Sorry for the duplicate thread. My email client died when I hit send and I 
thought it didn't go the first time, but I guess it did :(


> On Apr 21, 2016, at 6:39 PM, Michael Talbott <mtalb...@lji.org> wrote:
> 
> I've been trying to figure out where I'm going wrong and just can't seem to 
> pinpoint the problem. I'm trying to move a few servers away from winbind 
> which was using rfc2307 mappings for uid/gid mapping and use LDAP instead. 
> Using the below configuration username/userid groupname/groupid match the ids 
> set in AD. However, for some reason, getent group shows all the groups with 
> proper ids, but, none of the groups have any members in there :( getent 
> passwd seems to work fine. So I'm thinking I'm missing some critical mapping 
> to make this happen, but, just can't seem to figure out where I'm going 
> wrong. Oh, and I'm running r151018.
> 
> Any help is much appreciated.
> 
> By the way, once this is resolved, maybe it should get posted under here: 
> http://omnios.omniti.com/wiki.php/GeneralAdministration#ConfiguringLDAP
> 
> 
> Here's what I use to bind:
> 
> # setup ldap like so
> ldapclient uninit
> ldapclient manual \
> -a credentialLevel=proxy \
> -a authenticationMethod=simple \
> -a "proxyDN=cn=xyz_ldap_service,cn=Users,dc=ad,dc=xyz,dc=com" \
> -a defaultSearchBase=dc=ad,dc=xyz,dc=com \
> -a domainName=ad.xyz.com \
> -a "defaultServerList=10.x.x.x" \
> -a attributeMap=passwd:gecos=cn \
> -a attributeMap=shadow:gecos=cn \
> -a attributeMap=group:gecos=cn \
> -a attributeMap=passwd:uid=sAMAccountName \
> -a attributeMap=shadow:uid=sAMAccountName \
> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> -a attributeMap=shadow:shadowLastChange=pwdLastSet \
> -a attributeMap=group:uniqueMember=member \
> -a objectClassMap=passwd:posixAccount=user \
> -a objectClassMap=shadow:shadowAccount=user \
> -a objectClassMap=group:posixGroup=group \
> -a "serviceSearchDescriptor=group:dc=ad,dc=xyz,dc=com?sub?(&(objectClass=group)(gidNumber=*))" \
> -a "serviceSearchDescriptor=passwd:cn=users,dc=ad,dc=xyz,dc=com?sub?(&(objectClass=user)(uidNumber=*))"
> 
> #enter password when prompted
> 
> # remove "ldap" from all entries in /etc/nsswitch.conf except for passwd and group
> cp /etc/nsswitch.dns /etc/nsswitch.conf
> sed -i 's@passwd:     files@passwd:     files ldap@g' /etc/nsswitch.conf
> sed -i 's@group:      files@group:      files ldap@g' /etc/nsswitch.conf
> 
> # restart ldap client
> svcadm disable svc:/network/ldap/client:default
> sleep 2
> svcadm enable svc:/network/ldap/client:default
> sleep 1
> svcs svc:/network/ldap/client:default
> nscd -i passwd
> 
> # sanity checks
> /usr/lib/ldap/ldap_cachemgr -g
> svcs \*ldap\*
> svcs -l network/ldap/client:default
> nscd -i passwd
> ldapclient list
> ldaplist passwd
> ldaplist group
> /usr/lib/ldap/ldap_cachemgr -g
> 
> # profit
> getent passwd
> getent group
> 

_______________________________________________
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss