[OmniOS-discuss] LDAP and Active Directory via rfc2307

Ian Kaufman ikaufman at eng.ucsd.edu
Fri Apr 22 20:18:14 UTC 2016


Does your AD have SFU (or whatever it is called these days) set up?

Ian

On Fri, Apr 22, 2016 at 12:58 PM, Michael Talbott <mtalbott at lji.org> wrote:

> You're exactly right. The DN in AD is the full name and if I create a user
> where the DN and shortname match, then everything works great.
> Unfortunately, I'm not sure if updating all the DNs to match the short name
> will break other dependencies of it deployed in existing software
> elsewhere. One day when I'm feeling brave and have a little downtime
> scheduled, I'll batch update all the entries and see if anything breaks.
> But, I suppose I'm stuck with winbind for the time being. But thank you for
> all the help.
>
>
>
> > On Apr 22, 2016, at 11:27 AM, Paul B. Henson <henson at acm.org> wrote:
> >
> > On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:
> >
> >> all the group members are listed as "John Doe" rather than jdoe which
> >> means that when jdoe logs in, he can't access his groups due to the
> >> naming disconnect. Any ideas of how to fix that? Somehow map the group
> >> members to samAccountName rather than the DN?
> >
> > How is your AD structured? It sounds like it's using full names for DN's
> > rather than usernames? If so, that's not going to work.
> >
> > Our AD uses usernames for DN's; for example, I'm:
> >
> > dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > cn: henson
> > sn: Henson
> > givenName: Paul
> > initials: B.
> > distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > displayName: Paul B. Henson
> > sAMAccountName: henson
> >
> > and if you look at a group I'm in:
> >
> > dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> > cn: netadmin
> > description: Network admins
> > member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
> > distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
> > sAMAccountName: netadmin
> >
> > So the RDN for both users and groups is the short name that a unix box
> > expects to see, and the long name is in the displayName or description.
> > I'm guessing you're using the full name as the CN and your users look
> > like:
> >
> > dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> >
> > so your group members look like:
> >
> > member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
> >
> > If that's the case, I don't think there's any way you can get it to
> > work. The rfc2307bis group support expects the RDN to be the username,
> > there's no way to get it to look up some other attribute of the entry
> > and use it instead.
>
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss at lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>



-- 
Ian Kaufman
Research Systems Administrator
UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu
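The quoted explanation above hinges on one detail: the rfc2307bis group mapping takes the RDN of each `member` DN as the unix username, so any user whose CN is a full name rather than the sAMAccountName silently drops out of his groups. Before a batch rename like the one Michael is considering, it helps to know exactly which entries are affected. The script below is an added example, not code from anyone in this thread; it parses a plain LDIF export (such as one produced by `ldapsearch`) and reports every group member whose RDN differs from its sAMAccountName. The LDIF embedded in it is constructed sample data modelled on the entries Paul posted, with a placeholder domain.

```python
"""Audit AD user/group entries for rfc2307bis-compatible naming.

rfc2307bis group support uses the RDN of each ``member`` DN as the unix
username.  This script parses an LDIF export and lists every group member
whose RDN is not its sAMAccountName, i.e. every membership a unix client
would attribute to the wrong name.  Sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample export: one user whose CN equals the short name, one
# whose CN is the full name (the situation in the thread), and one group.
SAMPLE_LDIF = """\
dn: CN=henson,OU=user,DC=ad,DC=example,DC=edu
objectClass: user
cn: henson
displayName: Paul B. Henson
sAMAccountName: henson

dn: CN=John Doe,OU=user,DC=ad,DC=example,DC=edu
objectClass: user
cn: John Doe
displayName: John Doe
sAMAccountName: jdoe

dn: CN=netadmin,OU=group,DC=ad,DC=example,DC=edu
objectClass: group
cn: netadmin
description: Network admins
member: CN=henson,OU=user,DC=ad,DC=example,DC=edu
member: CN=John Doe,OU=user,DC=ad,DC=example,DC=edu
sAMAccountName: netadmin
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr(lowercase): [values]} dicts.

    Handles folded lines (leading space) and blank-line separated entries.
    Base64 (``::``) values are not needed for this audit and are not decoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    return entries


def rdn_value(dn):
    """Return the value of the first RDN: 'henson' for 'CN=henson,OU=...'.

    The split is on the first comma not escaped with a backslash.
    """
    chars, escaped = [], False
    for ch in dn:
        if escaped:
            chars.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            break
        else:
            chars.append(ch)
    _, _, value = "".join(chars).partition("=")
    return value.strip()


def audit_group_members(entries):
    """Return (group, member_dn, rdn, sAMAccountName) for each mismatch.

    A member whose DN is absent from the export is reported with None as
    its sAMAccountName so it can be investigated separately.
    """
    def has_class(entry, name):
        return name in [c.lower() for c in entry.get("objectclass", [])]

    users = {e["dn"][0].lower(): e for e in entries if has_class(e, "user")}
    problems = []
    for group in entries:
        if not has_class(group, "group"):
            continue
        gname = (group.get("samaccountname") or [rdn_value(group["dn"][0])])[0]
        for member_dn in group.get("member", []):
            rdn = rdn_value(member_dn)
            user = users.get(member_dn.lower())
            sam = user.get("samaccountname", [None])[0] if user else None
            if sam is None or rdn.lower() != sam.lower():
                problems.append((gname, member_dn, rdn, sam))
    return problems


def audit_ldif_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit_group_members(parse_ldif(text))


if __name__ == "__main__":
    for gname, dn, rdn, sam in audit_ldif_text(SAMPLE_LDIF):
        print(f"group {gname}: member {dn} maps to {rdn!r}, expected {sam!r}")
```

Run against a real export (`ldapsearch -LLL ... > export.ldif`, then `audit_ldif_text(open("export.ldif").read())`), the output is the list of memberships that will break under rfc2307bis until either the user's RDN is renamed to the sAMAccountName or the client is switched to a backend such as winbind that resolves members by attribute rather than by RDN.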