Hi All,

On our Solaris AD integration, we're using idmap and ldapclient with Win2k3 R2's SFU attributes to map permanent UID/GIDs and other attributes to users. One problem that we're running into is that Microsoft has two separate places in AD for group membership, one for normal AD groups and one for NIS/SFU groups.
Is it possible to tell the Solaris LDAP client to use the AD groups for group membership instead of the NIS/SFU posix groups? I've attached a copy of our current ldapclient join command; I hope it's as simple as modifying the LDAP attribute that Solaris uses to look up group membership?

    /usr/sbin/ldapclient -v manual \
        -a credentialLevel=proxy \
        -a authenticationMethod=simple \
        -a proxyDN=cn=user,dc=domain,dc=com \
        -a proxyPassword=password \
        -a defaultSearchBase=dc=domain,dc=com \
        -a domainName=domain.com \
        -a defaultServerList=dc1,dc2 \
        -a attributeMap=group:userpassword=userPassword \
        -a attributeMap=group:memberuid=memberUid \
        -a attributeMap=group:gidnumber=gidNumber \
        -a attributeMap=passwd:gecos=cn \
        -a attributeMap=passwd:gidnumber=gidNumber \
        -a attributeMap=passwd:uidnumber=uidNumber \
        -a attributeMap=passwd:homedirectory=unixHomeDirectory \
        -a attributeMap=passwd:loginshell=loginShell \
        -a attributeMap=shadow:shadowflag=shadowFlag \
        -a attributeMap=shadow:userpassword=userPassword \
        -a objectClassMap=group:posixGroup=group \
        -a objectClassMap=passwd:posixAccount=user \
        -a objectClassMap=shadow:shadowAccount=user \
        -a serviceSearchDescriptor=passwd:dc=domain,dc=com?sub \
        -a serviceSearchDescriptor=group:dc=domain,dc=com?sub
