[OmniOS-discuss] LDAP and Active Directory via rfc2307

Ian Kaufman ikaufman at eng.ucsd.edu
Fri Apr 22 21:46:32 UTC 2016


Can you pull a complete user object via LDAP query? There might be
secondary attributes that include a POSIX compliant short name.

Ian

On Fri, Apr 22, 2016 at 2:37 PM, Michael Talbott <mtalbott at lji.org> wrote:

> It does have the unix extensions on it which is how I was able to get this
> far (set uids/gids/etc in AD). But I don't have the old windows NIS service
> running though, so I don't use the SFU30 or whatever attributes since I
> believe those are all obsoleted and will soon likely disappear.
>
> ________________________
> Michael Talbott
> Systems Administrator
> La Jolla Institute
>
> On Apr 22, 2016, at 1:18 PM, Ian Kaufman <ikaufman at eng.ucsd.edu> wrote:
>
> Does your AD have SFU (or whatever it is called these days) set up?
>
> Ian
>
> On Fri, Apr 22, 2016 at 12:58 PM, Michael Talbott <mtalbott at lji.org>
> wrote:
>
>> You're exactly right. The DN in ad is the full name and if I create a
>> user where the DN and shortname match, then everything works great.
>> Unfortunately, I'm not sure if updating all the DNs to match the short name
>> will break other dependencies of it deployed in existing software
>> elsewhere. One day when I'm feeling brave and have a little downtime
>> scheduled, I'll batch update all the entries and see if anything breaks.
>> But, I suppose I'm stuck with winbind for the time being. But thank you for
>> all the help.
>>
>>
>>
>> > On Apr 22, 2016, at 11:27 AM, Paul B. Henson <henson at acm.org> wrote:
>> >
>> > On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:
>> >
>> >> all the group members are listed as "John Doe" rather than jdoe which
>> >> means that when jdoe logs in, he can't access his groups due to the
>> >> naming disconnect. Any ideas of how to fix that? Somehow map the group
>> >> members to samAccountName rather than the DN?
>> >
>> > How is your AD structured? It sounds like it's using full names for DNs
>> > rather than usernames? If so, that's not going to work.
>> >
>> > Our AD uses usernames for DNs; for example, I'm:
>> >
>> > dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > cn: henson
>> > sn: Henson
>> > givenName: Paul
>> > initials: B.
>> > distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > displayName: Paul B. Henson
>> > sAMAccountName: henson
>> >
>> > and if you look at a group I'm in:
>> >
>> > dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
>> > cn: netadmin
>> > description: Network admins
>> > member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
>> > sAMAccountName: netadmin
>> >
>> > So the RDN for both users and groups is the short name that a unix box
>> > expects to see, and the long name is in the displayName or description.
>> > I'm guessing you're using the full name as the CN and your users look
>> > like:
>> >
>> > dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
>> >
>> > so your group members look like:
>> >
>> > member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
>> >
>> > If that's the case, I don't think there's any way you can get it to
>> > work. The rfc2307bis group support expects the RDN to be the username,
>> > there's no way to get it to look up some other attribute of the entry
>> > and use it instead.
>>
>> _______________________________________________
>> OmniOS-discuss mailing list
>> OmniOS-discuss at lists.omniti.com
>> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>>
>
>
>
> --
> Ian Kaufman
> Research Systems Administrator
> UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu
>
>
>


-- 
Ian Kaufman
Research Systems Administrator
UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu
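The thread turns on one mechanical point: rfc2307bis group resolution takes the RDN of each `member` DN as the unix username, so when the CN is the person's full name the derived name never matches the account that logs in, and Ian's suggestion is to look at the full user object for a secondary attribute (sAMAccountName, uid) carrying the short name. The script below is an added example, not code from the thread or from OmniOS or Samba: it parses a small constructed LDIF dump (the `DC=ad,DC=example,DC=edu` suffix, the `John Doe`/`jdoe` user and the dangling `ghost` member are made up), resolves each group member the way rfc2307bis does (RDN value) and compares it against the POSIX name found on the referenced user entry, reporting every mismatch. That is the pre-migration check you would want to run before the "batch update all the entries" step, since it lists exactly which entries need their RDN renamed and which member references are already dangling.

```python
"""Audit AD group membership for rfc2307bis-style resolution.

Constructed example: the LDIF below is sample data, not a real directory.
rfc2307bis takes the RDN of each 'member' DN as the unix login name; this
script shows where that RDN differs from the account's sAMAccountName/uid.
"""
import re
from collections import defaultdict

# Constructed sample dump. One user whose CN is the login name, one whose CN
# is the full name, and one group member DN that has no matching entry.
SAMPLE_LDIF = """\
dn: CN=henson,OU=user,DC=ad,DC=example,DC=edu
cn: henson
displayName: Paul B. Henson
sAMAccountName: henson

dn: CN=John Doe,OU=user,DC=ad,DC=example,DC=edu
cn: John Doe
displayName: John Doe
sAMAccountName: jdoe
uid: jdoe

dn: CN=netadmin,OU=group,DC=ad,DC=example,DC=edu
cn: netadmin
description: Network admins
member: CN=henson,OU=user,DC=ad,DC=example,DC=edu
member: CN=John Doe,OU=user,DC=ad,DC=example,DC=edu
member: CN=ghost,OU=user,DC=ad,DC=example,DC=edu
sAMAccountName: netadmin
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn_lowercased: {attr_lowercased: [values]}}.

    Handles only the plain 'attr: value' form with blank-line separated
    entries (no base64 '::' values, no line continuations). DNs and
    attribute names are case-insensitive in AD, so both are lower-cased
    for lookup; values keep their original case.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value.lower()] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def rdn_value(dn):
    """Return the value of the first RDN, i.e. what rfc2307bis uses as the
    unix name. Honours backslash-escaped commas such as 'Henson\\, Paul'."""
    m = re.match(r"^\s*[^=]+=((?:\\.|[^,\\])*)", dn)
    if not m:
        raise ValueError("not a DN: %r" % dn)
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def resolve_group(entries, group_dn):
    """List (member_dn, rdn_name, posix_name) for every member of the group.

    posix_name is taken from the referenced user entry, preferring
    sAMAccountName and falling back to uid (Ian's 'secondary attribute');
    it is None when the member DN does not resolve to any entry.
    """
    group = entries[group_dn.lower()]
    rows = []
    for member_dn in group.get("member", []):
        user = entries.get(member_dn.lower())
        posix = None
        if user is not None:
            for attr in ("samaccountname", "uid"):
                if user.get(attr):
                    posix = user[attr][0]
                    break
        rows.append((member_dn, rdn_value(member_dn), posix))
    return rows


def find_mismatches(entries, group_dn):
    """Members whose RDN differs from the POSIX login name (rfc2307bis will
    hand the wrong name to NSS) plus dangling references (posix is None)."""
    return [row for row in resolve_group(entries, group_dn) if row[1] != row[2]]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    group = "CN=netadmin,OU=group,DC=ad,DC=example,DC=edu"
    for member_dn, rdn, posix in find_mismatches(directory, group):
        status = "dangling member" if posix is None else "RDN %r != login %r" % (rdn, posix)
        print("%s: %s" % (member_dn, status))
```

Against the sample data this flags the `John Doe` entry (RDN `John Doe`, login `jdoe`) and the `ghost` member; the `henson` entry, whose RDN already is the login name, passes. On a real directory you would feed it an `ldapsearch -LLL` dump of the user and group OUs instead of the inline string, and anything it reports is an entry the rename has to cover or a stale group reference to clean up first.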