Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.2

Exit Print View

 
Updated: July 2014
 
 

How to Extend the Native LDAP Schema, and User and Group Entries

This procedure describes how to extend the native LDAP schema and populate the user and group objects with the associated Windows names.

Note -  Perform this task before enabling directory-based mapping on your Oracle Solaris system.
  1. (Optional) Extend the native LDAP schema to add the new Windows user and group attributes.
    Note -  If you do not want to extend the native LDAP schema, you can use an existing native LDAP schema attribute to store Windows user and group name information. For instance, if you already have a schema like the one in Example 2–3, you can use your attributes instead of creating new ones.
    1. Create an LDAP Data Interchange Format (LDIF) file to describe the native LDAP schema changes.

      For sample LDIF file contents, see Example 2–3.

    2. Load the schema changes into native LDAP. 
      $ ldapmodify -D cn=admin -w p -f input-file
  2. Populate the native LDAP user and group objects with the new attributes and their values.

    You can use the idmap set-namemap command to populate user and group objects. See How to Add a Directory-Based Name Mapping to a User or Group Object.

    1. Create an LDIF file to record the updates to the native LDAP user and group objects.

      See the sample LDIF file in Example 2–4. For more information about the LDIF file format, see RFC 2849.

    2. Update the user objects on the native LDAP server. 
      $ ldapmodify -h LDAP-server-name -o mech=gssapi -o authzid='' -f input-file
Example 2-3  Extending the Native LDAP Schema

This example shows a sample LDIF file, nldap_namemap_schema.ldif, that describes the native LDAP schema changes:

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.42.2.27.5.1.62
   NAME 'winAccountName'
   DESC 'Windows user or group name corresponding to a Unix user or group'
   EQUALITY caseIgnoreMatch
   SUBSTRINGS caseIgnoreSubstringsMatch
   ORDERING caseIgnoreOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.5.2.16
   NAME 'winAccount'
   DESC 'Auxiliary class to store Windows name mappings in Unix user/group objects'
   SUP top
   AUXILIARY
   MAY winAccountName )

Load the schema changes into native LDAP:

$ ldapmodify -D cn=admin -w - -f nldap_namemap_schema.ldif
Enter bind password:
modifying entry cn=schema
Example 2-4  Populating Native LDAP User and Group Objects

The following example has Oracle Solaris users tmw, crj, and dab stored in native LDAP. These Oracle Solaris users are associated with the Windows users john, george, and mary, respectively, all in the domain example.com.

This example shows how to add the Windows user names to the appropriate user objects in native LDAP by using the ldapmodify command.

First, create an input file, updateUsers, that associates the Oracle Solaris names with the Windows names:

$ cat updateUsers
dn: uid=tmw,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountName
winAccountName: [email protected]

dn: uid=crj,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountame
winAccountame: [email protected]

dn: uid=dab,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountame
winAccountame: [email protected]
$

Then, run the ldapmodify command to update the user objects on the native LDAP server, neptune:

$ ldapmodify -h neptune -o mech=gssapi -o authzid='' -f updateUsers
Copyright © 2007, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous
Next