);
-       make_a_mod(&mods, LDAP_MOD_ADD, "nextUserRid", tmp);
+       make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), tmp);
 
        snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_group_rid);
 
        snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_group_rid);
-       make_a_mod(&mods, LDAP_MOD_ADD, "nextGroupRid", tmp);
+       make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), tmp);
 
 
-       make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaDomain");
+       make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
 
        switch(ldap_op)
        {
 
        switch(ldap_op)
        {
@@ -1308,14 +1584,14 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
 static BOOL sid_in_use(struct ldapsam_privates *ldap_state, 
                       const DOM_SID *sid, int *error) 
 {
 static BOOL sid_in_use(struct ldapsam_privates *ldap_state, 
                       const DOM_SID *sid, int *error) 
 {
-       pstring filter;
+       fstring filter;
        fstring sid_string;
        LDAPMessage *result = NULL;
        int count;
        int rc;
        fstring sid_string;
        LDAPMessage *result = NULL;
        int count;
        int rc;
-       const char *sid_attr[] = {"ntSid", NULL};
+       char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL};
 
 
-       slprintf(filter, sizeof(filter)-1, "(ntSid=%s)", sid_to_string(sid_string, sid));
+       slprintf(filter, sizeof(filter)-1, "(%s=%s)", LDAP_ATTRIBUTE_SID, sid_to_string(sid_string, sid));
 
        rc = ldapsam_search_suffix(ldap_state, filter, sid_attr, &result);
 
 
        rc = ldapsam_search_suffix(ldap_state, filter, sid_attr, &result);
 
@@ -1363,12 +1639,14 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri
        uint32 next_rid;
        int attempts = 0;
 
        uint32 next_rid;
        int attempts = 0;
 
-       if (!ldap_state->use_ntsid) {
-               DEBUG(0, ("Allocated RIDs require 'ldap use ntSid' to be set in smb.conf\n"));
+       if ( ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT ) {
+               DEBUG(0, ("Allocated RIDs require the %s objectclass used by 'ldapsam'\n", 
+                       LDAP_OBJ_SAMBASAMACCOUNT));
                return NT_STATUS_UNSUCCESSFUL;
        }
        
                return NT_STATUS_UNSUCCESSFUL;
        }
        
-       while (attempts < 10) {
+       while (attempts < 10) 
+       {
                char *ld_error;
                if (ldapsam_search_domain_info(ldap_state, &result)) {
                        return ret;
                char *ld_error;
                if (ldapsam_search_domain_info(ldap_state, &result)) {
                        return ret;
@@ -1445,7 +1723,9 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri
 
                        /* Try to make the modification atomically by enforcing the
                           old value in the delete mod. */
 
                        /* Try to make the modification atomically by enforcing the
                           old value in the delete mod. */
-                       make_ldap_mod(ldap_state->ldap_struct, entry, &mods, "nextUserRid", next_rid_string);
+                       make_ldap_mod(ldap_state->ldap_struct, entry, &mods, 
+                               get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), 
+                               next_rid_string);
                        break;
 
                case GROUP_RID_TYPE:
                        break;
 
                case GROUP_RID_TYPE:
@@ -1455,7 +1735,9 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri
 
                        /* Try to make the modification atomically by enforcing the
                           old value in the delete mod. */
 
                        /* Try to make the modification atomically by enforcing the
                           old value in the delete mod. */
-                       make_ldap_mod(ldap_state->ldap_struct, entry, &mods, "nextGroupRid", next_rid_string);
+                       make_ldap_mod(ldap_state->ldap_struct, entry, &mods,
+                               get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
+                               next_rid_string);
                        break;
                }
 
                        break;
                }
 
@@ -1465,8 +1747,10 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri
                        pstring domain_sid_string;
                        int error = 0;
 
                        pstring domain_sid_string;
                        int error = 0;
 
-                       if (!get_single_attribute(ldap_state->ldap_struct, result, "ntSid",
-                                                 domain_sid_string)) {
+                       if (!get_single_attribute(ldap_state->ldap_struct, result,
+                               get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID),
+                               domain_sid_string)) 
+                       {
                                ldap_mods_free(mods, 1);
                                ldap_memfree(dn);
                                ldap_msgfree(result);
                                ldap_mods_free(mods, 1);
                                ldap_memfree(dn);
                                ldap_msgfree(result);
@@ -1547,29 +1831,36 @@ static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
        }
 
        for (values=ldap_values;*values;values++) {
        }
 
        for (values=ldap_values;*values;values++) {
-               if (strcasecmp(*values, "posixAccount") == 0) {
+               if (strcasecmp(*values, LDAP_OBJ_POSIXACCOUNT ) == 0) {
                        break;
                }
        }
        
        if (!*values) { /*end of array, no posixAccount */
                        break;
                }
        }
        
        if (!*values) { /*end of array, no posixAccount */
-               DEBUG(10, ("user does not have posixAcccount attributes\n"));
+               DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
                ldap_value_free(ldap_values);
                return False;
        }
        ldap_value_free(ldap_values);
 
                ldap_value_free(ldap_values);
                return False;
        }
        ldap_value_free(ldap_values);
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir)) 
+       if ( !get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) ) 
+       {
                return False;
                return False;
+       }
        
        
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+       if ( !get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
+       {
                return False;
                return False;
+       }
        
        *gid = (gid_t)atol(temp);
 
        pdb_set_unix_homedir(sampass, homedir, PDB_SET);
        
        
        *gid = (gid_t)atol(temp);
 
        pdb_set_unix_homedir(sampass, homedir, PDB_SET);
        
-       DEBUG(10, ("user has posixAcccount attributes\n"));
+       DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
+       
        return True;
 }
 
        return True;
 }
 
@@ -1652,37 +1943,65 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
        pdb_set_domain(sampass, domain, PDB_DEFAULT);
        pdb_set_nt_username(sampass, nt_username, PDB_SET);
        
        pdb_set_domain(sampass, domain, PDB_DEFAULT);
        pdb_set_nt_username(sampass, nt_username, PDB_SET);
        
