Re: Mapping question.

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Arthur de Jong <arthur [at] arthurdejong.org>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: Mapping question.
Date: Fri, 23 Oct 2015 10:04:16 +0200

Hi,

On Wed, 2015-10-21 at 17:06 -0400, eRIC wrote:
> dn: CN=sleduc,OU=Users,OU=ION,DC=ionharris,DC=com
> cn: sleduc
> displayName: sleduc
> memberOf: 
> CN=F11.TRACO.SupportTier3,OU=FacilitiesRoles,OU=ION,DC=ionharris,DC=com
> memberOf: 
> CN=F11.TRACO.SupportTier2,OU=FacilitiesRoles,OU=ION,DC=ionharris,DC=com
> memberOf: 
> CN=MCO.ATCT.SupportTier3,OU=FacilitiesRoles,OU=ION,DC=ionharris,DC=com
> memberOf: 
> CN=MCO.ATCT.SupportTier2,OU=FacilitiesRoles,OU=ION,DC=ionharris,DC=com
> memberOf: CN=Enterprise Admins,CN=Users,DC=ionharris,DC=com
> name: sleduc
> userAccountControl: 66048
> badPwdCount: 1
> badPasswordTime: 130778246043805114
> pwdLastSet: 130776407716618773
> primaryGroupID: 513
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 3
> sAMAccountName: sleduc
> sAMAccountType: 805306368
> userPrincipalName: sleduc@ionharris.com
> lockoutTime: 0
> lastLogonTimestamp: 130894836960699575
> uidNumber: 1000

Assuming the cn attribute contains the user's username and the name
attribute usually contains the full name (firstname, lastname) you
would probably want to use something like the following mapping:

  map passwd uid cn
  map passwd gidNumber primaryGroupID
  map passwd gecos name
  map passwd homeDirectory "/home/$cn"
  map passwd loginShell "/bin/bash"

If you want to expose the account expiration information from LDAP you
should also configure the shadow map in nsswitch.conf and map the
following shadow attributes but I'm not 100% sure the values are
compatible.

  map shadow uid cn
  map shadow shadowLastChange pwdLastSet
  map shadow shadowExpire accountExpires

You may also need to do some mapping for group entries. nss-pam-ldapd
currently does not use the (often synthetic) memberOf attribute but
expects group entries with attributes that point to users.

By the way, can you name the LDAP server implementation that you're
using? That may make it easier for other people with similar
configurations.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Mapping question., eRIC
- Re: Mapping question., Arthur de Jong
  - Re: Mapping question., eRIC
    - Re: Mapping question., Arthur de Jong

Prev by Date: Re: Mapping question.
Next by Date: Re: Mapping question.
Previous by thread: Re: Mapping question.
Next by thread: Re: Mapping question.