Can you pull a complete user object via LDAP query? There might be secondary attributes that include a POSIX-compliant short name.
Ian

On Fri, Apr 22, 2016 at 2:37 PM, Michael Talbott <mtalb...@lji.org> wrote:
> It does have the unix extensions on it which is how I was able to get this
> far (set uids/gids/etc in AD). But I don't have the old windows NIS service
> running though, so I don't use the SFU30 or whatever attributes since I
> believe those are all obsoleted and will soon likely disappear.
>
> ________________________
> Michael Talbott
> Systems Administrator
> La Jolla Institute
>
> On Apr 22, 2016, at 1:18 PM, Ian Kaufman <ikauf...@eng.ucsd.edu> wrote:
>
> Does your AD have SFU (or whatever it is called these days) set up?
>
> Ian
>
> On Fri, Apr 22, 2016 at 12:58 PM, Michael Talbott <mtalb...@lji.org>
> wrote:
>
>> You're exactly right. The DN in AD is the full name and if I create a
>> user where the DN and shortname match, then everything works great.
>> Unfortunately, I'm not sure if updating all the DNs to match the short name
>> will break other dependencies of it deployed in existing software
>> elsewhere. One day when I'm feeling brave and have a little downtime
>> scheduled, I'll batch update all the entries and see if anything breaks.
>> But, I suppose I'm stuck with winbind for the time being. But thank you for
>> all the help.
>>
>> > On Apr 22, 2016, at 11:27 AM, Paul B. Henson <hen...@acm.org> wrote:
>> >
>> > On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:
>> >
>> >> all the group members are listed as "John Doe" rather than jdoe which
>> >> means that when jdoe logs in, he can't access his groups due to the
>> >> naming disconnect. Any ideas of how to fix that? Somehow map the group
>> >> members to samAccountName rather than the DN?
>> >
>> > How is your AD structured? It sounds like it's using full names for DN's
>> > rather than usernames? If so, that's not going to work.
>> >
>> > Our AD uses usernames for DN's; for example, I'm:
>> >
>> > dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > cn: henson
>> > sn: Henson
>> > givenName: Paul
>> > initials: B.
>> > distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > displayName: Paul B. Henson
>> > sAMAccountName: henson
>> >
>> > and if you look at a group I'm in:
>> >
>> > dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
>> > cn: netadmin
>> > description: Network admins
>> > member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
>> > distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
>> > sAMAccountName: netadmin
>> >
>> > So the RDN for both users and groups is the short name that a unix box
>> > expects to see, and the long name is in the displayName or description.
>> > I'm guessing you're using the full name as the CN and your users look
>> > like:
>> >
>> > dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
>> >
>> > so your group members look like:
>> >
>> > member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu
>> >
>> > If that's the case, I don't think there's any way you can get it to
>> > work. The rfc2307bis group support expects the RDN to be the username,
>> > there's no way to get it to look up some other attribute of the entry
>> > and use it instead.
>>
>> _______________________________________________
>> OmniOS-discuss mailing list
>> OmniOS-discuss@lists.omniti.com
>> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>>
>
> --
> Ian Kaufman
> Research Systems Administrator
> UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu
>

-- 
Ian Kaufman
Research Systems Administrator
UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu
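Added example (not code from this thread, from OmniOS or from illumos): the lookup step Ian is asking about, done over the henson and netadmin entries Paul quoted plus two constructed users whose CN is a display name rather than a login name, which is the layout the thread says rfc2307bis group support cannot consume. It reads the entries from LDIF, shows the two ways a group's member DNs can be turned into names (taking the RDN, which is what the thread says the rfc2307bis client does, versus dereferencing the DN and reading sAMAccountName), and builds the RFC 4515-escaped filter you would hand to ldapsearch to pull the complete member objects in one query. The "John Doe" and "Doe, Jane" entries, the jdoe and jadoe account names and the escaped-comma DN are constructed for the example.

```python
"""Resolve AD group members to login names via sAMAccountName instead of
the RDN. Added example for the OmniOS-discuss thread; not code from the
thread, OmniOS or illumos. The LDIF is constructed: Paul Henson's henson
and netadmin entries as quoted, plus hypothetical John Doe / Doe, Jane
users whose CN is a display name."""

import re

SAMPLE_LDIF = """\
dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
cn: henson
sAMAccountName: henson
displayName: Paul B. Henson

dn: CN=John Doe,OU=user,DC=ad,DC=cpp,DC=edu
cn: John Doe
sAMAccountName: jdoe

dn: CN=Doe\\, Jane,OU=user,DC=ad,DC=cpp,DC=edu
cn: Doe, Jane
sAMAccountName: jadoe

dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu
cn: netadmin
sAMAccountName: netadmin
member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu
member: CN=John Doe,OU=user,DC=ad,DC=cpp,DC=edu
member: CN=Doe\\, Jane,OU=user,DC=ad,DC=cpp,DC=edu
"""

GROUP_DN = "CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu"


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'
    lines -> {dn_lowercased: {attr_lowercased: [values]}}. Lowercasing
    approximates LDAP's case-insensitive DN and attribute-name matching;
    base64 (::) values and line folding are not handled."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn.lower()] = attrs
    return entries


def rdn_value(dn):
    """Value of the first RDN ('henson' from 'CN=henson,OU=...'), honouring
    RFC 4514 backslash escapes so 'CN=Doe\\, Jane,...' gives 'Doe, Jane'.
    Hex-pair escapes such as \\2c are not decoded."""
    _, _, rest = dn.partition("=")
    out, i = [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":  # first unescaped comma ends the RDN
            break
        out.append(ch)
        i += 1
    return "".join(out)


def resolve_members(entries, group_dn, by_rdn=False):
    """Turn a group's member DNs into names. by_rdn=True mimics what the
    thread says rfc2307bis group support does (RDN as the username);
    by_rdn=False dereferences each DN and reads sAMAccountName, skipping
    members that are missing or carry no sAMAccountName."""
    names = []
    for member_dn in entries[group_dn.lower()].get("member", []):
        if by_rdn:
            names.append(rdn_value(member_dn))
            continue
        user = entries.get(member_dn.lower(), {})
        if user.get("samaccountname"):
            names.append(user["samaccountname"][0])
    return names


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value inside a search filter;
    the backslash must be handled first."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def member_lookup_filter(member_dns):
    """One filter that fetches every member object, e.g. for
    ldapsearch -b <base> '<filter>' sAMAccountName uid uidNumber."""
    clauses = "".join("(distinguishedName=%s)" % escape_filter_value(dn)
                      for dn in member_dns)
    return "(|%s)" % clauses


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("by RDN:           ", resolve_members(entries, GROUP_DN, by_rdn=True))
    print("by sAMAccountName:", resolve_members(entries, GROUP_DN))
    print(member_lookup_filter(entries[GROUP_DN.lower()]["member"]))
```

Run as-is and the RDN list comes out as henson / John Doe / Doe, Jane while the sAMAccountName list is henson / jdoe / jadoe, which is exactly the naming disconnect from the original question. The printed filter is what you would pass to ldapsearch against the real directory to pull the complete objects Ian suggests inspecting; note that a member DN containing an escaped comma has its backslash re-escaped as \5c inside the filter, since RFC 4515 only allows a backslash followed by two hex digits there.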