[OmniOS-discuss] LDAP and Active Directory via rfc2307

Michael Talbott mtalbott at lji.org
Fri Apr 22 23:00:57 UTC 2016


I wonder how winbind accomplishes this; maybe it does the lookups and cross-references you mentioned... which is probably why it's so slow by comparison to ldap ;)

Thanks for all the help Paul. It's just too bad that Windows uses the full name to create the user DN by default, which is really the cause of the problem... Now I just need to find out who it was that wrote that chunk of code in AD ;)


> On Apr 22, 2016, at 3:34 PM, Paul B. Henson <henson at acm.org> wrote:
> 
> On Fri, Apr 22, 2016 at 03:02:20PM -0700, Michael Talbott wrote:
>> I can. But the problem lies with how the unix group membership expects
>> usernames to be presented. It is grabbing the DN by for the username
>> and it appears it can not be set to any other attribute (or at least I
>> can't find a way to do so).
> 
> As the guy who added rfc2307bis group support to the illumos ldap naming
> services integration code (previously it only supported rfc2307), I can
> say fairly authoritatively there's no way to do so :). Sorry.
> 
> This is the same behavior as nss_ldap and sssd under linux, I'm not
> aware of any rfc2307bis implementation that allows you to specify an
> alternate attribute rather than using the RDN as the member name. I
> suppose it would be possible, but would certainly increase the
> complexity as for each member you'd need to look up their entry to find
> that alternate attribute to do the substitution. Hopefully you'll be
> able to restructure your AD to use usernames as RDN's...
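As an added illustration (not code from this thread, from illumos, or from nss_ldap/sssd), the following contrasts the two resolution strategies Paul describes: taking the RDN value of each group `member` DN as the unix member name versus the costlier per-member lookup of an alternate attribute. The directory contents, DNs and uid values are constructed sample data.

```python
# Constructed example: how an rfc2307bis-style resolver maps group "member" DNs
# to unix member names, and why an AD-style "CN=Full Name" RDN breaks it.

def parse_dn(dn):
    """Split a DN into (attr, value) RDN pairs, honouring backslash escapes (RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char, e.g. "\," inside a CN
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                            # unescaped comma ends this RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs

def member_name_from_rdn(member_dn):
    """What the illumos / nss_ldap / sssd rfc2307bis code does: the RDN value is the name."""
    return parse_dn(member_dn)[0][1]

# Constructed in-memory directory: DN -> attributes. Not real accounts.
DIRECTORY = {
    "cn=Jane Doe,ou=Users,dc=example,dc=com": {"uid": "jdoe"},
    "uid=bob,ou=Users,dc=example,dc=com": {"uid": "bob"},
    "cn=Smith\\, Alice,ou=Users,dc=example,dc=com": {"uid": "asmith"},
}

def member_name_via_lookup(member_dn, directory=DIRECTORY, attr="uid"):
    """The alternative Paul outlines: fetch each member entry and substitute an attribute.
    Returns None when the referenced entry is missing (a dangling member DN)."""
    entry = directory.get(member_dn)
    return entry.get(attr) if entry else None

def resolve_group(member_dns, lookup=False):
    """Turn a group's 'member' values into the unix member list using either strategy."""
    resolve = member_name_via_lookup if lookup else member_name_from_rdn
    return [resolve(dn) for dn in member_dns]
```

With `lookup=False` the first and third entries come back as "Jane Doe" and "Smith, Alice" rather than usernames, which is exactly the mismatch discussed above; only the entry whose RDN is already `uid=` resolves correctly.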