-       if (ldap_state->use_ntsid) {
-               if (get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", temp)) {
+       /* deal with different attributes between the schema first */
+       
+       if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) 
+       {
+               if (get_single_attribute(ldap_state->ldap_struct, entry, 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) 
+               {
                        pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
                }
                        pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
                }
-       } else {
-               if (get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) {
+               
+               if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) 
+               {
+                       pdb_set_group_sid_from_string(sampass, temp, PDB_SET);                  
+               }
+               else 
+               {
+                       pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+               }
+
+
+       } 
+       else 
+       {
+               if (get_single_attribute(ldap_state->ldap_struct, entry,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) 
+               {
                        user_rid = (uint32)atol(temp);
                        pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
                }
                        user_rid = (uint32)atol(temp);
                        pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
                }
+               
+               if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) 
+               {
+                       pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+               } else {
+                       uint32 group_rid;
+                       group_rid = (uint32)atol(temp);
+                       pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+               }
        }
 
        if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
        }
 
        if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
-               DEBUG(1, ("no rid or ntSid attribute found for this user %s\n", username));
+               DEBUG(1, ("no %s or %s attribute found for this user %s\n", 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
+                       username));
                return False;
        }
 
                return False;
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
-               pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
-       } else {
-               uint32 group_rid;
-               group_rid = (uint32)atol(temp);
-               pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
-       }
 
        /* 
         * If so configured, try and get the values from LDAP 
         */
 
 
        /* 
         * If so configured, try and get the values from LDAP 
         */
 
-       if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) {
-               
-               if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) {
+       if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) 
+       {       
+               if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) 
+               {
                        GROUP_MAP map;
                        /* call the mapping code here */
                        if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
                        GROUP_MAP map;
                        /* call the mapping code here */
                        if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
@@ -1694,42 +2013,54 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                }
        }
 
                }
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdLastSet", temp)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) 
+       {
                /* leave as default */
        } else {
                pass_last_set_time = (time_t) atol(temp);
                pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
        }
 
                /* leave as default */
        } else {
                pass_last_set_time = (time_t) atol(temp);
                pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "logonTime", temp)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) 
+       {
                /* leave as default */
        } else {
                logon_time = (time_t) atol(temp);
                pdb_set_logon_time(sampass, logon_time, PDB_SET);
        }
 
                /* leave as default */
        } else {
                logon_time = (time_t) atol(temp);
                pdb_set_logon_time(sampass, logon_time, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "logoffTime", temp)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) 
+       {
                /* leave as default */
        } else {
                logoff_time = (time_t) atol(temp);
                pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
        }
 
                /* leave as default */
        } else {
                logoff_time = (time_t) atol(temp);
                pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "kickoffTime", temp)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) 
+       {
                /* leave as default */
        } else {
                kickoff_time = (time_t) atol(temp);
                pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
        }
 
                /* leave as default */
        } else {
                kickoff_time = (time_t) atol(temp);
                pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdCanChange", temp)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) 
+       {
                /* leave as default */
        } else {
                pass_can_change_time = (time_t) atol(temp);
                pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
        }
 
                /* leave as default */
        } else {
                pass_can_change_time = (time_t) atol(temp);
                pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdMustChange", temp)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) 
+       {       
                /* leave as default */
        } else {
                pass_must_change_time = (time_t) atol(temp);
                /* leave as default */
        } else {
                pass_must_change_time = (time_t) atol(temp);
@@ -1743,9 +2074,11 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
         */
 
        if (!get_single_attribute(ldap_state->ldap_struct, entry,
         */
 
        if (!get_single_attribute(ldap_state->ldap_struct, entry,
-                                 "displayName", fullname)) {
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) 
+       {
                if (!get_single_attribute(ldap_state->ldap_struct, entry,
                if (!get_single_attribute(ldap_state->ldap_struct, entry,
-                                         "cn", fullname)) {
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) 
+               {
                        /* leave as default */
                } else {
                        pdb_set_fullname(sampass, fullname, PDB_SET);
                        /* leave as default */
                } else {
                        pdb_set_fullname(sampass, fullname, PDB_SET);
@@ -1754,7 +2087,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                pdb_set_fullname(sampass, fullname, PDB_SET);
        }
 
                pdb_set_fullname(sampass, fullname, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDrive", dir_drive)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive)) 
+       {
                pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                  lp_logon_drive(),
                                                                  username, domain, 
                pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                  lp_logon_drive(),
                                                                  username, domain, 
@@ -1764,7 +2099,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
        }
 
                pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "smbHome", homedir)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir)) 
+       {
                pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                  lp_logon_home(),
                                                                  username, domain, 
                pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                  lp_logon_home(),
                                                                  username, domain, 
@@ -1774,7 +2111,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                pdb_set_homedir(sampass, homedir, PDB_SET);
        }
 
                pdb_set_homedir(sampass, homedir, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "scriptPath", logon_script)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script)) 
+       {
                pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                     lp_logon_script(),
                                                                     username, domain, 
                pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                     lp_logon_script(),
                                                                     username, domain, 
@@ -1784,7 +2123,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                pdb_set_logon_script(sampass, logon_script, PDB_SET);
        }
 
                pdb_set_logon_script(sampass, logon_script, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "profilePath", profile_path)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path)) 
+       {
                pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                     lp_logon_path(),
                                                                     username, domain, 
                pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                     lp_logon_path(),
                                                                     username, domain, 
@@ -1794,13 +2135,17 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                pdb_set_profile_path(sampass, profile_path, PDB_SET);
        }
 
                pdb_set_profile_path(sampass, profile_path, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "description", acct_desc)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc)) 
+       {
                /* leave as default */
        } else {
                pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
        }
 
                /* leave as default */
        } else {
                pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
        }
 
