Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.2


Updated: July 2014

How to Configure Directory-Based Mapping

Before You Begin

Before you can enable directory-based mapping on your Oracle Solaris system, you must extend the AD schema, the native LDAP schema, or both, and populate the user and group objects with the associated Oracle Solaris names. See How to Extend the Active Directory Schema, and User and Group Entries and How to Extend the Native LDAP Schema, and User and Group Entries.

  1. Enable directory-based mapping.
    # svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: name

      The directory_based_mapping property controls support for identity mapping that uses data stored in a directory service. The value of the directory_based_mapping property can be one of the following:

    • none: Disables directory-based mapping.

    • name: Enables name-based mapping by using the config/ad_unixuser_attr, config/ad_unixgroup_attr, and config/nldap_winname_attr properties. These properties are described on the idmap(1M) man page.

    • idmu: Enables mapping by using Identity Management for UNIX (IDMU).

  2. Inform the idmap service about the new user and group attributes depending on the directory service or services you plan to use.

    Note - These properties have no default values. If the property for a naming service is not set, directory-based mapping is effectively disabled for that naming service, without any error being reported.

    In an environment that stores user and group name information in both Active Directory and native LDAP, issue the commands for each naming service.

    • For Active Directory, inform the idmap service about the new Active Directory UNIX user and group attributes.
      # svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: \
      attribute-name
      # svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: \
      attribute-name

      attribute-name is the attribute name for the UNIX user or group name to be stored in AD.

      The following example specifies the unixGroupName and unixUserName attribute names for the UNIX group and user names, respectively.

      # svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: \
      unixGroupName
      # svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: \
      unixUserName
    • For native LDAP, inform the idmap service about the new native LDAP Windows name attribute.
      # svccfg -s svc:/system/idmap setprop \
      config/nldap_winname_attr=astring: attribute-name

      attribute-name is the attribute name for the Windows name to be stored in native LDAP.

      The following example specifies the winAccountName attribute name for the Windows name.

      # svccfg -s svc:/system/idmap setprop \
      config/nldap_winname_attr=astring: winAccountName
  3. Refresh the identity mapping service.
    # svcadm refresh svc:/system/idmap
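The three steps above, driven from one script, as an added example that is not part of the Oracle Solaris manual. svccfg, svcadm and svcprop are the real Oracle Solaris SMF commands; the function names (validate_mapping_mode, configure_directory_mapping, unset_attrs and so on) are this example's own. It validates the mode and the attribute names before they reach svccfg, logs the exact command it runs for each property, and after the refresh reads the properties back to flag the failure mode the note in step 2 describes: mode name with an attribute property left unset, which silently disables mapping for that naming service.

```shell
#!/bin/sh
# Added example, not code from the Oracle Solaris manual. It drives the three
# steps of the procedure from one function with input validation and a
# read-back check. svccfg, svcadm and svcprop are the real Oracle Solaris SMF
# commands; the function names below are this example's own.

IDMAP_FMRI=svc:/system/idmap

# Step 1: the mode must be one of the three values the manual documents.
validate_mapping_mode() {
    case "$1" in
        none|name|idmu) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: an LDAP attribute name is a letter followed by letters, digits or
# hyphens. Anything else (empty string, spaces, shell metacharacters) is
# rejected before it reaches svccfg.
validate_attr_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9-]*) return 1 ;;
        [A-Za-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the svccfg command for one property, so each change can be
# reviewed and logged before it is applied.
setprop_cmd() {
    printf 'svccfg -s %s setprop %s=astring: %s\n' "$IDMAP_FMRI" "$1" "$2"
}

# Apply one property: log the exact command, then run it.
set_idmap_prop() {
    setprop_cmd "$1" "$2"
    svccfg -s "$IDMAP_FMRI" setprop "$1=astring:" "$2"
}

# Read a property back; prints nothing if the property is unset.
get_idmap_prop() {
    svcprop -p "$1" "$IDMAP_FMRI" 2>/dev/null
}

# Given the three attribute values (AD user, AD group, native LDAP Windows
# name), print the property names that are empty. Per the note in step 2,
# an unset attribute leaves directory-based mapping disabled for that
# naming service, so empty output is the only fully configured state.
unset_attrs() {
    [ -n "$1" ] || echo config/ad_unixuser_attr
    [ -n "$2" ] || echo config/ad_unixgroup_attr
    [ -n "$3" ] || echo config/nldap_winname_attr
}

# Steps 1 to 3 in order. Usage on a Solaris host, as root:
#   configure_directory_mapping name unixUserName unixGroupName winAccountName
# Pass "" for an attribute belonging to a directory service you do not use.
configure_directory_mapping() {
    mode=$1 ad_user=$2 ad_group=$3 nldap_win=$4
    validate_mapping_mode "$mode" || {
        echo "invalid directory_based_mapping value: $mode" >&2; return 1; }
    for a in "$ad_user" "$ad_group" "$nldap_win"; do
        [ -z "$a" ] || validate_attr_name "$a" || {
            echo "invalid attribute name: $a" >&2; return 1; }
    done
    set_idmap_prop config/directory_based_mapping "$mode"
    [ -z "$ad_user" ]   || set_idmap_prop config/ad_unixuser_attr "$ad_user"
    [ -z "$ad_group" ]  || set_idmap_prop config/ad_unixgroup_attr "$ad_group"
    [ -z "$nldap_win" ] || set_idmap_prop config/nldap_winname_attr "$nldap_win"
    svcadm refresh "$IDMAP_FMRI"
    # Read back what the service will actually use and flag the silent
    # failure mode: mode "name" with an attribute property left unset.
    if [ "$(get_idmap_prop config/directory_based_mapping)" = name ]; then
        unset_attrs "$(get_idmap_prop config/ad_unixuser_attr)" \
                    "$(get_idmap_prop config/ad_unixgroup_attr)" \
                    "$(get_idmap_prop config/nldap_winname_attr)" |
        while read -r p; do
            echo "warning: $p is unset; mapping is disabled for that service" >&2
        done
    fi
}

# Only act when invoked with arguments on a host that has SMF; otherwise
# the file just defines the functions (for example when sourced).
if [ $# -gt 0 ] && command -v svccfg >/dev/null 2>&1; then
    configure_directory_mapping "$@"
fi
```

The read-back uses svcprop rather than trusting the commands that were just run, so a typo in a property name (which svccfg would accept as a new, unrelated property) shows up as a warning instead of as Windows identities that quietly fail to map.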