Currently the Solaris nss_ldap [hence also ldapclient] only supports the memberUid attribute format for specifying users in a group.
The support for the uniqueMember attribute which requires recursive queries for each of the supplied DN values is not supported at this time.

So, I believe the answer to your question is no, in that we do not support processing of groups where the members are DNs to other groups and/or user entries at this time. We plan to add this at some point. We do not have a schedule at this time.

Doug.

Nicolas Williams wrote:
> On Mon, Sep 29, 2008 at 12:48:35PM -0400, HUGE | Rob Terhaar wrote:
>> Hi All,
>>
>> On our Solaris CIFS install, we're using IDMAP and ldapclient with win2k3
>> r2's SFU attributes to map permanent UID/GID's and other attributes to
>> users. One problem that we're running into is that Microsoft has two
>> separate places in AD for group membership, one for normal AD groups and one
>> for NIS groups.
>>
>> Is it possible to tell the Solaris ldap client to use the AD groups for
>> group membership instead of the SFU posix groups? I've attached a copy of
>> our current ldapclient join command, I hope it's as simple as modifying the
>> ldap attribute that Solaris uses to lookup group membership.
>
> Doug Leavitt (cc'ed) will probably know.
>
> Nico
>
>
>> /usr/sbin/ldapclient -v manual \
>> -a credentialLevel=proxy \
>> -a authenticationMethod=simple \
>> -a proxyDN=cn=user,dc=domain,dc=com \
>> -a proxyPassword=password \
>> -a defaultSearchBase=dc=domain,dc=com \
>> -a domainName=domain.com \
>> -a defaultServerList=dc1,dc2 \
>> -a attributeMap=group:userpassword=userPassword \
>> -a attributeMap=group:memberuid=memberUid \
>> -a attributeMap=group:gidnumber=gidNumber \
>> -a attributeMap=passwd:gecos=cn \
>> -a attributeMap=passwd:gidnumber=gidNumber \
>> -a attributeMap=passwd:uidnumber=uidNumber \
>> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
>> -a attributeMap=passwd:loginshell=loginShell \
>> -a attributeMap=shadow:shadowflag=shadowFlag \
>> -a attributeMap=shadow:userpassword=userPassword \
>> -a objectClassMap=group:posixGroup=group \
>> -a objectClassMap=passwd:posixAccount=user \
>> -a objectClassMap=shadow:shadowAccount=user \
>> -a serviceSearchDescriptor=passwd:dc=domain,dc=com?sub \
>> -a serviceSearchDescriptor=group:dc=domain,dc=com?sub
>>
>> _______________________________________________
>> cifs-discuss mailing list
>> [email protected]
>> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
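
An added illustration, not part of the thread and not Solaris or nss_ldap code: the recursive per-DN resolution that uniqueMember-style groups require, reduced to the flat name list a memberUid-only client can read. The directory contents, the `norm_dn` and `flatten_members` helpers, and the simplified DN matching are all assumptions made for the example; each dictionary lookup stands in for one LDAP query.

```python
# Constructed sample directory (not real data): DN -> attributes.
DIRECTORY = {
    "cn=staff,ou=groups,dc=domain,dc=com": {"uniqueMember": [
        "uid=alice,ou=people,dc=domain,dc=com",
        "cn=admins,ou=groups,dc=domain,dc=com",   # nested group
        "uid=ghost,ou=people,dc=domain,dc=com",   # dangling DN, no entry
    ]},
    "cn=admins,ou=groups,dc=domain,dc=com": {"uniqueMember": [
        "uid=bob,ou=people,dc=domain,dc=com",
        "cn=staff,ou=groups,dc=domain,dc=com",    # cycle back to staff
    ]},
    "uid=alice,ou=people,dc=domain,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=domain,dc=com": {"uid": ["bob"]},
}


def norm_dn(dn):
    """Case-fold and trim each RDN (simplified DN matching, an assumption)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def flatten_members(directory, group_dn, member_attr="uniqueMember"):
    """Resolve DN-valued members to (uids, unresolved DNs, lookup count)."""
    index = {norm_dn(dn): entry for dn, entry in directory.items()}
    uids, unresolved, seen = set(), set(), set()
    lookups = 0
    stack = [norm_dn(group_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:            # nested groups can reference each other
            continue
        seen.add(dn)
        entry = index.get(dn)     # stands in for one base-scope LDAP search
        lookups += 1
        if entry is None:
            unresolved.add(dn)    # report it; never guess a name from the RDN
        elif member_attr in entry:
            stack.extend(norm_dn(m) for m in entry[member_attr])
        else:
            uids.update(entry.get("uid", []))
    return sorted(uids), sorted(unresolved), lookups


if __name__ == "__main__":
    names, missing, queries = flatten_members(
        DIRECTORY, "cn=staff,ou=groups,dc=domain,dc=com")
    print("memberUid values:", names)
    print("unresolved DNs:", missing, "after", queries, "lookups")
```

Every distinct DN costs one lookup, and a membership that reaches a user only through a nested group is invisible to a client that reads memberUid alone.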