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "userWorkstations", workstations)) {
+       if (!get_single_attribute(ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) 
+       {
                /* leave as default */;
        } else {
                pdb_set_workstations(sampass, workstations, PDB_SET);
                /* leave as default */;
        } else {
                pdb_set_workstations(sampass, workstations, PDB_SET);
@@ -1812,7 +2157,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
        hours_len = 21;
        memset(hours, 0xff, hours_len);
 
        hours_len = 21;
        memset(hours, 0xff, hours_len);
 
-       if (!get_single_attribute (ldap_state->ldap_struct, entry, "lmPassword", temp)) {
+       if (!get_single_attribute (ldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) 
+       {
                /* leave as default */
        } else {
                pdb_gethexpwd(temp, smblmpwd);
                /* leave as default */
        } else {
                pdb_gethexpwd(temp, smblmpwd);
@@ -1822,7 +2169,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                ZERO_STRUCT(smblmpwd);
        }
 
                ZERO_STRUCT(smblmpwd);
        }
 
-       if (!get_single_attribute (ldap_state->ldap_struct, entry, "ntPassword", temp)) {
+       if (!get_single_attribute (ldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) 
+       {
                /* leave as default */
        } else {
                pdb_gethexpwd(temp, smbntpwd);
                /* leave as default */
        } else {
                pdb_gethexpwd(temp, smbntpwd);
@@ -1832,7 +2181,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                ZERO_STRUCT(smbntpwd);
        }
 
                ZERO_STRUCT(smbntpwd);
        }
 
-       if (!get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
+       if (!get_single_attribute (ldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) 
+       {
                acct_ctrl |= ACB_NORMAL;
        } else {
                acct_ctrl = pdb_decode_acct_ctrl(temp);
                acct_ctrl |= ACB_NORMAL;
        } else {
                acct_ctrl = pdb_decode_acct_ctrl(temp);
@@ -1905,7 +2256,8 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
                }
 
                /* now that we have figured out the RID, always store it, as
                }
 
                /* now that we have figured out the RID, always store it, as
-                  the schema requires it */
+                  the schema requires it (either as a SID or a RID) */
+                  
                if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) {
                        DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n", 
                                  pdb_get_username(sampass)));
                if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) {
                        DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n", 
                                  pdb_get_username(sampass)));
@@ -1915,37 +2267,69 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
        }
 
        /* only update the RID if we actually need to */
        }
 
        /* only update the RID if we actually need to */
-       if (need_update(sampass, PDB_USERSID)) {
+       if (need_update(sampass, PDB_USERSID)) 
+       {
                fstring sid_string;
                fstring dom_sid_string;
                const DOM_SID *user_sid;
                user_sid = pdb_get_user_sid(sampass);
                
                fstring sid_string;
                fstring dom_sid_string;
                const DOM_SID *user_sid;
                user_sid = pdb_get_user_sid(sampass);
                
-               if (ldap_state->use_ntsid) {
-                       make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "ntSid", sid_to_string(sid_string, user_sid));
-               } else {
-                       if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) {
-                               DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid())));
-                               return False;
-                       }
-                       slprintf(temp, sizeof(temp) - 1, "%i", rid);
-                       make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "rid", temp);
-               }
-               
+               switch ( ldap_state->schema_ver )
+               {
+                       case SCHEMAVER_SAMBAACCOUNT:
+                               if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) {
+                                       DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid())));
+                                       return False;
+                               }
+                               slprintf(temp, sizeof(temp) - 1, "%i", rid);
+                               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+                                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), 
+                                       temp);
+                               break;
+                               
+                       case SCHEMAVER_SAMBASAMACCOUNT:
+                               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+                                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
+                                       sid_to_string(sid_string, user_sid));                                 
+                               break;
+                               
+                       default:
+                               DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
+                               break;
+               }               
        }
 
        /* we don't need to store the primary group RID - so leaving it
           'free' to hang off the unix primary group makes life easier */
 
        }
 
        /* we don't need to store the primary group RID - so leaving it
           'free' to hang off the unix primary group makes life easier */
 
-       if (need_update(sampass, PDB_GROUPSID)) {
-               rid = pdb_get_group_rid(sampass);
-               slprintf(temp, sizeof(temp) - 1, "%i", rid);
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "primaryGroupID", temp);
+       if (need_update(sampass, PDB_GROUPSID)) 
+       {
+               switch ( ldap_state->schema_ver )
+               {
+                       case SCHEMAVER_SAMBAACCOUNT:
+                               rid = pdb_get_group_rid(sampass);
+                               slprintf(temp, sizeof(temp) - 1, "%i", rid);
+                               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+                                             get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), 
+                                             temp);
+                               break;
+                               
+                       case SCHEMAVER_SAMBASAMACCOUNT:
+                               rid = pdb_get_group_rid(sampass);
+                               slprintf(temp, sizeof(temp) - 1, "%s-%i", 
+                                       sid_string_static(get_global_sam_sid()), rid);
+                               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+                                             get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), 
+                                             temp);
+                               break;
+                               
+                       default:
+                               DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
+                               break;
+               }
+               
        }
        }
-
+       
        /* displayName, cn, and gecos should all be the same
         *  most easily accomplished by giving them the same OID
         *  gecos isn't set here b/c it should be handled by the 
        /* displayName, cn, and gecos should all be the same
         *  most easily accomplished by giving them the same OID
         *  gecos isn't set here b/c it should be handled by the 
@@ -1956,97 +2340,97 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
 
        if (need_update(sampass, PDB_FULLNAME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
 
        if (need_update(sampass, PDB_FULLNAME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "displayName", pdb_get_fullname(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), 
+                       pdb_get_fullname(sampass));
 
        if (need_update(sampass, PDB_ACCTDESC))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
 
        if (need_update(sampass, PDB_ACCTDESC))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "description", pdb_get_acct_desc(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), 
+                       pdb_get_acct_desc(sampass));
 
        if (need_update(sampass, PDB_WORKSTATIONS))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
 
        if (need_update(sampass, PDB_WORKSTATIONS))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "userWorkstations", pdb_get_workstations(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), 
+                       pdb_get_workstations(sampass));
 
        if (need_update(sampass, PDB_SMBHOME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
 
