Re: Ldap challenge

On Wed, Apr 22, 2015 at 08:08:11PM +0000, Ross, Daniel B. wrote:

> What I need to do is continue to use the campus usernames and passwords but
> present the data in a format that my Linux/Unix hosts can use.  Is this
> possible?

Probably, but I don't think you have given us enough information so far.

> i.e. userid would still be samwise but instead of a bizarre OU=
> monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=
> com.

I assume the latter DN should be O=people,dc=example,dc=com.

If this is your main problem then it may not need solving on the server side.
There is no fixed rule about the structure of a base DN used for Linux and Unix
LDAP authentication. You should be able to work with any DN structure, provided
that you know where to base your searches and provided you can do one-level or
subtree searches on the AD service to find what you need.

> I looked at referral and aliasing but it does not seem to be doing what I am
> trying to do.  Passthrough authentication looks close but I can't find
> sufficient documentation to actually configure a system to use it.

Does the campus AD service contain everything that Linux/Unix would need?
e.g. does it have:

	Username (almost certain - called samAccountName in AD)
	Unix numeric UID
	Unix numeric GID
	Unix homedir
	Unix shell
	Something to use for GECOS (optional)

It does not matter what those attributes are called in AD as you can set the
clients to work with whatever you have, but they *do* have to be present.
It used to be necessary to load a Microsoft package called SFU (Services For Unix)
to support this, but I think more recent versions of AD already have schema for it
by default.

If you don't have at least that set of attributes with sensible values to work with
then you will have to maintain a parallel or overlay directory service. There are
several ways to do that, so let's start by establishing what you have!

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
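As an added illustration of the "establish what you have" step above (not part of the original message or of any list member's code), the script below audits an LDIF export of AD user entries, such as one produced by ldapsearch against the campus OU, for the POSIX attributes a Linux client needs. The AD attribute names in POSIX_MAP are an assumption (the RFC 2307 / SFU names most AD schemas carry) and should be changed to whatever the campus directory actually uses.

```python
"""Audit an LDIF export of AD user entries for the attributes that
Linux/Unix LDAP clients (nss_ldap, nslcd, sssd) need to build a passwd entry.
Typical export (one-level search under the odd-looking OU, constructed names):
  ldapsearch -x -H ldap://ad.example.com -D user@example.com -W \
    -b OU=monkeypeople,DC=example,DC=com -s one '(objectClass=user)' \
    sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell displayName
"""
import base64

# POSIX field -> AD attribute that supplies it.  ASSUMPTION: SFU/RFC 2307
# names; edit to match the campus schema.  GECOS (displayName) is optional.
POSIX_MAP = {
    "uid": "sAMAccountName",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
    "homeDirectory": "unixHomeDirectory",
    "loginShell": "loginShell",
}

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry.
    Unfolds continuation lines, decodes base64 ('::') values and skips
    the comment / 'search:' / 'result:' trailer that ldapsearch emits."""
    lines, entries, cur = [], [], {}
    for raw in text.splitlines():  # unfold lines that start with a space
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip() or line.startswith("#"):  # entry separator
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or attr in ("search", "result"):
            continue
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def audit_entry(entry):
    """Return the list of problems for one entry; empty means usable as-is."""
    problems = []
    for posix, ad_attr in POSIX_MAP.items():
        vals = entry.get(ad_attr)
        if not vals:
            problems.append(f"missing {ad_attr} (needed for {posix})")
        elif posix in ("uidNumber", "gidNumber") and not vals[0].isdigit():
            problems.append(f"{ad_attr}={vals[0]!r} is not numeric")
        elif posix in ("homeDirectory", "loginShell") and not vals[0].startswith("/"):
            problems.append(f"{ad_attr}={vals[0]!r} is not an absolute path")
    return problems

def audit_ldif(text):
    """Map each user (sAMAccountName, else DN) to its list of problems."""
    return {(e.get("sAMAccountName") or e.get("dn") or ["?"])[0]: audit_entry(e)
            for e in parse_ldif(text)}

# Constructed sample export: one complete user, one with gaps and a bad shell.
SAMPLE = """\
dn: CN=samwise,OU=monkeypeople,DC=example,DC=com
sAMAccountName: samwise
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/samwise
loginShell: /bin/bash
displayName: Samwise Gamgee

dn: CN=frodo,OU=monkeypeople,DC=example,DC=com
sAMAccountName: frodo
uidNumber: 10002
loginShell: bash

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for user, problems in audit_ldif(SAMPLE).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

Run it over a real export (`audit_ldif(open("users.ldif").read())`) and any user with a non-empty problem list is one the Linux hosts cannot resolve until the attribute is populated or an overlay directory supplies it.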