I think you are getting to the root of the problem. So, to give you some of the problems: isMemberOf does not exist; we have to use memberOf.
nsUniqueId: we have to use objectGUID.
No uniqueMember; again, we can only use memberOf.
While there is a guarantee of person, there is not the same for posixAccount or shadowAccount.
While I have been able to get Linux with SSSD to work, to some extent, with this, it's rather hit and miss, and the Solaris systems just won't work at all. This is why I was hoping to be able to use the campus for the username and password, and then provide the rest from a local LDAP server. It doesn't sound like this is really possible.
saslauthd did not work at all with the MS LDS. What is a parallel or overlay directory service?
Daniel
________________________________________
From: Andrew Findlay andrew.findlay@skills-1st.co.uk
Sent: Monday, April 27, 2015 12:07 PM
To: Ross, Daniel B.
Cc: openldap-technical@openldap.org
Subject: Re: Ldap challenge
On Wed, Apr 22, 2015 at 08:08:11PM +0000, Ross, Daniel B. wrote:
> What I need to do is continue to use the campus usernames and passwords but present the data in a format that my Linux/Unix hosts can use. Is this possible?
Probably, but I don't think you have given us enough information so far.
> i.e. userid would still be samwise but instead of a bizarre OU=monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=com.
I assume the latter DN should be O=people,dc=example,dc=com
If this is your main problem then it may not need solving on the server side. There is no fixed rule about the structure of a base DN used for Linux and Unix LDAP authentication. You should be able to work with any DN structure, provided that you know where to base your searches and provided you can do one-level or subtree searches on the AD service to find what you need.
> I looked at referral and aliasing but it does not seem to be doing what I am trying to do. Pass-through authentication looks close but I can't find sufficient documentation to actually configure a system to use it.
Does the campus AD service contain everything that Linux/Unix would need? e.g. does it have:
  Username (almost certain - called samAccountName in AD)
  Unix numeric UID
  Unix numeric GID
  Unix homedir
  Unix shell
  Something to use for GECOS (optional)
It does not matter what those attributes are called in AD as you can set the clients to work with whatever you have, but they *do* have to be present. It used to be necessary to load a Microsoft package called SFU (Services For Unix) to support this, but I think more recent versions of AD already have schema for it by default.
If you don't have at least that set of attributes with sensible values to work with then you will have to maintain a parallel or overlay directory service. There are several ways to do that, so let's start by establishing what you have!
Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|   http://www.skills-1st.co.uk/                   +44 1628 782565    |
-----------------------------------------------------------------------
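The check Andrew asks for above (do the campus entries actually carry the attributes a Linux/Unix client needs, and does the odd OU path matter?) and Daniel's point that only memberOf is available for group membership can both be exercised offline before touching SSSD. The following is an added example, not code from either poster or from OpenLDAP: it parses a constructed LDIF sample of two AD-style user entries, applies a client-side attribute map in the spirit of SSSD's ldap_user_* options, confirms that any base DN works with a subtree or one-level scope, and renders usable entries as passwd(5) lines while listing what is missing on the others. The attribute names in AD_MAP (sAMAccountName, uidNumber, gidNumber, unixHomeDirectory, loginShell, displayName) are assumed to be what the campus directory exposes via the RFC 2307/SFU schema; adjust them to match the real directory.

```python
"""Verify that AD / AD-LDS user entries carry what a Linux/Unix LDAP client
needs, independent of how the DIT is laid out.  Added example; sample data
is constructed, attribute names are assumptions."""
import re

# Client-side attribute map, modelled on SSSD's ldap_user_* options.
# ASSUMED names: change them to whatever the campus directory really uses.
AD_MAP = {
    "name": "sAMAccountName",
    "uid": "uidNumber",
    "gid": "gidNumber",
    "home": "unixHomeDirectory",
    "shell": "loginShell",
    "gecos": "displayName",      # optional
}
REQUIRED = ("name", "uid", "gid", "home", "shell")

# CONSTRUCTED sample: one entry with POSIX attributes populated, one without,
# both under the awkward OU mentioned in the thread.
SAMPLE_LDIF = """\
dn: CN=samwise,OU=monkeypeople,DC=example,DC=com
objectClass: user
sAMAccountName: samwise
displayName: Samwise Gamgee
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/samwise
loginShell: /bin/bash
memberOf: CN=hobbits,OU=groups,DC=example,DC=com
memberOf: CN=fellowship,OU=groups,DC=example,DC=com

dn: CN=gollum,OU=monkeypeople,DC=example,DC=com
objectClass: user
sAMAccountName: gollum
displayName: Smeagol
memberOf: CN=hobbits,OU=groups,DC=example,DC=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines, multi-valued attributes collected in order.  Attribute names are
    case-insensitive in LDAP, so keys are lower-cased.  No base64 or line
    continuation support -- enough for the constructed sample."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def in_search_base(dn, base, scope="sub"):
    """Scope test as the client performs it: the entry only has to sit under
    the configured base; the names of the intermediate RDNs are irrelevant.
    Case- and whitespace-insensitive; does not handle quoted commas."""
    dn_l = dn.lower().replace(" ", "")
    base_l = base.lower().replace(" ", "")
    if dn_l == base_l:
        return scope == "sub"
    if not dn_l.endswith("," + base_l):
        return False
    if scope == "sub":
        return True
    rel = dn_l[: -(len(base_l) + 1)]       # part of the DN above the base
    return "," not in rel                   # one-level: exactly one RDN


def to_passwd(entry, attr_map=AD_MAP):
    """Return (passwd_line, missing_attrs).  passwd_line is None unless every
    required attribute is present with a value."""
    def get(key):
        vals = entry.get(attr_map[key].lower())
        return vals[0] if vals else None
    missing = [attr_map[k] for k in REQUIRED if get(k) is None]
    if missing:
        return None, missing
    gecos = get("gecos") or get("name")
    line = "%s:x:%s:%s:%s:%s:%s" % (
        get("name"), get("uid"), get("gid"), gecos, get("home"), get("shell"))
    return line, []


def groups_of(entry):
    """Group names from memberOf, the server-maintained back-link that AD and
    AD-LDS expose on the user entry (no isMemberOf, no uniqueMember here)."""
    names = []
    for value in entry.get("memberof", []):
        m = re.match(r"cn=([^,]+)", value, re.I)
        if m:
            names.append(m.group(1))
    return names


def check_directory(ldif_text, base, scope="sub", attr_map=AD_MAP):
    """Map every in-scope entry to (passwd_line, missing), keyed by DN."""
    results = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        if in_search_base(dn, base, scope):
            results[dn] = to_passwd(entry, attr_map)
    return results


if __name__ == "__main__":
    for dn, (line, missing) in check_directory(SAMPLE_LDIF, "DC=example,DC=com").items():
        print(dn, "->", line if line else "unusable, missing " + ", ".join(missing))
```

Run it against a real export (ldapsearch -LLL output in LDIF) to get a per-entry list of which POSIX attributes are absent; entries reported as unusable are exactly the ones that would need a parallel or overlay directory to fill in.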