        if (need_update(sampass, PDB_SMBHOME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "smbHome", pdb_get_homedir(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), 
+                       pdb_get_homedir(sampass));
                        
        if (need_update(sampass, PDB_DRIVE))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
                        
        if (need_update(sampass, PDB_DRIVE))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "homeDrive", pdb_get_dir_drive(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), 
+                       pdb_get_dir_drive(sampass));
 
        if (need_update(sampass, PDB_LOGONSCRIPT))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
 
        if (need_update(sampass, PDB_LOGONSCRIPT))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "scriptPath", pdb_get_logon_script(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), 
+                       pdb_get_logon_script(sampass));
 
        if (need_update(sampass, PDB_PROFILE))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
 
        if (need_update(sampass, PDB_PROFILE))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "profilePath", pdb_get_profile_path(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), 
+                       pdb_get_profile_path(sampass));
 
        slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
 
        slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
-
        if (need_update(sampass, PDB_LOGONTIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
        if (need_update(sampass, PDB_LOGONTIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "logonTime", temp);
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
 
        slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
 
        slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
-
        if (need_update(sampass, PDB_LOGOFFTIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
        if (need_update(sampass, PDB_LOGOFFTIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "logoffTime", temp);
-
-       slprintf (temp, sizeof (temp) - 1, "%li",
-                 pdb_get_kickoff_time(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
 
 
+       slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
        if (need_update(sampass, PDB_KICKOFFTIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
        if (need_update(sampass, PDB_KICKOFFTIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "kickoffTime", temp);
-
-       slprintf (temp, sizeof (temp) - 1, "%li",
-                 pdb_get_pass_can_change_time(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
 
 
+       slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
        if (need_update(sampass, PDB_CANCHANGETIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
        if (need_update(sampass, PDB_CANCHANGETIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "pwdCanChange", temp);
-
-       slprintf (temp, sizeof (temp) - 1, "%li",
-                 pdb_get_pass_must_change_time(sampass));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
 
 
+       slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
        if (need_update(sampass, PDB_MUSTCHANGETIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
        if (need_update(sampass, PDB_MUSTCHANGETIME))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "pwdMustChange", temp);
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
 
 
-       if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))||
-           (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
+       if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
+               || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) 
+       {
 
 
-               pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass),
+               pdb_sethexpwd(temp, pdb_get_lanman_passwd(sampass),
                               pdb_get_acct_ctrl(sampass));
 
                if (need_update(sampass, PDB_LMPASSWD))
                        make_ldap_mod(ldap_state->ldap_struct, existing, mods,
                               pdb_get_acct_ctrl(sampass));
 
                if (need_update(sampass, PDB_LMPASSWD))
                        make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "lmPassword", temp);
+                               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
+                               temp);
 
                pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass),
                               pdb_get_acct_ctrl(sampass));
 
                if (need_update(sampass, PDB_NTPASSWD))
                        make_ldap_mod(ldap_state->ldap_struct, existing, mods,
 
                pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass),
                               pdb_get_acct_ctrl(sampass));
 
                if (need_update(sampass, PDB_NTPASSWD))
                        make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "ntPassword", temp);
-
-               slprintf (temp, sizeof (temp) - 1, "%li",
-                         pdb_get_pass_last_set_time(sampass));
+                               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
+                               temp);
 
 
+               slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
                if (need_update(sampass, PDB_PASSLASTSET))
                        make_ldap_mod(ldap_state->ldap_struct, existing, mods,
                if (need_update(sampass, PDB_PASSLASTSET))
                        make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "pwdLastSet", temp);
+                               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), 
+                               temp);
        }
 
        /* FIXME: Hours stuff goes in LDAP  */
 
        if (need_update(sampass, PDB_ACCTCTRL))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
        }
 
        /* FIXME: Hours stuff goes in LDAP  */
 
        if (need_update(sampass, PDB_ACCTCTRL))
                make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "acctFlags",
-                             pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
-                                                   NEW_PW_FORMAT_SPACE_PADDED_LEN));
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), 
+                       pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
 
        return True;
 }
 
        return True;
 }
@@ -2061,13 +2445,15 @@ static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
        struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
        int rc;
        pstring filter;
        struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
        int rc;
        pstring filter;
+       char **attr_list;
 
 
-       pstrcpy(filter, lp_ldap_filter());
+       snprintf( filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(), 
+               get_objclass_filter(ldap_state->schema_ver));
        all_string_sub(filter, "%u", "*", sizeof(pstring));
 
        all_string_sub(filter, "%u", "*", sizeof(pstring));
 
-       rc = ldapsam_search_suffix(ldap_state, 
-                                  filter, attr,
-                                  &ldap_state->result);
+       attr_list = get_userattr_list(ldap_state->schema_ver);
+       rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &ldap_state->result);
+       free_attr_list( attr_list );
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
@@ -2137,16 +2523,21 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT
        LDAPMessage *result;
        LDAPMessage *entry;
        int count;
        LDAPMessage *result;
        LDAPMessage *entry;
        int count;
+       char ** attr_list;
+       int rc;
        
        
-       if (ldapsam_search_suffix_by_name(ldap_state, sname, &result) != LDAP_SUCCESS) {
+       attr_list = get_userattr_list( ldap_state->schema_ver );
+       rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
+       free_attr_list( attr_list );
+
+       if ( rc != LDAP_SUCCESS ) 
                return NT_STATUS_NO_SUCH_USER;
                return NT_STATUS_NO_SUCH_USER;
-       }
        
        count = ldap_count_entries(ldap_state->ldap_struct, result);
        
        if (count < 1) {
                DEBUG(4,
        
        count = ldap_count_entries(ldap_state->ldap_struct, result);
        
        if (count < 1) {
                DEBUG(4,
-                     ("We don't find this user [%s] count=%d\n", sname,
+                     ("Unable to locate user [%s] count=%d\n", sname,
                       count));
                return NT_STATUS_NO_SUCH_USER;
        } else if (count > 1) {
                       count));
                return NT_STATUS_NO_SUCH_USER;
        } else if (count > 1) {
@@ -2177,36 +2568,53 @@ Get SAM_ACCOUNT entry from LDAP by SID
 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
 {
        NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
 {
        NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-       struct ldapsam_privates *ldap_state = 
-               (struct ldapsam_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
        LDAPMessage *result;
        LDAPMessage *entry;
        fstring sid_string;
        int count;
        LDAPMessage *result;
        LDAPMessage *entry;
        fstring sid_string;
        int count;
+       int rc;
+       char ** attr_list;
        
