
Re: userPrincipalName


On Thu, 2011-01-06 at 14:59 +0000, stephen.rankin@stfc.ac.uk wrote:
> Setting: 
> 
> map passwd uid userPrincipalName 
> map shadow uid userPrincipalName 
> 
> in the nslcd config file does not work (cannot login), but it does for
> sAMAccountName.
> 
> userPrincipalName is set in Active Directory and includes the domain
> (@). 
> 
> Is there a way of using userPrincipalName as the login username?

nslcd should support login names with an @ in them but you have to log in
with the full name including @. Does nslcd give any errors in such a
configuration?

> Even better, it would be nice if I could use sAMAccountName and
> userPrincipalName at the same time, i.e. the user can login with
> either their sAMAccountName or their userPrincipalName – is this
> possible?

Currently, you can only map one attribute that is used for lookups to
one LDAP attribute. Attributes that are not used in searches (e.g.
homeDirectory) can be mapped to several attributes in LDAP, such as
  map passwd gecos "${gecos:-$cn}"

For attributes used in searches (uid, uidNumber) this is more difficult
because the attribute mappings are used to construct searches.

Also, you have to be careful to not generate users on your system with
duplicate symbolic or numeric user ids. This confuses some tools (it is
known to confuse nscd) and may cause problems.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
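
Added example (not part of the original message and not code from nss-pam-ldapd): a check for the duplicate-id caveat above, which reads passwd-format lines and reports login names that occur twice and numeric UIDs shared by different names. The function name, the SAMPLE_PASSWD data and the example.test domain are constructed for illustration.

```shell
#!/bin/sh
# Added example: find duplicate login names and shared numeric UIDs in
# passwd-format input (name:passwd:uid:gid:gecos:home:shell).
# Typical use on a host running nslcd:  getent passwd | find_passwd_duplicates

find_passwd_duplicates() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        NF < 7 { printf "MALFORMED line %d\n", NR; bad = 1; next }
        {
            name = $1; uid = $3
            # The same login name returned more than once.
            if (name in seen_name) { printf "DUPNAME %s\n", name; bad = 1 }
            seen_name[name] = 1
            # One numeric UID resolving to two different login names.
            if (uid in uid_owner) {
                if (uid_owner[uid] != name) {
                    printf "DUPUID %s %s %s\n", uid, uid_owner[uid], name
                    bad = 1
                }
            } else {
                uid_owner[uid] = name
            }
        }
        END { exit bad }                      # non-zero status if anything found
    '
}

# Constructed sample: the same directory entry exposed under both a short
# name and a name containing @, so both lines carry the same uidNumber.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
jdoe:*:10001:10000:J Doe:/home/jdoe:/bin/bash
jdoe@example.test:*:10001:10000:J Doe:/home/jdoe:/bin/bash
asmith:*:10002:10000:A Smith:/home/asmith:/bin/bash'

report=$(printf '%s\n' "$SAMPLE_PASSWD" | find_passwd_duplicates) || true
printf '%s\n' "$report"
```
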