Mark,
to answer your questions:
> I see this is referring to UNIX attributes within AD, but I'm curious about mapping to attributes in LDAP.
>
> => This gets mapped to 'idmap config ... : unix_primary_group' in the
> => internal config.
>
> Does that correspond to setting the smb.conf parameter
>
> unix_primary_group = yes
>
This corresponds to the smb.conf parameter 'idmap config DOMAIN :
unix_primary_group = yes'. This refers to the id mapping configuration
for the specified domain. See the idmap_ad man page for the Samba
documentation of this parameter.
> Specifically, under Spectrum Scale 5.0.2, if I run:
>
> mmuserauth service create --data-access-method file --ldapmap-domains "DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)" --type ad
>
> (some args removed in this example), will that map the user's primary group to
>
> the primaryGroupID supplied by AD
> or
> the primaryGroupID LDAP field
> or
> the gidNumber LDAP field
>
The primary group in this configuration is the primary group in
Active Directory. This is stored in Active Directory in the
primaryGroupID field that refers to the RID of the primary group (the
last part of the SID of the group). This id mapping method currently
does not read the gidNumber of the user. In theory it would be
possible to add this similar to the 'unix_primary_group' from above,
but that should be treated as a new feature and requesting that through
an RFE would be appropriate.
Regards,
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
[email protected] || +1-520-799-2469 (T/L: 321-2469)
----- Original message -----
From: [email protected]
To: gpfsug main discussion list <[email protected]>
Cc: [email protected]
Subject: [EXTERNAL] Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system
Date: Thu, Jul 25, 2019 4:31 PM
In the message dated: Thu, 24 May 2018 17:07:02 -0000,
The pithy ruminations from Christof Schmitt on
[Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system] were:
=>
Following up on an old, old post...
=> > Basically Samba ignores the separate GID field in RFC2307bis, so one
=> > imagines the options for changing the LDAP attributes are
=> > non-existent.
=>
=> mmuserauth now has an option to use either the gid from the actual primary
=> group or the gid defined for the user. See:
=>
=> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/
=> com.ibm.spectrum.scale.v5r00.doc/bl1adm_mmuserauth.htm
=>
=> --unixmap-domains unixDomainMap
=> [...]
=> win: Specifies the system to read the primary group set as Windows
=> primary group of a user on the Active Directory.
=> unix: Specifies the system to read the primary group as set in "UNIX
=> attributes" of a user on the Active Directory.
=> For example,
=> --unixmap-domains "MYDOMAIN1(20000-50000:unix);MYDOMAIN2
=> (100000-200000:win)"
I see this is referring to UNIX attributes within AD, but I'm curious about mapping to attributes in LDAP.
=> This gets mapped to 'idmap config ... : unix_primary_group' in the
=> internal config.
Does that correspond to setting the smb.conf parameter
unix_primary_group = yes
Specifically, under Spectrum Scale 5.0.2, if I run:
mmuserauth service create --data-access-method file --ldapmap-domains "DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)" --type ad
(some args removed in this example), will that map the user's primary group to
the primaryGroupID supplied by AD
or
the primaryGroupID LDAP field
or
the gidNumber LDAP field
or something else?
Thanks,
Mark
=>
=> Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
=> [email protected] || +1-520-799-2469 (T/L: 321-2469)
=>
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
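The following is an added worked example, not code from the thread, from Samba or from Spectrum Scale. It emulates the two primary-group lookups Christof's answer distinguishes: the 'win' mode (idmap_ad default, unix_primary_group = no), which follows the user's primaryGroupID RID under the domain SID to the group object and takes that group's gidNumber, and the 'unix' mode (unix_primary_group = yes), which takes the gidNumber stored on the user object. It also shows the check a practitioner would want before switching modes: users whose two candidate GIDs differ will get a different primary group on files they create. The domain SID, RIDs, gidNumber values and account names are constructed; the attribute names objectSid, primaryGroupID and gidNumber are the real AD/RFC2307 ones, and the binary objectSid layout is the documented one (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities).

```python
import struct

# --- SID helpers -----------------------------------------------------------

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary objectSid form AD returns."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(blob: bytes) -> str:
    """Decode binary objectSid back to its string form."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """AD stores only the RID in primaryGroupID; the group's SID is the
    user's domain SID (everything but the last component) plus that RID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)

# --- Constructed directory data (not from the post) ------------------------

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

USER = {
    "sAMAccountName": "mark",
    "objectSid": sid_to_bytes(DOMAIN_SID + "-1105"),
    "primaryGroupID": 513,   # RID of "Domain Users", the AD default
    "gidNumber": 20010,      # RFC2307 "UNIX attributes" on the user object
}

GROUPS = {  # keyed by group SID, as an idmap backend would look them up
    DOMAIN_SID + "-513":  {"cn": "Domain Users", "gidNumber": 20000},
    DOMAIN_SID + "-1200": {"cn": "project-a",    "gidNumber": 20010},
}

# --- The two mapping modes --------------------------------------------------

def resolve_primary_gid(user: dict, groups: dict, unix_primary_group: bool):
    """Emulates idmap_ad's primary-group choice.

    unix_primary_group=False ('win' in mmuserauth --unixmap-domains):
        follow primaryGroupID to the group object, use its gidNumber.
    unix_primary_group=True ('unix'):
        use the gidNumber on the user object itself.
    Returns None when the needed attribute is missing, i.e. the user
    would be unmapped in that mode."""
    if unix_primary_group:
        return user.get("gidNumber")
    user_sid = bytes_to_sid(user["objectSid"])
    group = groups.get(primary_group_sid(user_sid, user["primaryGroupID"]))
    return None if group is None else group.get("gidNumber")

def check_consistency(user: dict, groups: dict):
    """Return (consistent, win_gid, unix_gid). A mismatch means switching
    the mode changes the group ownership of files this user creates."""
    win = resolve_primary_gid(user, groups, unix_primary_group=False)
    unix = resolve_primary_gid(user, groups, unix_primary_group=True)
    return win == unix, win, unix

if __name__ == "__main__":
    sid = bytes_to_sid(USER["objectSid"])
    print("user SID:          ", sid)
    print("primary group SID: ", primary_group_sid(sid, USER["primaryGroupID"]))
    ok, win, unix = check_consistency(USER, GROUPS)
    print("win mode gid:  %s\nunix mode gid: %s\nconsistent:    %s" % (win, unix, ok))
```

Run over a real export of user and group entries, the consistency check lists exactly the accounts whose effective primary GID would change on a switch between the two --unixmap-domains modes, which is the thing to audit before touching an existing CES deployment.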