        
-       if (ldap_state->use_ntsid) {
-               if (ldapsam_search_suffix_by_sid(ldap_state, sid, &result) != LDAP_SUCCESS) {
-                       return NT_STATUS_NO_SUCH_USER;
-               }
-       } else {
-               uint32 rid;
-               if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
-                       return NT_STATUS_NO_SUCH_USER;
-               }
+       switch ( ldap_state->schema_ver )
+       {
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       attr_list = get_userattr_list(ldap_state->schema_ver);
+                       rc = ldapsam_search_suffix_by_sid(ldap_state, sid, &result, attr_list);
+                       free_attr_list( attr_list );
+
+                       if ( rc != LDAP_SUCCESS ) 
+                               return NT_STATUS_NO_SUCH_USER;
+                       break;
+                       
+               case SCHEMAVER_SAMBAACCOUNT:
+               {
+                       uint32 rid;
+                       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
+                               return NT_STATUS_NO_SUCH_USER;
+                       }
                
                
-               if (ldapsam_search_suffix_by_rid(ldap_state, rid, &result) != LDAP_SUCCESS) {
-                       return NT_STATUS_NO_SUCH_USER;
+                       attr_list = get_userattr_list(ldap_state->schema_ver);
+                       rc = ldapsam_search_suffix_by_rid(ldap_state, rid, &result, attr_list );
+                       free_attr_list( attr_list );
+
+                       if ( rc != LDAP_SUCCESS ) 
+                               return NT_STATUS_NO_SUCH_USER;
                }
                }
+               break;
        }
        
        count = ldap_count_entries(ldap_state->ldap_struct, result);
        
        }
        
        count = ldap_count_entries(ldap_state->ldap_struct, result);
        
-       if (count < 1) {
+       if (count < 1) 
+       {
                DEBUG(4,
                DEBUG(4,
-                     ("We don't find this SID [%s] count=%d\n", sid_to_string(sid_string, sid),
+                     ("Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
                       count));
                return NT_STATUS_NO_SUCH_USER;
                       count));
                return NT_STATUS_NO_SUCH_USER;
-       } else if (count > 1) {
+       }  
+       else if (count > 1) 
+       {
                DEBUG(1,
                      ("More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
                       count));
                DEBUG(1,
                      ("More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
                       count));
@@ -2214,7 +2622,8 @@ static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT
        }
 
        entry = ldap_first_entry(ldap_state->ldap_struct, result);
        }
 
        entry = ldap_first_entry(ldap_state->ldap_struct, result);
-       if (entry) {
+       if (entry) 
+       {
                if (!init_sam_from_ldap(ldap_state, user, entry)) {
                        DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
                        ldap_msgfree(result);
                if (!init_sam_from_ldap(ldap_state, user, entry)) {
                        DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
                        ldap_msgfree(result);
@@ -2253,7 +2662,7 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
                switch(ldap_op)
                {
                        case LDAP_MOD_ADD: 
                switch(ldap_op)
                {
                        case LDAP_MOD_ADD: 
-                               make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "account");
+                               make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT);
                                rc = ldapsam_add(ldap_state, dn, mods);
                                break;
                        case LDAP_MOD_REPLACE: 
                                rc = ldapsam_add(ldap_state, dn, mods);
                                break;
                        case LDAP_MOD_REPLACE: 
@@ -2351,11 +2760,8 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A
        int rc;
        LDAPMessage *result;
        NTSTATUS ret;
        int rc;
        LDAPMessage *result;
        NTSTATUS ret;
-       const char *sam_user_attrs[] =
-       { "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime",
-         "kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags",
-         "displayName", "smbHome", "homeDrive", "scriptPath", "profilePath",
-         "userWorkstations", "primaryGroupID", "domain", "rid", "ntSid", NULL };
+       char **attr_list;
+       fstring objclass;
 
        if (!sam_acct) {
                DEBUG(0, ("sam_acct was NULL!\n"));
 
        if (!sam_acct) {
                DEBUG(0, ("sam_acct was NULL!\n"));
@@ -2366,14 +2772,33 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A
 
        DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
 
 
        DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
 
-       rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result);
-       if (rc != LDAP_SUCCESS) {
+       attr_list= get_userattr_list( ldap_state->schema_ver );
+       rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
+
+       if (rc != LDAP_SUCCESS)  {
+               free_attr_list( attr_list );
                return NT_STATUS_NO_SUCH_USER;
        }
                return NT_STATUS_NO_SUCH_USER;
        }
+       
+       switch ( ldap_state->schema_ver )
+       {
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
+                       break;
+                       
+               case SCHEMAVER_SAMBAACCOUNT:
+                       fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
+                       break;
+               default:
+                       fstrcpy( objclass, "UNKNOWN" );
+                       DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
+                               break;
+       }
 
 
-       ret = ldapsam_delete_entry(ldap_state, result, "sambaAccount",
-                                  sam_user_attrs);
+       ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
        ldap_msgfree(result);
        ldap_msgfree(result);
+       free_attr_list( attr_list );
+
        return ret;
 }
 
        return ret;
 }
 
@@ -2399,11 +2824,13 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A
        LDAPMessage *result;
        LDAPMessage *entry;
        LDAPMod **mods;
        LDAPMessage *result;
        LDAPMessage *entry;
        LDAPMod **mods;
+       char **attr_list;
 
