Re: AD group membership second method
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: John Sopko <sopko [at] cs.unc.edu>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Cc: David A Cowhig <dcowhig [at] cs.unc.edu>
- Subject: Re: AD group membership second method
- Date: Mon, 30 Apr 2018 20:14:31 +0200
On Tue, 2018-04-24 at 14:03 -0400, John Sopko wrote:
> Can someone give me the magic group filters and mappings in
> nslcd.conf so we can use regular AD group members instead of having
> to populate AD groups with memberUid? That is we would like to use
> the second method as noted below from the README. I understand there
> may be a performance hit. Thanks.
The sample nslcd.conf has two options for using AD as an LDAP server:
https://arthurdejong.org/git/nss-pam-ldapd/tree/nslcd.conf#n106
The two examples differ in whether the uidNumber and gidNumber
attributes are present.
If you have groups I think AD uses the member attribute which is
supported by nss-pam-ldapd as default mapping. This attribute used to
be uniqueMember by default in very old releases of nss-pam-ldapd. For
some versions of AD you may need to include the sAMAccountName as uid
attribute mapping.
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
--
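An added example, not part of the original message and not the project's own sample file: an nslcd.conf fragment for the setup the reply describes, with AD groups resolved through the default member mapping and sAMAccountName mapped as uid. The server name, base DN, bind account and CA path are constructed placeholders, and the filters assume the variant where uidNumber and gidNumber are present in AD.

```conf
# Added example; all host names, DNs and paths are constructed placeholders.
# The file holds a bind password, so keep it readable by root only.
uri ldaps://dc.example.com/
base dc=example,dc=com
binddn cn=nslcd-reader,cn=Users,dc=example,dc=com
bindpw CHANGE_ME

# Verify the domain controller's certificate.
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# Settings commonly used with AD.
pagesize 1000
referrals off
idle_timelimit 800

# Users: take the login name from sAMAccountName.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName

# Groups: match AD group objects that carry a gidNumber.
# Membership comes from the member attribute (a list of DNs), which is the
# default mapping, so no "map group member ..." line is needed. nslcd
# resolves each member DN to a user name through the passwd mapping above.
filter group (&(objectClass=group)(gidNumber=*))
```

After restarting nslcd, `getent group` for one of the AD groups should list its members by sAMAccountName without any memberUid values being populated.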