[OmniOS-discuss] LDAP and Active Directory via rfc2307

Michael Talbott mtalbott at lji.org
Fri Apr 22 01:43:29 UTC 2016


Sorry for the duplicate thread. My email client died when I hit send and I thought it didn't go the first time, but I guess it did :(


> On Apr 21, 2016, at 6:39 PM, Michael Talbott <mtalbott at lji.org> wrote:
> 
> I've been trying to figure out where I'm going wrong and just can't seem to pinpoint the problem. I'm trying to move a few servers away from winbind which was using rfc2307 mappings for uid/gid mapping and use LDAP instead. Using the below configuration username/userid groupname/groupid match the ids set in AD. However, for some reason, getent group shows all the groups with proper ids, but, none of the groups have any members in there :( getent passwd seems to work fine. So I'm thinking I'm missing some critical mapping to make this happen, but, just can't seem to figure out where I'm going wrong. Oh, and I'm running r151018.
> 
> Any help is much appreciated.
> 
> By the way, once this is resolved, maybe it should get posted under here: http://omnios.omniti.com/wiki.php/GeneralAdministration#ConfiguringLDAP
> 
> 
> Here's what I use to bind:
> 
> # setup ldap like so
> ldapclient uninit
> ldapclient manual \
> -a credentialLevel=proxy \
> -a authenticationMethod=simple \
> -a "proxyDN=cn=xyz_ldap_service,cn=Users,dc=ad,dc=xyz,dc=com" \
> -a defaultSearchBase=dc=ad,dc=xyz,dc=com \
> -a domainName=ad.xyz.com \
> -a "defaultServerList=10.x.x.x" \
> -a attributeMap=passwd:gecos=cn \
> -a attributeMap=shadow:gecos=cn \
> -a attributeMap=group:gecos=cn \
> -a attributeMap=passwd:uid=sAMAccountName \
> -a attributeMap=shadow:uid=sAMAccountName \
> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> -a attributeMap=shadow:shadowLastChange=pwdLastSet \
> -a attributeMap=group:uniqueMember=member \
> -a objectClassMap=passwd:posixAccount=user \
> -a objectClassMap=shadow:shadowAccount=user \
> -a objectClassMap=group:posixGroup=group \
> -a "serviceSearchDescriptor=group:dc=ad,dc=xyz,dc=com?sub?(&(objectClass=group)(gidNumber=*))" \
> -a "serviceSearchDescriptor=passwd:cn=users,dc=ad,dc=xyz,dc=com?sub?(&(objectClass=user)(uidNumber=*))"
> 
> #enter password when prompted
> 
> # remove "ldap" from all entries in /etc/nsswitch.conf except for passwd and group
> cp /etc/nsswitch.dns /etc/nsswitch.conf
> sed -i 's@passwd:     files@passwd:     files ldap@g' /etc/nsswitch.conf
> sed -i 's@group:      files@group:      files ldap@g' /etc/nsswitch.conf
> 
> # restart ldap client
> svcadm disable svc:/network/ldap/client:default
> sleep 2
> svcadm enable svc:/network/ldap/client:default
> sleep 1
> svcs svc:/network/ldap/client:default
> nscd -i passwd
> 
> # sanity checks
> /usr/lib/ldap/ldap_cachemgr -g
> svcs \*ldap\*
> svcs -l network/ldap/client:default
> nscd -i passwd
> ldapclient list
> ldaplist passwd
> ldaplist group
> /usr/lib/ldap/ldap_cachemgr -g
> 
> # profit
> getent passwd
> getent group
> 
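An added illustration, not the poster's code and not a description of how the illumos LDAP resolver is implemented internally: with `group:uniqueMember=member`, the directory hands back group members as DNs, while a getent group line needs login names, so each member DN has to resolve to an entry that the passwd lookup can actually return (a user with a uidNumber under the passwd search base). The script applies the post's two search descriptors to constructed LDIF and reports which member DNs cannot resolve; `PASSWD_BASE`, the sample entries and the helper names are assumptions.

```python
from collections import defaultdict
# Search base of the passwd serviceSearchDescriptor in the post above.
PASSWD_BASE = "cn=users,dc=ad,dc=xyz,dc=com"
# Constructed sample LDIF, not real directory data: one POSIX user under
# CN=Users, one POSIX user outside it, and a group whose members are DNs.
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=ad,DC=xyz,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=Carol,OU=Staff,DC=ad,DC=xyz,DC=com
objectClass: user
sAMAccountName: carol
uidNumber: 10003

dn: CN=unixadmins,CN=Users,DC=ad,DC=xyz,DC=com
objectClass: group
cn: unixadmins
gidNumber: 20001
member: CN=Alice,CN=Users,DC=ad,DC=xyz,DC=com
member: CN=Carol,OU=Staff,DC=ad,DC=xyz,DC=com
"""

def parse_ldif(text):
    """Return {lowercased dn: {attr: [values]}} from plain (non-base64) LDIF."""
    entries = {}
    for record in text.replace("\n ", "").strip().split("\n\n"):  # unfold, split
        attrs = defaultdict(list)
        for line in record.splitlines():
            key, _, val = line.partition(": ")
            attrs[key].append(val)
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def passwd_map(entries):
    """DN -> login name, restricted to what the passwd descriptor can return."""
    return {dn: a["sAMAccountName"][0] for dn, a in entries.items() if "user" in
            a["objectClass"] and a.get("uidNumber") and dn.endswith("," + PASSWD_BASE)}

def group_lines(entries):
    """Group lines with member DNs resolved to login names, plus unresolvable DNs."""
    users, lines, unresolved = passwd_map(entries), [], []
    for a in entries.values():
        if "group" in a["objectClass"] and a.get("gidNumber"):
            members = a.get("member", [])
            names = [users[m.lower()] for m in members if m.lower() in users]
            unresolved += [m for m in members if m.lower() not in users]
            lines.append(f"{a['cn'][0]}::{a['gidNumber'][0]}:{','.join(names)}")
    return lines, unresolved
```

Running it on a real LDIF export of the groups and users instead of `SAMPLE_LDIF` shows whether members are being dropped because they lack a uidNumber or sit outside the narrower passwd search base.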