 
-       rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result);
-       if (rc != LDAP_SUCCESS) {
+       attr_list = get_userattr_list(ldap_state->schema_ver);
+       rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
+       free_attr_list( attr_list );
+       if (rc != LDAP_SUCCESS) 
                return NT_STATUS_UNSUCCESSFUL;
                return NT_STATUS_UNSUCCESSFUL;
-       }
 
        if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
                DEBUG(0, ("No user to modify!\n"));
 
        if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
                DEBUG(0, ("No user to modify!\n"));
@@ -2451,7 +2878,7 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A
 /**********************************************************************
   Helper function to determine for update_sam_account whether
   we need LDAP modification.
 /**********************************************************************
   Helper function to determine for update_sam_account whether
   we need LDAP modification.
-*********************************************************************/
+ *********************************************************************/
 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
                                      enum pdb_elements element)
 {
 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
                                      enum pdb_elements element)
 {
@@ -2462,43 +2889,60 @@ static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
 /**********************************************************************
 Add SAM_ACCOUNT to LDAP 
 *********************************************************************/
 /**********************************************************************
 Add SAM_ACCOUNT to LDAP 
 *********************************************************************/
+
 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
 {
        NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
        struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
        int rc;
 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
 {
        NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
        struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
        int rc;
-       pstring filter;
-       LDAPMessage *result = NULL;
-       LDAPMessage *entry  = NULL;
-       pstring dn;
-       LDAPMod **mods = NULL;
+       LDAPMessage     *result = NULL;
+       LDAPMessage     *entry  = NULL;
+       pstring         dn;
+       LDAPMod         **mods = NULL;
        int             ldap_op;
        uint32          num_result;
        int             ldap_op;
        uint32          num_result;
-       
-       const char *username = pdb_get_username(newpwd);
+       char            **attr_list;
+       char            *escape_user;
+       const char      *username = pdb_get_username(newpwd);
+       pstring         filter;
+
        if (!username || !*username) {
                DEBUG(0, ("Cannot add user without a username!\n"));
                return NT_STATUS_INVALID_PARAMETER;
        }
 
        if (!username || !*username) {
                DEBUG(0, ("Cannot add user without a username!\n"));
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       rc = ldapsam_search_suffix_by_name (ldap_state, username, &result);
+       /* free this list after the second search or in case we exit on failure */
+       
+       attr_list = get_userattr_list(ldap_state->schema_ver);
+       rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
+
        if (rc != LDAP_SUCCESS) {
        if (rc != LDAP_SUCCESS) {
+               free_attr_list( attr_list );
                return NT_STATUS_UNSUCCESSFUL;
        }
 
        if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
                return NT_STATUS_UNSUCCESSFUL;
        }
 
        if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
-               DEBUG(0,("User '%s' already in the base, with samba properties\n", 
+               DEBUG(0,("User '%s' already in the base, with samba attributes\n", 
                         username));
                ldap_msgfree(result);
                         username));
                ldap_msgfree(result);
+               free_attr_list( attr_list );
                return NT_STATUS_UNSUCCESSFUL;
        }
        ldap_msgfree(result);
 
                return NT_STATUS_UNSUCCESSFUL;
        }
        ldap_msgfree(result);
 
-       slprintf (filter, sizeof (filter) - 1, "uid=%s", username);
-       rc = ldapsam_search_suffix(ldap_state, filter, attr, &result);
-       if (rc != LDAP_SUCCESS) {
+       /* does the entry already exist but without a samba rttibutes?
+          we don't really care what attributes are returned here */
+          
+       escape_user = escape_ldap_string_alloc( username );
+       pstrcpy( filter, lp_ldap_filter() );
+       all_string_sub( filter, "%u", escape_user, sizeof(filter) );
+       SAFE_FREE( escape_user );
+
+       rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &result);
+       free_attr_list( attr_list );
+
+       if ( rc != LDAP_SUCCESS )
                return NT_STATUS_UNSUCCESSFUL;
                return NT_STATUS_UNSUCCESSFUL;
-       }
 
        num_result = ldap_count_entries(ldap_state->ldap_struct, result);
        
 
        num_result = ldap_count_entries(ldap_state->ldap_struct, result);
        
@@ -2512,7 +2956,7 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
        if (num_result == 1) {
                char *tmp;
                
        if (num_result == 1) {
                char *tmp;
                
-               DEBUG(3,("User exists without samba properties: adding them\n"));
+               DEBUG(3,("User exists without samba attributes: adding them\n"));
                ldap_op = LDAP_MOD_REPLACE;
                entry = ldap_first_entry (ldap_state->ldap_struct, result);
                tmp = ldap_get_dn (ldap_state->ldap_struct, entry);
                ldap_op = LDAP_MOD_REPLACE;
                entry = ldap_first_entry (ldap_state->ldap_struct, result);
                tmp = ldap_get_dn (ldap_state->ldap_struct, entry);
@@ -2542,8 +2986,18 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
                DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
                return NT_STATUS_UNSUCCESSFUL;
        }
                DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
                return NT_STATUS_UNSUCCESSFUL;
        }
-       
-       make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
+       switch ( ldap_state->schema_ver )
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
+                       break;
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
+                       break;
+               default:
+                       DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
+                       break;
+       }
 
        ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
        if (NT_STATUS_IS_ERR(ret)) {
 
        ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
        if (NT_STATUS_IS_ERR(ret)) {
@@ -2553,11 +3007,16 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
                return ret;
        }
 
                return ret;
        }
 
-       DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
+       DEBUG(2,("added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
        ldap_mods_free(mods, 1);
        ldap_mods_free(mods, 1);
+       
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ Housekeeping
+ *********************************************************************/
+
 static void free_private_data(void **vp) 
 {
        struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
 static void free_private_data(void **vp) 
 {
        struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
@@ -2578,22 +3037,24 @@ static void free_private_data(void **vp)
        /* No need to free any further, as it is talloc()ed */
 }
 
