I'm having some trouble getting a Solaris 10u6 system to act as an LDAP client against Windows 2003 Active Directory servers, so that Solaris can get user and group information using NSS. I have user lookups working fine, which I verified using "getent passwd". Group lookups are partially working, but I can't see any group members. Our Red Hat Enterprise clients all perform user and group lookups without any trouble. I did a packet capture on both Solaris and Red Hat while doing "getent group", and it appears that Red Hat's NSS library queries the member attribute (a list of LDAP DNs which correspond to group members a la RFC 2307bis) whereas Solaris queries the memberUid attribute (a comma-delimited string of the group member user names, compliant with the original RFC 2307). The trouble is that I can't figure out what attributes to map to get Solaris to deal with the member attribute; simply mapping memberUid to member causes the user list to be the list of user DNs rather than resolving the DNs to user names.
If it helps, here's the output of "ldapclient list":

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 128.208.9.192, 128.208.10.192
NS_LDAP_SEARCH_BASEDN= ou=gsdir,dc=gs,dc=washington,dc=edu
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=gsdir,dc=gs,dc=washington,dc=edu?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=gsdir,dc=gs,dc=washington,dc=edu?sub
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=displayName
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:uniqueMember=member
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowLastChange=pwdLastSet
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

Can anyone give me a hand in figuring out the correct attribute mapping?

Thanks,

-- Skylar Thompson ([email protected])
-- http://www.cs.earlham.edu/~skylar/
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
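To make the RFC 2307 vs. RFC 2307bis difference described in the post concrete, here is an added example (not from the poster or from Solaris) that emulates both group-lookup styles against a small constructed in-memory directory: a "memberUid" mapping copies the values through untouched, while a "member" mapping needs a second lookup per DN to turn it into a login name. The DNs and attribute values are invented stand-ins under the poster's base DN, and the dangling-DN case is constructed to show why a resolver must tolerate members it cannot read.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]
BASE = "OU=gsdir,DC=gs,DC=washington,DC=edu"

# Constructed sample directory (DN -> attributes); keys are lower-cased because
# DNs compare case-insensitively. CN=ghost is deliberately absent so one member
# DN does not resolve, as happens when the bind identity cannot read the entry.
DIRECTORY: Dict[str, Entry] = {
    f"cn=alice,{BASE}".lower(): {"sAMAccountName": ["alice"], "uidNumber": ["1001"]},
    f"cn=bob,{BASE}".lower():   {"sAMAccountName": ["bob"],   "uidNumber": ["1002"]},
    f"cn=staff,{BASE}".lower(): {
        "gidNumber": ["500"],
        "member": [f"CN=alice,{BASE}", f"CN=bob,{BASE}", f"CN=ghost,{BASE}"],
    },
}
STAFF_DN = f"cn=staff,{BASE}".lower()


def members_rfc2307(group: Entry) -> List[str]:
    """RFC 2307 style: memberUid already holds login names, nothing to resolve.
    This is what Solaris does; pointing memberuid at 'member' therefore yields DNs."""
    return list(group.get("memberUid", []))


def members_rfc2307bis(group: Entry, directory: Dict[str, Entry],
                       uid_attr: str = "sAMAccountName") -> List[str]:
    """RFC 2307bis style: each 'member' value is a DN that must be resolved to a
    login name with a second lookup. Unresolvable DNs are skipped, not emitted."""
    names: List[str] = []
    for dn in group.get("member", []):
        entry = directory.get(dn.lower())
        if entry and entry.get(uid_attr):
            names.append(entry[uid_attr][0])
    return names


def getent_group_line(name: str, group: Entry, members: List[str]) -> str:
    """Render the group the way 'getent group' prints it."""
    return f"{name}:x:{group['gidNumber'][0]}:{','.join(members)}"


if __name__ == "__main__":
    staff = DIRECTORY[STAFF_DN]
    # Naive memberuid=member mapping: the member list is a list of DNs.
    print(getent_group_line("staff", staff, members_rfc2307({"memberUid": staff["member"]})))
    # DN-resolving lookup: the member list is the login names.
    print(getent_group_line("staff", staff, members_rfc2307bis(staff, DIRECTORY)))
```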
