> Date: Wed, 30 Sep 2009 15:52:59 +0200
> From: Florian Manschwetus <florianmanschwetus at gmx.de>

> Ok, basically we have currently on opensolaris two choices:
> nss_ldap => allows the use of directory based mapping (unix nuid and ngid
> and so are stored in directory (as in my case))
> nss_ad => allows easy and clean access but relies currently on generated
> nuid and so
>
> Problems:
> 1. General
> - Normally solaris is limited to 16 group-memberships for a single user
>
> 2. nss_ldap
> - can't search the complete directory for users/groups (no idea why)

Probably because AD uses so many referrals to glue its tree together, you need to look into configuring referral chasing.

> - need a modification to support DN as membership attribute and allow so
> recursive group-memberships (otherwise it would need additional manual
> membership handling)

Should already be supported as part of RFC2307bis. Certainly the PADL-based nss-ldap does. Also nss-pam-ldapd and OpenLDAP nssov support that.

> - incomplete group mapping leads to idmap problems with cifs-server
> (maybe there is a workaround)
>
> 3. nss_ad
> - seems to not support directory based id-mappings
> - currently I was always unable to configure it correctly
> - need a fine documentation (not found a really nice one)
>
> maybe someone could correct me if I made a mistake.
>
> The plan is to use the directory based nss and kerberos to authenticate
> network fs (nfsv4 and cifs, maybe webdav) and system access (ssh, pfexec).
>
> Kerberos works fine so far, but the nss stuff isn't solved kindly
> currently so, some hints or advices are welcome.
> If someone could give me a good documentation how the things are
> evolving, I'm willing to do my best to make the things go faster.

Perhaps more low-level than you're asking for, but this is how things are evolving...

http://tools.ietf.org/draft/draft-howard-rfc2307bis/

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
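
The DN-valued, recursive group membership discussed in this thread, sketched as an added example (not code from the thread or from any nss implementation). The directory entries, DNs and gidNumbers are constructed, and the DN normalisation is a simplification of real DN matching.

```python
# Constructed sample directory: group DN -> attributes (not from a real server).
# Groups list members by DN; a member DN may itself name another group.
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "gidNumber": 2000,
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "CN=admins,OU=groups,DC=example,DC=com"],  # nested group
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "gidNumber": 2001,
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "cn=ops,ou=groups,dc=example,dc=com"],     # nested group
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "gidNumber": 2002,
        # admins <-> ops form a cycle; resolution must still terminate.
        "member": ["uid=carol,ou=people,dc=example,dc=com",
                   "cn=admins,ou=groups,dc=example,dc=com"],
    },
}

def norm(dn):
    """Simplified DN normalisation (assumption): lower-case, trim each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_for(user_dn, directory=DIRECTORY):
    """Return the sorted gidNumbers of every group that contains user_dn,
    either directly or through groups nested by DN."""
    # Reverse index: member DN -> DNs of the groups that list it.
    parents = {}
    for group_dn, attrs in directory.items():
        for member in attrs.get("member", []):
            parents.setdefault(norm(member), set()).add(norm(group_dn))
    # Walk upwards from the user; 'seen' stops cycles from looping forever.
    seen, stack = set(), [norm(user_dn)]
    while stack:
        for group_dn in parents.get(stack.pop(), ()):
            if group_dn not in seen:
                seen.add(group_dn)
                stack.append(group_dn)
    by_dn = {norm(dn): attrs for dn, attrs in directory.items()}
    return sorted(by_dn[g]["gidNumber"] for g in seen)

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        print(uid, groups_for(f"uid={uid},ou=people,dc=example,dc=com"))
```

A resolver that stops at direct membership would report only 2001 for bob here, which is the kind of incomplete group mapping that changes what a user is authorised to access.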
