[OmniOS-discuss] LDAP and Active Directory via rfc2307

Michael Talbott mtalbott at lji.org
Fri Apr 22 19:58:18 UTC 2016

You're exactly right. The DN in AD is the full name, and if I create a user where the DN and short name match, then everything works great. Unfortunately, I'm not sure if updating all the DNs to match the short name will break other dependencies on it deployed in existing software elsewhere. One day when I'm feeling brave and have a little downtime scheduled, I'll batch update all the entries and see if anything breaks. But I suppose I'm stuck with winbind for the time being. Thank you for all the help.

> On Apr 22, 2016, at 11:27 AM, Paul B. Henson <henson at acm.org> wrote:
> On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:
>> all the group members are listed as "John Doe" rather than jdoe which
>> means that when jdoe logs in, he can't access his groups due to the
>> naming disconnect. Any ideas of how to fix that? Somehow map the group
>> members to samAccountName rather than the DN?
> How is your AD structured? It sounds like it's using full names for DNs
> rather than usernames? If so, that's not going to work.
> Our AD uses usernames for DNs; for example, I'm:
> dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> cn: henson
> sn: Henson
> givenName: Paul
> initials: B.
> distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> displayName: Paul B. Henson
> sAMAccountName: henson
> and if you look at a group I'm in:
> dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> cn: netadmin
> description: Network admins
> member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> sAMAccountName: netadmin
> So the RDN for both users and groups is the short name that a unix box
> expects to see, and the long name is in the displayName or description.
> I'm guessing you're using the full name as the CN and your users look
> like:
> dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> so your group members look like:
> member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> If that's the case, I don't think there's any way you can get it to
> work. The rfc2307bis group support expects the RDN to be the username,
> there's no way to get it to look up some other attribute of the entry
> and use it instead.
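The naming disconnect Paul describes, worked through on constructed entries (this is an added illustration, not code from the thread or from the OmniOS/illumos LDAP client). The script models the two layouts side by side: an account whose RDN equals its sAMAccountName, as in Paul's `CN=henson` example, and one whose RDN is the display name, as Michael describes. `members_by_rdn` does what the thread says the rfc2307bis group code does, namely take the member's RDN as the username; `members_by_lookup` does the DN-to-sAMAccountName resolution the thread says it cannot do; `login_mismatches` is the audit a practitioner would run before attempting the batch rename. The `ENTRIES` and `GROUP` data are constructed for the example and nothing here contacts a directory server.

```python
"""Added example: why AD group members stored as DNs only resolve to unix
usernames when the RDN is the login name.  Sample data is constructed,
modelled on the DNs quoted in the thread; no LDAP server is involved.
"""
import re

# Constructed sample directory.  'henson' follows Paul's layout (RDN ==
# sAMAccountName); 'John Doe' follows the layout Michael describes.
ENTRIES = {
    "CN=henson,OU=user,DC=ad,DC=cpp,DC=edu": {
        "cn": "henson",
        "sAMAccountName": "henson",
        "displayName": "Paul B. Henson",
    },
    "CN=John Doe,OU=user,DC=ad,DC=cpp,DC=edu": {
        "cn": "John Doe",
        "sAMAccountName": "jdoe",
        "displayName": "John Doe",
    },
}

# Constructed group holding both users as DN-valued 'member' attributes.
GROUP = {
    "dn": "CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu",
    "sAMAccountName": "netadmin",
    "member": [
        "CN=henson,OU=user,DC=ad,DC=cpp,DC=edu",
        "CN=John Doe,OU=user,DC=ad,DC=cpp,DC=edu",
    ],
}

_RDN = re.compile(r"^[A-Za-z]+=((?:\\.|[^,\\])*)")


def rdn_value(dn):
    """Value of the first RDN of a DN, with LDAP backslash escapes removed.

    This is what a client that 'expects the RDN to be the username' ends
    up using as the unix login name.
    """
    m = _RDN.match(dn)
    if not m:
        raise ValueError(f"not a DN: {dn!r}")
    return re.sub(r"\\(.)", r"\1", m.group(1))


def members_by_rdn(group):
    """Member names as derived from the RDN alone (no per-member lookup)."""
    return [rdn_value(dn) for dn in group["member"]]


def members_by_lookup(group, entries, attr="sAMAccountName"):
    """Member names obtained by resolving each member DN to its entry and
    reading the login attribute.  This is the mapping the thread says the
    rfc2307bis group support does not perform.  Dangling DNs are skipped
    rather than guessed at.
    """
    names = []
    for dn in group["member"]:
        entry = entries.get(dn)
        if entry is not None:
            names.append(entry[attr])
    return names


def login_mismatches(entries, attr="sAMAccountName"):
    """DNs of entries whose RDN differs from their login attribute; these are
    the users whose group memberships will not resolve under the RDN scheme.
    Useful as a pre-check before renaming entries in bulk.
    """
    return sorted(dn for dn, e in entries.items() if rdn_value(dn) != e[attr])


def can_use_group(username, group, entries, resolve=False):
    """Whether 'username' is seen as a member of 'group' under either scheme."""
    names = members_by_lookup(group, entries) if resolve else members_by_rdn(group)
    return username in names


if __name__ == "__main__":
    print("RDN-derived members:   ", members_by_rdn(GROUP))
    print("Resolved members:      ", members_by_lookup(GROUP, ENTRIES))
    print("Entries needing rename:", login_mismatches(ENTRIES))
    for user in ("henson", "jdoe"):
        print(f"{user}: rdn={can_use_group(user, GROUP, ENTRIES)}"
              f" lookup={can_use_group(user, GROUP, ENTRIES, resolve=True)}")
```

Running it shows `jdoe` absent from the RDN-derived list but present once the member DN is resolved to its entry, which is exactly the gap between what Michael's login sees and what AD holds. `login_mismatches` run over a full user export (the same `dn` and `sAMAccountName` pairs, however they are dumped) gives the list of entries a rename would have to touch, and therefore the set of DN references elsewhere that might break.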

