
Re: Ldap challenge



I think you are getting to the root of the problem.
So, to give you some of the problems:

isMemberOf does not exist; we have to use memberOf.

For nsUniqueId we have to use objectGUID.

There is no uniqueMember; again, we can only use memberOf.

While there is a guarantee of person, there is not the same for posixAccount or shadowAccount.


While I have been able to get Linux with SSSD to work, to some extent, with this, it's rather hit and miss, and the Solaris systems just won't work at all. This is why I was hoping to be able to use the campus for the username and password, and then provide the rest from a local LDAP server. It doesn't sound like this is really possible.

saslauthd did not work at all with the MS LDS.
What is a parallel or overlay directory service?

Daniel

________________________________________
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Sent: Monday, April 27, 2015 12:07 PM
To: Ross, Daniel B.
Cc: openldap-technical@openldap.org
Subject: Re: Ldap challenge

On Wed, Apr 22, 2015 at 08:08:11PM +0000, Ross, Daniel B. wrote:

> What i need to do is continue to use the campus usernames and passwords but
> present the Data in a format that my linux/unix hosts can use.  Is this
> possible?

Probably, but I don't think you have given us enough information so far.

> i.e. userid would still be samwise but instead of a bizarre OU=
> monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=com.

I assume the latter DN should be O=people,dc=example,dc=com

If this is your main problem then it may not need solving on the server side.
There is no fixed rule about the structure of a base DN used for Linux and Unix
LDAP authentication. You should be able to work with any DN structure, provided
that you know where to base your searches and provided you can do one-level or
subtree searches on the AD service to find what you need.

> I looked at referral and aliasing but it does not seem to be doing what I am
> trying to do.  Passthrough authentication looks close but I cant find
> sufficient documentation to actually configure a system to use it.

Does the campus AD service contain everything that Linux/Unix would need?
e.g. does it have:

        Username (almost certain - called samAccountName in AD)
        Unix numeric UID
        Unix numeric GID
        Unix homedir
        Unix shell
        Something to use for GECOS (optional)

It does not matter what those attributes are called in AD as you can set the
clients to work with whatever you have, but they *do* have to be present.
It used to be necessary to load a Microsoft package called SFU (Services For Unix)
to support this, but I think more recent versions of AD already have schema for it
by default.

If you don't have at least that set of attributes with sensible values to work with
then you will have to maintain a parallel or overlay directory service. There are
several ways to do that, so let's start by establishing what you have!

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
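Following on from Andrew's "let's start by establishing what you have", here is a small audit script that takes an ldapsearch LDIF dump of the campus user entries and reports whether each one carries the attributes a Linux/Unix client needs. This is an added example, not code from either of the posts above. It assumes the attribute names AD uses for RFC 2307 data (uidNumber, gidNumber, unixHomeDirectory, loginShell, with sAMAccountName as the login name); edit REQUIRED if the campus directory stores them under other names. The LDIF in SAMPLE_LDIF is constructed for the example and is not a real directory dump. It also decodes objectGUID, which Daniel mentions as the nsUniqueId substitute: ldapsearch emits it as a base64 ("::") value because it is binary, and AD's display form is the little-endian GUID string.

```python
"""Audit AD / AD LDS user entries (LDIF as written by ldapsearch) for the
attributes a Linux/Unix LDAP client needs.

Added example for this thread, not code from the original posts. Assumes the
AD schema names for RFC 2307 data; SAMPLE_LDIF is constructed, not real data.
"""
import base64
import re
import uuid

# Unix role -> AD attribute that usually carries it (assumed defaults).
REQUIRED = {
    "username": "sAMAccountName",
    "uid": "uidNumber",
    "gid": "gidNumber",
    "homedir": "unixHomeDirectory",
    "shell": "loginShell",
}

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts.
    Handles folded lines (leading space), '#' comments and '::' base64
    values, which ldapsearch uses for binary attributes such as objectGUID
    (those come back as bytes)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:               # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue                          # e.g. ':<' URL values, not needed
        attr, sep, val = m.groups()
        value = base64.b64decode(val) if sep == "::" else val
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    return entries


def guid_to_str(raw):
    """Render a 16-byte objectGUID the way AD tools display it
    (first three GUID fields are stored little-endian)."""
    return str(uuid.UUID(bytes_le=raw))


def audit_entry(entry):
    """Return (missing_attrs, problems) for one parsed user entry."""
    missing, problems = [], []
    for role, attr in REQUIRED.items():
        vals = entry.get(attr.lower())
        if not vals:
            missing.append(attr)
            continue
        v = vals[0].decode("utf-8", "replace") if isinstance(vals[0], bytes) else vals[0]
        if role in ("uid", "gid"):
            if not v.isdigit():
                problems.append(f"{attr}={v!r} is not numeric")
            elif role == "uid" and int(v) == 0:
                problems.append("uidNumber 0 would map this account to root")
        elif role in ("homedir", "shell") and not v.startswith("/"):
            problems.append(f"{attr}={v!r} is not an absolute path")
    return missing, problems


def audit_ldif(text):
    """Audit every entry in an LDIF dump, keyed by sAMAccountName (or dn)."""
    report = {}
    for entry in parse_ldif(text):
        key = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        missing, problems = audit_entry(entry)
        guid = entry.get("objectguid")
        report[key] = {
            "missing": missing,
            "problems": problems,
            "guid": guid_to_str(guid[0]) if guid else None,
            "groups": entry.get("memberof", []),
        }
    return report


# Constructed sample, modelled on
#   ldapsearch -LLL -b OU=monkeypeople,DC=example,DC=com '(objectClass=user)'
SAMPLE_LDIF = """\
dn: CN=samwise,OU=monkeypeople,DC=example,DC=com
objectClass: user
sAMAccountName: samwise
objectGUID:: EjRWeJq83vASNFZ4mrze8A==
memberOf: CN=hobbits,OU=monkeypeople,DC=example,DC=com
uidNumber: 10042
gidNumber: 10001
unixHomeDirectory: /home/samwise
loginShell: /bin/bash

dn: CN=gollum,OU=monkeypeople,DC=example,DC=com
objectClass: user
sAMAccountName: gollum
uidNumber: abc
unixHomeDirectory: home/gollum
"""

if __name__ == "__main__":
    for name, r in audit_ldif(SAMPLE_LDIF).items():
        ok = not (r["missing"] or r["problems"])
        print(name, "OK" if ok else "NOT USABLE", r)
```

Run it against the real output of ldapsearch (bind as an ordinary user, search the campus base for objectClass=user) instead of SAMPLE_LDIF. An account that comes back with an empty "missing" and "problems" list has everything SSSD needs once the attribute names are mapped in sssd.conf; one that does not is the case Andrew describes where a parallel or overlay directory has to supply the rest. The uidNumber 0 check is there because a stray zero in the directory turns a campus login into root on every client that trusts it.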