
Re: [nssldap] some questions regarding Active Directory <--> NSS Ldap
- From: Jeffrey Watts <jeffrey.w.watts [at] gmail.com>
- To: Илья Шипицин <chipitsine [at] gmail.com>
- Cc: nssldap [at] padl.com
- Reply-to: watts [at] jayhawks.net
- Subject: Re: [nssldap] some questions regarding Active Directory <--> NSS Ldap
- Date: Tue, 23 Feb 2010 10:02:54 -0600
There are five attributes that need adding (or otherwise dealt with) to a standard AD user to make them work with nss_ldap:
gecos
gidNumber
loginShell
uidNumber
unixHomeDirectory
Note that AD groups need the gidNumber set as well.
I map gecos to displayName, and the other four get set for our AD users that need access to Unix systems. Since we use the same shell and gidNumber for all AD users, technically only two attributes need to be set (I believe there is an option, nss_default_attribute_value, that will work to set defaults for attributes not set).
Here are my mappings:
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowExpire accountExpires
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
Don't forget to set the PAM attributes as well. I'm using a Windows2008R2 schema on Win2008R2 and Win2003 servers. Clients are RHEL3,4,5 and HP-UX 11.11,23,31. Make sure that your users and groups are in a container that falls within the nss_base_* variables.
Jeffrey.
On Tue, Feb 23, 2010 at 8:53 AM, Илья Шипицин <chipitsine [at] gmail.com> wrote:
Hello!
first, I found that readme.sfu is outdated, how should I request it to be excluded ? via BugZilla ?
secondly, I uncommented the following section in libnss_ldap.conf (on Debian)
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
on the wire (by using wireshark) I see the following attributes being requested: sAMAccountname, userPassword, uidNumber, gidNumber, cn, unixHomeDirectory, loginShell, gecos, description, objectClass (10 attributes)
however, AD only provides 4 attributes: sAMAccountname, cn, objectClass, description
thus, id command (id 'someuser') doesn't show anything. yes, query is made and 4 attributes are returned, but user is not found, probably because nss_ldap expects more than 4 attributes. where can I read about it ? what attributes are mandatory and what are optional ?
is there a good article on Active Directory <--> NSS (all the articles on the site are related to win2000 or just links are broken)
I mean some article on win2008
Cheers,
Ilya Shipitsin
--
"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself." -- Thomas Paine
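The exchange above boils down to one question: which RFC 2307 attributes must an AD user carry (after nss_map_attribute renaming and nss_default_attribute_value defaults) before nss_ldap can build a passwd entry, and why a user that only returns sAMAccountName, cn, objectClass and description makes `id` come back empty. The following pre-flight check is an added example, not code from the nss_ldap project or from either poster. It parses the mapping lines Jeffrey posted, applies them to two constructed AD entries (one as bare as what Ilya saw on the wire, one with uidNumber and unixHomeDirectory set) and reports what is still missing. The `nss_default_attribute_value <attribute> <value>` syntax, the default values and the sample user data are assumptions.

```python
"""Pre-flight check: can nss_ldap build a passwd entry from this AD user?

Added example for the thread above; not code from the nss_ldap project or from
either poster. The 'nss_default_attribute_value <attribute> <value>' syntax is
assumed, and the sample account names, uids and paths are constructed.
"""

# RFC 2307 attributes nss_ldap needs for a passwd entry (names before mapping).
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")
OPTIONAL = ("gecos", "loginShell")

# Mappings as posted in the reply above, plus two assumed defaults so that only
# uidNumber and unixHomeDirectory have to be set per user.
SAMPLE_CONF = """\
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowExpire accountExpires
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
# assumed defaults (syntax assumed to be: attribute value)
nss_default_attribute_value loginShell /bin/bash
nss_default_attribute_value gidNumber 10000
"""

# Constructed sample entries, shaped like ldapsearch output (attribute -> values).
# BARE_USER carries only the four attributes AD returned in the question;
# UNIX_USER adds the attributes the reply says must be populated.
BARE_USER = {
    "sAMAccountName": ["alice"],
    "cn": ["Alice Example"],
    "description": ["constructed test account"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
}
UNIX_USER = dict(BARE_USER, displayName=["Alice Example"],
                 uidNumber=["10001"], unixHomeDirectory=["/home/alice"])


def parse_conf(text):
    """Return (objectclass_map, attribute_map, defaults) from ldap.conf-style lines."""
    objectclasses, attributes, defaults = {}, {}, {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 2)  # drop comments, keep 3 fields
        if len(parts) != 3:
            continue
        key, name, value = parts
        if key == "nss_map_objectclass":
            objectclasses[name] = value
        elif key == "nss_map_attribute":
            attributes[name] = value
        elif key == "nss_default_attribute_value":
            defaults[name] = value
    return objectclasses, attributes, defaults


def check_posix_account(entry, conf_text):
    """Return (ok, missing, resolved).

    resolved maps RFC 2307 names to the value nss_ldap would use after renaming
    and defaulting; missing lists the required pieces that are absent, which is
    what makes `id user` return nothing for an unprepared AD account.
    """
    objectclasses, attributes, defaults = parse_conf(conf_text)
    # LDAP attribute names are case-insensitive (sAMAccountName == samaccountname),
    # so compare everything lower-cased.
    lowered = {k.lower(): list(v) for k, v in entry.items()}
    missing = []
    wanted = objectclasses.get("posixAccount", "posixAccount")
    if wanted.lower() not in {c.lower() for c in lowered.get("objectclass", [])}:
        missing.append("objectClass=" + wanted)
    resolved = {}
    for name in REQUIRED + OPTIONAL:
        ad_name = attributes.get(name, name).lower()        # nss_map_attribute
        values = lowered.get(ad_name)
        value = values[0] if values else defaults.get(name)  # then the default
        if value is None:
            if name in REQUIRED:
                missing.append(name)
        else:
            resolved[name] = value
    return not missing, missing, resolved


def passwd_line(resolved):
    """Format a resolved entry the way getpwnam() would expose it."""
    return "%s:x:%s:%s:%s:%s:%s" % (
        resolved["uid"], resolved["uidNumber"], resolved["gidNumber"],
        resolved.get("gecos", ""), resolved["homeDirectory"],
        resolved.get("loginShell", ""))


if __name__ == "__main__":
    for label, user in (("bare AD user", BARE_USER), ("user with Unix attrs", UNIX_USER)):
        ok, missing, resolved = check_posix_account(user, SAMPLE_CONF)
        print(label, "->", passwd_line(resolved) if ok else "missing: " + ", ".join(missing))
```

Run against the bare entry the check reports uidNumber and homeDirectory as missing (uid comes from sAMAccountName, gidNumber and loginShell from the assumed defaults), which matches the symptom in the question; against the second entry it produces a complete passwd line. In production the same check would be run against real ldapsearch output for a user under the nss_base_* containers, before trusting `id` as the diagnostic.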