        /* No need to free any further, as it is talloc()ed */
 }
 
-static const char *group_attr[] = {"cn", "ntSid", "ntGroupType",
-                                  "gidNumber",
-                                  "displayName", "description",
-                                  NULL };
-                                  
+/**********************************************************************
+ *********************************************************************/
+
 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
                                     const char *filter,
                                     LDAPMessage ** result)
 {
        int scope = LDAP_SCOPE_SUBTREE;
        int rc;
 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
                                     const char *filter,
                                     LDAPMessage ** result)
 {
        int scope = LDAP_SCOPE_SUBTREE;
        int rc;
+       char **attr_list;
 
        DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter));
 
 
        DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter));
 
+
+       attr_list = get_attr_list(groupmap_attr_list);
        rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope,
        rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope,
-                           filter, group_attr, 0, result);
+                           filter, attr_list, 0, result);
+       free_attr_list( attr_list );
 
        if (rc != LDAP_SUCCESS) {
                char *ld_error = NULL;
 
        if (rc != LDAP_SUCCESS) {
                char *ld_error = NULL;
@@ -2610,6 +3071,9 @@ static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
        return rc;
 }
 
        return rc;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
                                 GROUP_MAP *map, LDAPMessage *entry)
 {
 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
                                 GROUP_MAP *map, LDAPMessage *entry)
 {
@@ -2676,6 +3140,9 @@ static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
        return True;
 }
 
        return True;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static BOOL init_ldap_from_group(LDAP *ldap_struct,
                                 LDAPMessage *existing,
                                 LDAPMod ***mods,
 static BOOL init_ldap_from_group(LDAP *ldap_struct,
                                 LDAPMessage *existing,
                                 LDAPMod ***mods,
@@ -2701,6 +3168,9 @@ static BOOL init_ldap_from_group(LDAP *ldap_struct,
        return True;
 }
 
        return True;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
                                 const char *filter,
                                 GROUP_MAP *map)
 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
                                 const char *filter,
                                 GROUP_MAP *map)
@@ -2747,6 +3217,9 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
                                 DOM_SID sid, BOOL with_priv)
 {
 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
                                 DOM_SID sid, BOOL with_priv)
 {
@@ -2759,6 +3232,9 @@ static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
        return ldapsam_getgroup(methods, filter, map);
 }
 
        return ldapsam_getgroup(methods, filter, map);
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
                                 gid_t gid, BOOL with_priv)
 {
 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
                                 gid_t gid, BOOL with_priv)
 {
@@ -2771,6 +3247,9 @@ static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
        return ldapsam_getgroup(methods, filter, map);
 }
 
        return ldapsam_getgroup(methods, filter, map);
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
                                 char *name, BOOL with_priv)
 {
 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
                                 char *name, BOOL with_priv)
 {
@@ -2785,6 +3264,9 @@ static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
        return ldapsam_getgroup(methods, filter, map);
 }
 
        return ldapsam_getgroup(methods, filter, map);
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
                                           gid_t gid,
                                           LDAPMessage **result)
 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
                                           gid_t gid,
                                           LDAPMessage **result)
@@ -2797,6 +3279,9 @@ static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
        return ldapsam_search_one_group(ldap_state, filter, result);
 }
 
        return ldapsam_search_one_group(ldap_state, filter, result);
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
                                                GROUP_MAP *map)
 {
 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
                                                GROUP_MAP *map)
 {
@@ -2871,6 +3356,9 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
                                                   GROUP_MAP *map)
 {
 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
                                                   GROUP_MAP *map)
 {
@@ -2928,22 +3416,23 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
                                                   DOM_SID sid)
 {
 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
                                                   DOM_SID sid)
 {
-       struct ldapsam_privates *ldap_state =
-               (struct ldapsam_privates *)methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
        pstring sidstring, filter;
        LDAPMessage *result;
        int rc;
        NTSTATUS ret;
        pstring sidstring, filter;
        LDAPMessage *result;
        int rc;
        NTSTATUS ret;
+       char **attr_list;
 
 
-       const char *sam_group_attrs[] = { "ntSid", "ntGroupType",
-                                         "description", "displayName",
-                                         NULL };
        sid_to_string(sidstring, &sid);
        sid_to_string(sidstring, &sid);
-       snprintf(filter, sizeof(filter)-1,
-                "(&(objectClass=sambaGroupMapping)(ntSid=%s))", sidstring);
+       
+       snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))", 
+               LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
 
        rc = ldapsam_search_one_group(ldap_state, filter, &result);
 
 
        rc = ldapsam_search_one_group(ldap_state, filter, &result);
 
@@ -2951,23 +3440,31 @@ static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
                return NT_STATUS_NO_SUCH_GROUP;
        }
 
                return NT_STATUS_NO_SUCH_GROUP;
        }
 
-       ret = ldapsam_delete_entry(ldap_state, result, "sambaGroupMapping",
-                                  sam_group_attrs);
+       attr_list = get_attr_list( groupmap_attr_list );
+       ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
+       free_attr_list ( attr_list );
+
        ldap_msgfree(result);
        ldap_msgfree(result);
+
        return ret;
 }
 
        return ret;
 }
 
-static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
-                                   BOOL update)
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
 {
 {
-       struct ldapsam_privates *ldap_state =
-               (struct ldapsam_privates *)my_methods->private_data;
-       const char *filter = "(objectClass=sambaGroupMapping)";
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+       fstring filter;
        int rc;
        int rc;
+       char **attr_list;
 
 
+       snprintf( filter, sizeof(filter)-1, "(%s=*)", LDAP_OBJ_GROUPMAP );
+       attr_list = get_attr_list( groupmap_attr_list );
        rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
                            LDAP_SCOPE_SUBTREE, filter,
        rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
                            LDAP_SCOPE_SUBTREE, filter,
-                           group_attr, 0, &ldap_state->result);
+                           attr_list, 0, &ldap_state->result);
+       free_attr_list( attr_list );
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
@@ -2981,18 +3478,23 @@ static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
                  ldap_count_entries(ldap_state->ldap_struct,
                                     ldap_state->result)));
 
                  ldap_count_entries(ldap_state->ldap_struct,
                                     ldap_state->result)));
 
