[OmniOS-discuss] LDAP and Active Directory via rfc2307

Michael Talbott mtalbott at lji.org
Fri Apr 22 22:02:20 UTC 2016


I can. But the problem lies with how the unix group membership expects usernames to be presented. It is grabbing the DN for the username and it appears it can not be set to any other attribute (or at least I can't find a way to do so).

________________________
Michael Talbott
Systems Administrator
La Jolla Institute

> On Apr 22, 2016, at 2:46 PM, Ian Kaufman <ikaufman at eng.ucsd.edu> wrote:
> 
> Can you pull a complete user object via LDAP query? There might be secondary attributes that include a POSIX compliant short name.
> 
> Ian
> 
> On Fri, Apr 22, 2016 at 2:37 PM, Michael Talbott <mtalbott at lji.org> wrote:
> It does have the unix extensions on it which is how I was able to get this far (set uids/gids/etc in AD). But I don't have the old Windows NIS service running though, so I don't use the SFU30 or whatever attributes since I believe those are all obsoleted and will soon likely disappear.
> 
> ________________________
> Michael Talbott
> Systems Administrator
> La Jolla Institute
> 
>> On Apr 22, 2016, at 1:18 PM, Ian Kaufman <ikaufman at eng.ucsd.edu> wrote:
>> 
>> Does your AD have SFU (or whatever it is called these days) set up? 
>> 
>> Ian
>> 
>> On Fri, Apr 22, 2016 at 12:58 PM, Michael Talbott <mtalbott at lji.org> wrote:
>> You're exactly right. The DN in AD is the full name and if I create a user where the DN and shortname match, then everything works great. Unfortunately, I'm not sure if updating all the DNs to match the short name will break other dependencies of it deployed in existing software elsewhere. One day when I'm feeling brave and have a little downtime scheduled, I'll batch update all the entries and see if anything breaks. But, I suppose I'm stuck with winbind for the time being. But thank you for all the help.
>> 
>> 
>> 
>> > On Apr 22, 2016, at 11:27 AM, Paul B. Henson <henson at acm.org> wrote:
>> >
>> > On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:
>> >
>> >> all the group members are listed as "John Doe" rather than jdoe which
>> >> means that when jdoe logs in, he can't access his groups due to the
>> >> naming disconnect. Any ideas of how to fix that? Somehow map the group
>> >> members to samAccountName rather than the DN?
>> >
>> > How is your AD structured? It sounds like it's using full names for DNs
>> > rather than usernames? If so, that's not going to work.
>> >
>> > Our AD uses usernames for DNs; for example, I'm:
>> >
>> > dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > cn: henson
>> > sn: Henson
>> > givenName: Paul
>> > initials: B.
>> > distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > displayName: Paul B. Henson
>> > sAMAccountName: henson
>> >
>> > and if you look at a group I'm in:
>> >
>> > dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
>> > cn: netadmin
>> > description: Network admins
>> > member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
>> > sAMAccountName: netadmin
>> >
>> > So the RDN for both users and groups is the short name that a unix box
>> > expects to see, and the long name is in the displayName or description.
>> > I'm guessing you're using the full name as the CN and your users look
>> > like:
>> >
>> > dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
>> >
>> > so your group members look like:
>> >
>> > member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
>> >
>> > If that's the case, I don't think there's any way you can get it to
>> > work. The rfc2307bis group support expects the RDN to be the username,
>> > there's no way to get it to look up some other attribute of the entry
>> > and use it instead.
>> 
>> _______________________________________________
>> OmniOS-discuss mailing list
>> OmniOS-discuss at lists.omniti.com
>> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>> 
>> 
>> 
>> -- 
>> Ian Kaufman
>> Research Systems Administrator
>> UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu 
> 
> 
> 
> 
> -- 
> Ian Kaufman
> Research Systems Administrator
> UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu 
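The mismatch Paul describes (rfc2307bis takes the username from the RDN of each `member:` DN, so a CN of "John Doe" never matches the login name jdoe) can be found in advance by auditing an LDIF export rather than by batch-renaming entries and seeing what breaks. The script below is an added example written for this thread, not code from the list or from OmniOS; it parses a constructed LDIF sample (the `DC=ad,DC=example,DC=edu` suffix and the two user entries are made up for illustration) and, for every member of a group, compares the RDN value with the member's sAMAccountName, handling the backslash-escaped comma that a "Doe\, John" style CN produces.

```python
"""Audit AD user/group entries for the rfc2307bis RDN-vs-username mismatch.

Added example, not from the mailing-list thread. The sample LDIF below is
constructed for illustration; point parse_ldif() at a real `ldapsearch -LLL`
export to audit your own groups.
"""
import re

# Constructed sample export (not real data): one user whose RDN equals the
# sAMAccountName, one whose RDN is the full name, and a group containing both.
SAMPLE_LDIF = """\
dn: CN=henson,OU=user,DC=ad,DC=example,DC=edu
cn: henson
displayName: Paul B. Henson
sAMAccountName: henson

dn: CN=John Doe,OU=user,DC=ad,DC=example,DC=edu
cn: John Doe
displayName: John Doe
sAMAccountName: jdoe

dn: CN=netadmin,OU=group,DC=ad,DC=example,DC=edu
cn: netadmin
member: CN=henson,OU=user,DC=ad,DC=example,DC=edu
member: CN=John Doe,OU=user,DC=ad,DC=example,DC=edu
sAMAccountName: netadmin
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a dict keyed by lowercased DN.

    Supports repeated attributes (several 'member:' lines) and LDIF line
    folding (a continuation line starts with a single space). Base64 ('::')
    values are not decoded; they are not needed for this check."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # unfold continuation lines
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries


def rdn_value(dn):
    """Return the value of the first RDN of a DN, honouring backslash-escaped
    commas: 'CN=Doe\\, John,OU=user,...' has the RDN value 'Doe, John'."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    _, _, value = first.partition("=")
    return value.replace("\\,", ",").strip()


def audit_group(entries, group_dn):
    """Compare each member's RDN with its sAMAccountName.

    Returns a list of (member_dn, rdn, sAMAccountName, ok). A member whose
    entry is missing from the export is reported as not ok."""
    group = entries[group_dn.lower()]
    report = []
    for member_dn in group.get("member", []):
        rdn = rdn_value(member_dn)
        user = entries.get(member_dn.lower())
        sam = user["samaccountname"][0] if user and "samaccountname" in user else None
        # AD treats names case-insensitively, so compare lowercased
        ok = sam is not None and rdn.lower() == sam.lower()
        report.append((member_dn, rdn, sam, ok))
    return report


def mismatches(entries, group_dn):
    """Only the members whose RDN would not resolve to a unix username."""
    return [r for r in audit_group(entries, group_dn) if not r[3]]


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    group = "CN=netadmin,OU=group,DC=ad,DC=example,DC=edu"
    for member_dn, rdn, sam, ok in audit_group(db, group):
        print("OK      " if ok else "MISMATCH", repr(rdn), "->", sam)
```

Run against the sample, the henson entry passes and the "John Doe" entry is reported as a mismatch against jdoe; on a real export the mismatch list is exactly the set of users that would lose group access under the rfc2307bis lookup, which is the set you would need to rename (or keep on winbind) before switching.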
