[OmniOS-discuss] LDAP and Active Directory rfc2307

Michael Talbott mtalbott at lji.org
Fri Apr 22 01:27:54 UTC 2016


I hope someone out there can help me solve the last piece of a puzzle I've been banging my head over: getting OmniOS to cooperate with an Active Directory LDAP setup with uid/gid mapping set via AD Unix Attributes. I've been using winbind previously to do this mapping via rfc2307, but I'd like to get rid of it and use LDAP instead. I seem to have all usernames/uids/gids mapping correctly thus far, but the problem is none of the groups have any members shown via getent group. It'll list the groups and the proper group IDs as set in AD, but no members :( I know there's gotta be some simple mapping I'm missing or set incorrectly, but I just can't seem to find it.

Any help is appreciated.

By the way, once the problem is fixed here, maybe it should be added to http://omnios.omniti.com/wiki.php/GeneralAdministration#ConfiguringLDAP since it's still "TODO" ;)

Here's the binding method I'm using:

#####

ldapclient manual \
 -a credentialLevel=proxy \
 -a authenticationMethod=simple \
 -a "proxyDN=cn=ldap_service_user,cn=Users,dc=ad,dc=xyz,dc=com" \
 -a defaultSearchBase=dc=ad,dc=xyz,dc=com \
 -a domainName=ad.xyz.com \
 -a "defaultServerList=10.x.x.x" \
 -a attributeMap=passwd:gecos=cn \
 -a attributeMap=shadow:gecos=cn \
 -a attributeMap=group:gecos=cn \
 -a attributeMap=passwd:uid=sAMAccountName \
 -a attributeMap=shadow:uid=sAMAccountName \
 -a attributeMap=passwd:homedirectory=unixHomeDirectory \
 -a attributeMap=shadow:shadowLastChange=pwdLastSet \
 -a attributeMap=group:uniqueMember=member \
 -a objectClassMap=passwd:posixAccount=user \
 -a objectClassMap=shadow:shadowAccount=user \
 -a objectClassMap=group:posixGroup=group \
 -a "serviceSearchDescriptor=group:dc=ad,dc=xyz,dc=com?sub?(&(objectClass=group)(gidNumber=*))" \
 -a "serviceSearchDescriptor=passwd:cn=users,dc=ad,dc=xyz,dc=com?sub?(&(objectClass=user)(uidNumber=*))"

# I've also tried adding this to no avail:
# -a attributeMap=group:gid=sAMAccountName \

# fix nsswitch (append "ldap" after "files" for the passwd and group sources)
cp /etc/nsswitch.dns /etc/nsswitch.conf
sed -i 's@passwd:     files@passwd:     files ldap@g' /etc/nsswitch.conf
sed -i 's@group:      files@group:      files ldap@g' /etc/nsswitch.conf

# reset the client and flush cache
svcadm disable svc:/network/ldap/client:default
sleep 2
svcadm enable svc:/network/ldap/client:default
sleep 1
svcs svc:/network/ldap/client:default
nscd -i passwd

# show connection sanity
/usr/lib/ldap/ldap_cachemgr -g

# profit
getent passwd
getent group

#####

I've also set this in /etc/system so it'll handle more than the 16-group limit (which previously solved issues I was having in winbind):

set ngroups_max = 1024 
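As an added illustration (not part of the post, and not illumos's actual lookup code): a simplified Python model of the step a group lookup has to perform once AD's DN-valued `member` is mapped onto uniqueMember, namely turning each member DN into a login name, subject to the passwd search base and `(uidNumber=*)` filter from the configuration above. The directory entries are constructed sample data, and how ldap_cachemgr really treats each case (nested groups in particular) is an assumption of this model, not something the post establishes.

```python
# Added example (not from the original post): model the DN-to-login-name step
# of an rfc2307bis-style group lookup. DIRECTORY is constructed sample data
# shaped like the entries the post's serviceSearchDescriptors would return;
# the scope/filter rules below come from the post's passwd SSD
# (base cn=users, filter (uidNumber=*)).
PASSWD_BASE = "cn=users,dc=ad,dc=xyz,dc=com"

DIRECTORY = {
    "CN=alice,CN=Users,DC=ad,DC=xyz,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"], "uidNumber": ["10001"]},
    # outside the passwd search base used in the post
    "CN=bob,OU=Staff,DC=ad,DC=xyz,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"], "uidNumber": ["10002"]},
    # in scope, but never given Unix attributes
    "CN=svc_backup,CN=Users,DC=ad,DC=xyz,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["svc_backup"]},
    # a group nested inside a group
    "CN=nested,CN=Users,DC=ad,DC=xyz,DC=com": {
        "objectClass": ["group"], "sAMAccountName": ["nested"], "gidNumber": ["20002"],
        "member": ["CN=alice,CN=Users,DC=ad,DC=xyz,DC=com"]},
    "CN=unixadmins,CN=Users,DC=ad,DC=xyz,DC=com": {
        "objectClass": ["group"], "sAMAccountName": ["unixadmins"], "gidNumber": ["20001"],
        "member": ["CN=alice,CN=Users,DC=ad,DC=xyz,DC=com",
                   "CN=bob,OU=Staff,DC=ad,DC=xyz,DC=com",
                   "CN=svc_backup,CN=Users,DC=ad,DC=xyz,DC=com",
                   "CN=nested,CN=Users,DC=ad,DC=xyz,DC=com",
                   "CN=ghost,CN=Users,DC=ad,DC=xyz,DC=com"]},
}

def resolve_group(group_dn):
    """Return (getent-style group line, [(member_dn, why it was dropped)])."""
    g = DIRECTORY[group_dn]
    names, dropped = [], []
    for dn in g.get("member", []):
        e = DIRECTORY.get(dn)
        if e is None:
            dropped.append((dn, "member DN does not exist"))
        elif "group" in e["objectClass"]:
            dropped.append((dn, "nested group (this model does not expand groups)"))
        elif not dn.lower().endswith(PASSWD_BASE):  # DN matching is case-insensitive
            dropped.append((dn, "outside the passwd search base"))
        elif "uidNumber" not in e:
            dropped.append((dn, "no uidNumber, excluded by (uidNumber=*)"))
        else:
            names.append(e["sAMAccountName"][0])
    line = f"{g['sAMAccountName'][0]}:x:{g['gidNumber'][0]}:{','.join(names)}"
    return line, dropped
```

Running `resolve_group` on the constructed "unixadmins" group yields only alice in the member list; the `dropped` list names each member that would silently vanish from getent output and why, which is the kind of per-member check worth running against real AD data when a group shows up empty.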