-       ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
-                                ldap_state->result);
+       ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct, ldap_state->result);
        ldap_state->index = 0;
 
        return NT_STATUS_OK;
 }
 
        ldap_state->index = 0;
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
 {
        ldapsam_endsampwent(my_methods);
 }
 
 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
 {
        ldapsam_endsampwent(my_methods);
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
                                    GROUP_MAP *map)
 {
 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
                                    GROUP_MAP *map)
 {
@@ -3018,6 +3520,9 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
                                           enum SID_NAME_USE sid_name_use,
                                           GROUP_MAP **rmap, int *num_entries,
 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
                                           enum SID_NAME_USE sid_name_use,
                                           GROUP_MAP **rmap, int *num_entries,
@@ -3068,7 +3573,11 @@ static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
-static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, 
+                                       const char *location)
 {
        NTSTATUS nt_status;
        struct ldapsam_privates *ldap_state;
 {
        NTSTATUS nt_status;
        struct ldapsam_privates *ldap_state;
@@ -3118,8 +3627,6 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **
 
        sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
 
 
        sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
 
-       ldap_state->use_ntsid = True;
-
        (*pdb_method)->private_data = ldap_state;
 
        (*pdb_method)->free_private_data = free_private_data;
        (*pdb_method)->private_data = ldap_state;
 
        (*pdb_method)->free_private_data = free_private_data;
@@ -3127,6 +3634,9 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
 {
        NTSTATUS nt_status;
 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
 {
        NTSTATUS nt_status;
@@ -3139,7 +3649,7 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **
        (*pdb_method)->name = "ldapsam_compat";
 
        ldap_state = (*pdb_method)->private_data;
        (*pdb_method)->name = "ldapsam_compat";
 
        ldap_state = (*pdb_method)->private_data;
-       ldap_state->use_ntsid = False;
+       ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
 
        if (location) {
                ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
 
        if (location) {
                ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
@@ -3164,6 +3674,9 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
+/**********************************************************************
+ *********************************************************************/
+
 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
 {
        NTSTATUS nt_status;
 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
 {
        NTSTATUS nt_status;
@@ -3178,28 +3691,23 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met
        (*pdb_method)->name = "ldapsam";
 
        ldap_state = (*pdb_method)->private_data;
        (*pdb_method)->name = "ldapsam";
 
        ldap_state = (*pdb_method)->private_data;
-       
-       ldap_state->permit_non_unix_accounts = True;
+       ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;     
+       ldap_state->permit_non_unix_accounts = False;
 
 
-       /* We know these uids can't turn up as algorithmic RIDs */
-       if (!lp_idmap_uid(&low_idmap_uid, &high_idmap_uid)) {
-               DEBUG(0, ("cannot use ldapsam_nua without 'idmap uid' range in smb.conf!\n"));
-               return NT_STATUS_UNSUCCESSFUL;
-       }
-
-       /* We know these gids can't turn up as algorithmic RIDs */
-       if (!lp_idmap_gid(&low_idmap_gid, &high_idmap_gid)) {
-               DEBUG(0, ("cannot use ldapsam_nua without 'wibnind gid' range in smb.conf!\n"));
-               return NT_STATUS_UNSUCCESSFUL;
-       }
-
-       ldap_state->low_allocated_user_rid=fallback_pdb_uid_to_user_rid(low_idmap_uid);
+       /* check for non-unix account ranges */
 
 
-       ldap_state->high_allocated_user_rid=fallback_pdb_uid_to_user_rid(high_idmap_uid);
+       if (lp_idmap_uid(&low_idmap_uid, &high_idmap_uid) 
+               &&  lp_idmap_gid(&low_idmap_gid, &high_idmap_gid)) 
+       {
+               DEBUG(2, ("Enabling non-unix account ranges\n"));
 
 
-       ldap_state->low_allocated_group_rid=pdb_gid_to_group_rid(low_idmap_gid);
+               ldap_state->permit_non_unix_accounts = True;
 
 
-       ldap_state->high_allocated_group_rid=pdb_gid_to_group_rid(high_idmap_gid);
+               ldap_state->low_allocated_user_rid   = fallback_pdb_uid_to_user_rid(low_idmap_uid);
+               ldap_state->high_allocated_user_rid  = fallback_pdb_uid_to_user_rid(high_idmap_uid);
+               ldap_state->low_allocated_group_rid  = pdb_gid_to_group_rid(low_idmap_gid);
+               ldap_state->high_allocated_group_rid = pdb_gid_to_group_rid(high_idmap_gid);
+       }
 
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
@@ -3215,3 +3723,5 @@ NTSTATUS pdb_ldap_init(void)
 
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
+
+
index ab86eaf4ebf76c6f06522b15dbc76f1c126eb231..31c12241bf741a9ef4bef2d15141945c9fc8b609 100644 (file)
@@ -316,8 +316,8 @@ static NTSTATUS db_idmap_init(void)
 
        /* Create high water marks for group and user id */
        if (!lp_idmap_uid(&idmap_state.uid_low, &idmap_state.uid_high)) {
 
        /* Create high water marks for group and user id */
        if (!lp_idmap_uid(&idmap_state.uid_low, &idmap_state.uid_high)) {
-               DEBUG(0, ("idmap uid range missing or invalid\n"));
-               DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n"));
+               DEBUG(1, ("idmap uid range missing or invalid\n"));
+               DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
        } else {
                if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
                        if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) {
        } else {
                if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
                        if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) {
@@ -328,8 +328,8 @@ static NTSTATUS db_idmap_init(void)
        }
 
        if (!lp_idmap_gid(&idmap_state.gid_low, &idmap_state.gid_high)) {
        }
 
        if (!lp_idmap_gid(&idmap_state.gid_low, &idmap_state.gid_high)) {
-               DEBUG(0, ("idmap gid range missing or invalid\n"));
-               DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n"));
+               DEBUG(1, ("idmap gid range missing or invalid\n"));
+               DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
        } else {
                if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
                        if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) {
        } else {
                if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
                        if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) {