Hello,

I am new to the OpenSolaris community and would like to work on the following RFE filed by me:

RFE ID: 6834242
Synopsis: ldap/switch nss_ldap should support ActiveDirectory-style groups records
Full name: Dr. Erwin Aitenbichler
SCA: filed, but no number received yet

I have already written a patch that fully implements the proposed solution. I think that AD integration is a functionality that would be interesting for many Solaris users. Now I would be interested in integrating my proposed solution into the OpenSolaris project. Could you please provide me information about the next steps to take, how to find the responsible maintainers and how to submit patches?

Best regards,
Erwin Aitenbichler

---
Dr.-Ing. Erwin Aitenbichler
Area Head Smart Environments
Telecooperation Group
Computer Science Dept., TU Darmstadt
Hochschulstrasse 10
D-64289 Darmstadt, Germany
phone +49 (6151) 16-2259 fax -3052


Begin forwarded message:

> From: bugmail-sender at sun.com
> Date: April 26, 2009 00:32:25 CEST
> To: undisclosed-recipients:;
> Subject: CR 6834242 Updated, P3 ldap/switch nss_ldap should support ActiveDirectory-style groups records
>
> *Synopsis*: nss_ldap should support ActiveDirectory-style groups records
>
> CR 6834242 changed on Apr 25 2009 by <User 1-5Q-1417>
>
> === Field ============ === New Value ============= === Old Value =============
>
> Category               ldap                        opensolaris
> SubCategory            switch                      triage-queue
> ====================== =========================== ===========================
>
>
> *Change Request ID*: 6834242
>
> *Synopsis*: nss_ldap should support ActiveDirectory-style groups records
>
>  Product: solaris
>  Category: ldap
>  Subcategory: switch
>  Type: RFE
>  Subtype:
>  Status: 1-Dispatched
>  Substatus:
>  Priority: 3-Medium
>  Introduced In Release:
>  Introduced In Build:
>  Responsible Engineer:
>  Keywords: opensolaris
>
> === *Description* ============================================================
> Category
>   solaris/network (Solaris Networking)
> Sub-Category
>   nsswitch
> Description
>   Background
>   Microsoft's Active Directory (AD) can be used as Solaris name service
>   repository through nss_ldap by using a Windows 2003 R2 (or later) server
>   and configuring a schema mapping on the Solaris clients.
> Problem
>   The functions getbynam and getbygid in getgrent.c of nss_ldap do not
>   support AD-style group entries. The current implementation uses the
>   LDAP field memberUid containing a user's uid to construct a list of
>   all users in the group. In contrast, AD uses the field member containing
>   the DN of the user. Because groups can be nested, such a DN may also
>   point to another group.
>   Example:
>   $ getent group LinuxAdmin
>   LinuxAdmin::1000000:
>   The list of users at the end is missing, because the functions mentioned
>   above do not support AD-style LDAP records.
>   The function getbymember currently uses the field memberUid containing
>   a user's uid to find all groups a user is a member of. In contrast, AD
>   uses the field member containing the DN of the user or another group.
>   Example:
>   $ groups erwin
>   tk
>   Only local groups appear in the group list, because getbymember() does
>   not support AD-style LDAP records.
>   Using the alternative backend nss_ad is not an option, because it is
>   based on idmap. This configuration is not convenient or practical in sites
>   that require the same UID or GID for the same user or group across all servers.
> Solution
>   getbynam/getbygid should iterate over all member fields of a group record,
>   query all user records and extract the uids from the user records.
>   Because groups may be nested in AD, the functions have to recursively
>   resolve all groups until the user records are reached.
>   getbymember must obtain the user's DN and then query all groups a user
>   is a member of using this DN. For all groups, the field memberof must be
>   evaluated, because groups may be nested.
> Frequency
>   Always
> Regression
>   No
> Steps to Reproduce
>   Configure the Solaris machine as described here:
>   http://blog.scottlowe.org/2006/10/16/refined-solaris-10-ad-integration-instructions/
>   See the sections "actual result" and "expected result" below for details on how the system currently behaves and how it should behave.
> Expected Result
>   $ getent group LinuxAdmin
>   LinuxAdmin::1000000:schnitt,fm1007,jschroed,erwin
>   $ getent group MundoAdmin
>   MundoAdmin::10000013:schnitt,fm1007,jschroed,erwin,borgert,d_w,fernando
>   $ getent group MundoUser
>   MundoUser::10000012:beckerle,staender,marcos,schnitt,fm1007,jschroed,erwin,borgert,d_w,fernando,felix_h,ds1019,melanie
>   Comments:
>   - Group LinuxAdmin is member of group MundoAdmin
>   - Group MundoAdmin is member of group MundoUser
>   $ groups erwin
>   tk ASC Staff LinuxAdmin DedisAdmin DedisUser MundoAdmin MundoUser LinuxClientAdmin TracAdmin DlhAdmin UbisenseAdmin UbisenseUser DigilibAdmin FilerAdmin HimaliaAdmin HimaliaUser TestlinuxAdmin TestlinuxUser NimbusAdmin NimbusUser HaloUser
> Actual Result
>   $ getent group LinuxAdmin
>   LinuxAdmin::1000000:
>   $ getent group MundoAdmin
>   MundoAdmin::10000013:
>   $ getent group MundoUser
>   MundoUser::10000012:
>   $ groups erwin
>   tk
> Error Message(s)
>
> Test Case
>
> Workaround
>
> Additional configuration information
>
> *** (#1 of 1): 2009-04-25 19:42:42 GMT+00:00 <User 1-F4SZV>
>
>
> === *Public Comments* ========================================================
>
> === *Workaround* =============================================================
>
> === *Additional Details* =====================================================
>        Targeted Release:
>        Commit To Fix In Build:
>        Fixed In Build:
>        Integrated In Build:
>        Verified In Build:
>  See Also: 6722476
>  Duplicate of:
>  Hooks:
>        Hook1:
>        Hook2:
>        Hook3:
>        Hook4:
>        Hook5:
>        Hook6: <email address omitted>
>  Program Management:
>  Root Cause:
>  Fix Affects Documentation: No
>  Fix Affects Localization: No
>
> === *History* ================================================================
>        Date Submitted: 2009-04-25 19:42:41 GMT+00:00
>        Submitted By: <User 1-F4SZV>
>
>        Status Changed    Date Updated                  Updated By
>
>
> === *Service Request* ========================================================
>        Impact: Significant
>        Functionality: Secondary
>        Severity: 3
>        Product Name: solaris
>        Product Release: solaris_nevada
>        Product Build: snv_127
>        Operating System: solaris_nevada
>        Hardware: generic
>        Submitted Date: 2009-04-25 19:42:42 GMT+00:00
>
>
> === *Multiple Release (MR) Cluster* - 0 ======================================
>
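
The recursive member resolution proposed in the RFE's Solution section, as an added example; it is not the patch mentioned in this message and not nss_ldap code. The in-memory directory stands in for LDAP searches, and the DNs, the `resolve_group` name and the depth limit are assumptions. Two mutually nested groups are included because a resolver that follows `member` DNs must terminate on cycles and must not report a user twice.

```c
#include <string.h>
#define MAX_DEPTH 8   /* assumed nesting limit, not from the RFE */
#define MAX_OUT   32  /* capacity of the caller's uid array */

/* Constructed sample directory; uid != NULL marks a user entry. */
struct entry { const char *dn, *uid, *member[4]; };
static const struct entry dir[] = {
    {"CN=erwin,DC=ex",   "erwin",   {0}},
    {"CN=schnitt,DC=ex", "schnitt", {0}},
    {"CN=borgert,DC=ex", "borgert", {0}},
    {"CN=LinuxAdmin,DC=ex", NULL, {"CN=schnitt,DC=ex", "CN=erwin,DC=ex"}},
    {"CN=MundoAdmin,DC=ex", NULL, {"CN=LinuxAdmin,DC=ex", "CN=borgert,DC=ex", "CN=erwin,DC=ex"}},
    {"CN=LoopA,DC=ex", NULL, {"CN=LoopB,DC=ex", "CN=erwin,DC=ex"}},
    {"CN=LoopB,DC=ex", NULL, {"CN=LoopA,DC=ex"}},
};

static const struct entry *lookup(const char *dn) {
    for (size_t i = 0; i < sizeof dir / sizeof dir[0]; i++)
        if (strcmp(dir[i].dn, dn) == 0) return &dir[i];
    return NULL;
}
static int seen(const char **list, int n, const char *s) {
    for (int i = 0; i < n; i++) if (strcmp(list[i], s) == 0) return 1;
    return 0;
}

/* Depth-first walk over member DNs; -1 means a limit was hit. */
static int walk(const char *dn, const char **path, int depth, const char **out, int *n) {
    const struct entry *e = lookup(dn);
    if (e == NULL || seen(path, depth, dn)) return 0;  /* dangling DN or cycle */
    if (e->uid != NULL) {                               /* user record: collect uid once */
        if (seen(out, *n, e->uid)) return 0;
        if (*n == MAX_OUT) return -1;
        out[(*n)++] = e->uid;
        return 0;
    }
    if (depth == MAX_DEPTH) return -1;                  /* refuse unbounded nesting */
    path[depth] = dn;                                   /* groups on the current branch */
    for (int i = 0; i < 4 && e->member[i] != NULL; i++)
        if (walk(e->member[i], path, depth + 1, out, n) < 0) return -1;
    return 0;
}

/* Returns the number of uids written to out, or -1 if a limit was hit. */
int resolve_group(const char *group_dn, const char **out) {
    const char *path[MAX_DEPTH];
    int n = 0;
    return walk(group_dn, path, 0, out, &n) < 0 ? -1 : n;
}
```

Returning -1 when a limit is hit lets the caller treat the membership list as incomplete rather than trusting a truncated result.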
