[OmniOS-discuss] LDAP and Active Directory via rfc2307
Michael Talbott
mtalbott at lji.org
Fri Apr 22 01:39:08 UTC 2016
I've been trying to figure out where I'm going wrong and just can't seem to pinpoint the problem. I'm trying to move a few servers away from winbind, which was using rfc2307 mappings for uid/gid mapping, and use LDAP instead. Using the configuration below, username/userid and groupname/groupid match the IDs set in AD. However, for some reason, getent group shows all the groups with the proper IDs, but none of the groups have any members in them :( getent passwd seems to work fine. So I'm thinking I'm missing some critical mapping to make this happen, but just can't seem to figure out where I'm going wrong. Oh, and I'm running r151018.
Any help is much appreciated.
By the way, once this is resolved, maybe it should get posted under here: http://omnios.omniti.com/wiki.php/GeneralAdministration#ConfiguringLDAP
Here's what I use to bind:
# setup ldap like so
# NOTE: authenticationMethod=simple sends the proxy bind password to AD in
# cleartext; tls:simple (with the server CA certificate in the /var/ldap
# certificate database) protects it on the wire.
# NOTE: AD's "member" attribute (mapped to uniqueMember below) holds full
# DNs of the form CN=...,CN=Users,DC=..., not login names.
ldapclient uninit
ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a "proxyDN=cn=xyz_ldap_service,cn=Users,dc=ad,dc=xyz,dc=com" \
-a defaultSearchBase=dc=ad,dc=xyz,dc=com \
-a domainName=ad.xyz.com \
-a "defaultServerList=10.x.x.x" \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=shadow:gecos=cn \
-a attributeMap=group:gecos=cn \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=shadow:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=shadow:shadowLastChange=pwdLastSet \
-a attributeMap=group:uniqueMember=member \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a objectClassMap=group:posixGroup=group \
-a "serviceSearchDescriptor=group:dc=ad,dc=xyz,dc=com?sub?(&(objectClass=group)(gidNumber=*))" \
-a "serviceSearchDescriptor=passwd:cn=users,dc=ad,dc=xyz,dc=com?sub?(&(objectClass=user)(uidNumber=*))"
# enter the proxy bind password when prompted
# remove "ldap" from all entries in /etc/nsswitch.conf except for passwd and group
cp /etc/nsswitch.dns /etc/nsswitch.conf
sed -i 's@passwd: files@passwd: files ldap@g' /etc/nsswitch.conf
sed -i 's@group: files@group: files ldap@g' /etc/nsswitch.conf
# restart ldap client
svcadm disable svc:/network/ldap/client:default
sleep 2
svcadm enable svc:/network/ldap/client:default
sleep 1
svcs svc:/network/ldap/client:default
# invalidate both caches; -i passwd alone leaves stale group entries in nscd
nscd -i passwd
nscd -i group
# sanity checks
/usr/lib/ldap/ldap_cachemgr -g
svcs \*ldap\*
svcs -l network/ldap/client:default
nscd -i passwd
nscd -i group
ldapclient list
ldaplist passwd
ldaplist group
/usr/lib/ldap/ldap_cachemgr -g
# profit
getent passwd
getent group
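The following is an added example and is not part of the original post or of OmniOS. It builds, from the LDIF that an ldapsearch against AD would return for one rfc2307 group and for the users it lists, the group line that the name service should produce under the post's mapping (group:uniqueMember=member, passwd:uid=sAMAccountName), so it can be diffed against the real `getent group` output. The group name "unixadmins", the user DNs, the login names and the ids are constructed test data; the base dc=ad,dc=xyz,dc=com follows the post. It also shows two things worth checking when members come back empty: an AD member value is a DN whose first RDN is the display-name CN, not the sAMAccountName, so the login name can only come from the passwd map; and a member that has no uidNumber falls outside the passwd search filter and cannot be resolved at all.

```shell
#!/bin/sh
# Added example (not from the original post): expected getent group line for
# one AD group, derived from constructed LDIF. Group name, DNs, logins and
# ids are made up; attribute names follow the post's ldapclient mapping.

# Constructed LDIF for the group: AD's `member` values are full DNs.
GROUP_LDIF='dn: CN=unixadmins,CN=Users,DC=ad,DC=xyz,DC=com
objectClass: group
cn: unixadmins
gidNumber: 10001
member: CN=Alice Example,CN=Users,DC=ad,DC=xyz,DC=com
member: CN=Doe\, Bob,CN=Users,DC=ad,DC=xyz,DC=com
member: CN=Stale Account,CN=Users,DC=ad,DC=xyz,DC=com'

# Constructed LDIF for the users matching the passwd SSD filter (uidNumber=*).
# "Stale Account" is deliberately absent: without a uidNumber the passwd
# map never sees it, so its membership cannot be resolved to a login name.
USERS_LDIF='dn: CN=Alice Example,CN=Users,DC=ad,DC=xyz,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=Doe\, Bob,CN=Users,DC=ad,DC=xyz,DC=com
sAMAccountName: bob
uidNumber: 10002'

# Value of the first RDN of a DN, honouring backslash-escaped commas.
# For an AD user this is the CN (display name), not the sAMAccountName.
rdn_value() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, index($0, "=") + 1); out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\\") { i++; out = out substr(s, i, 1); continue }
            if (c == ",") break
            out = out c
        }
        print out
    }'
}

# $1 = group LDIF, $2 = users LDIF. Prints "name::gid:login,login" on stdout
# (password field left empty) and lists member DNs that no passwd entry
# explains on stderr. DNs are compared case-insensitively, as LDAP does.
expected_group_line() {
    {
        printf '%s\n' "$2"
        printf '__GROUP__\n'
        printf '%s\n' "$1"
    } | awk '
        /^__GROUP__$/ { ingroup = 1; next }
        /^dn: / { dn = tolower(substr($0, 5)); next }
        !ingroup && /^sAMAccountName: / { uid[dn] = substr($0, 17); next }
        ingroup && /^cn: / { cn = substr($0, 5); next }
        ingroup && /^gidNumber: / { gid = substr($0, 12); next }
        ingroup && /^member: / {
            m = tolower(substr($0, 9))
            if (m in uid) names = names (names == "" ? "" : ",") uid[m]
            else unresolved = unresolved "\n  " substr($0, 9)
            next
        }
        END {
            printf "%s::%s:%s\n", cn, gid, names
            if (unresolved != "")
                print "member DNs with no passwd entry:" unresolved > "/dev/stderr"
        }'
}

expected_group_line "$GROUP_LDIF" "$USERS_LDIF"
rdn_value 'CN=Doe\, Bob,CN=Users,DC=ad,DC=xyz,DC=com'
```

To use it against a live directory, replace the two constructed strings with ldapsearch output in LDIF form for the group and for the users; the parser expects unfolded lines and plain (not base64 `::`) values. Compare only the name, gid and member list with the `getent group` line, since the password field is left empty here.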