[OmniOS-discuss] LDAP and Active Directory via rfc2307

Paul B. Henson henson at acm.org
Fri Apr 22 18:27:46 UTC 2016


On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:

> all the group members are listed as "John Doe" rather than jdoe which
> means that when jdoe logs in, he can't access his groups due to the
> naming disconnect. Any ideas of how to fix that? Somehow map the group
> members to samAccountName rather than the DN?

How is your AD structured? It sounds like it's using full names for DNs
rather than usernames? If so, that's not going to work.

Our AD uses usernames for DNs; for example, I'm:

dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
cn: henson
sn: Henson
givenName: Paul
initials: B.
distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
displayName: Paul B. Henson
sAMAccountName: henson

and if you look at a group I'm in:

dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
cn: netadmin
description: Network admins
member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
sAMAccountName: netadmin

So the RDN for both users and groups is the short name that a unix box
expects to see, and the long name is in the displayName or description.
I'm guessing you're using the full name as the CN and your users look
like:

dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu

so your group members look like:

member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu

If that's the case, I don't think there's any way you can get it to
work. The rfc2307bis group support expects the RDN to be the username;
there's no way to get it to look up some other attribute of the entry
and use it instead.
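One way to audit an LDIF export of your users and groups for exactly this RDN/sAMAccountName disconnect, as an added example rather than code from the post: it extracts the RDN value of each member DN (decoding RFC 4514 escapes such as `\,` and `\2C`) and compares it with the account's sAMAccountName, which is what the rfc2307bis client effectively does. The sample LDIF is constructed to mirror the entries above; the reader is minimal and does not handle base64 (`::`) values.

```python
import re

# Constructed LDIF: one user with RDN = username, one with RDN = display name, one group with both.
SAMPLE_LDIF = """\
dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
sAMAccountName: henson

dn: CN=Doe\\, John,OU=user,DC=ad,DC=cpp,DC=edu
sAMAccountName: jdoe

dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
sAMAccountName: netadmin
member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
member: CN=Doe\\, John,OU=user,DC=ad,DC=cpp,DC=edu
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def rdn_value(dn):
    """Value of the first RDN, decoding RFC 4514 '\\x' and '\\XX' escapes."""
    value = dn[dn.index("=") + 1:]
    out = []
    for m in re.finditer(r"\\([0-9A-Fa-f]{2})|\\(.)|(,)|(.)", value):
        hexp, esc, comma, ch = m.groups()
        if comma: break                       # unescaped comma ends the RDN
        out.append(chr(int(hexp, 16)) if hexp else esc or ch)
    return "".join(out)

def check_group_members(entries):
    """Per member DN: (group, member, rdn, sAMAccountName, resolvable). The client
    takes the RDN value as the unix username, so it must equal sAMAccountName."""
    by_dn = {e["dn"][0].lower(): e for e in entries if "dn" in e}
    rows = []
    for group in entries:
        for member in group.get("member", []):
            sam = by_dn.get(member.lower(), {}).get("sAMAccountName", [None])[0]
            rdn = rdn_value(member)
            ok = sam is not None and rdn.lower() == sam.lower()
            rows.append((group.get("sAMAccountName", ["?"])[0], member, rdn, sam, ok))
    return rows
```

Run `check_group_members(parse_ldif(open("export.ldif").read()))` on a real export and every row with a `False` in the last field is a member that will not resolve on the OmniOS client.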

