Before you can enable directory-based mapping on your Solaris system, you must extend the AD schema, the native LDAP schema, or both, and populate the user and group objects with the associated Solaris names. See How to Extend the Active Directory Schema, and User and Group Entries and How to Extend the Native LDAP Schema, and User and Group Entries.
Enable directory-based mapping.
# svccfg -s svc:/system/idmap setprop config/ds_name_mapping_enabled=boolean: true
Inform the idmap service about the new user and group attributes.
To fully enable directory-based mapping, you must specify values for the following properties depending on the directory service or services you plan to use:
config/ad_unixuser_attr
config/ad_unixgroup_attr
config/nldap_winname_attr
These properties do not have default values. If the properties are not set, directory-based mapping is effectively disabled for the corresponding naming service.
In an environment that stores user and group name information in both Active Directory and native LDAP, perform the steps for each naming service.
For Active Directory, inform the idmap service about the new Active Directory UNIX user and group attributes.
# svccfg -s svc:/system/idmap setprop \
config/ad_unixuser_attr=astring: attribute-name
# svccfg -s svc:/system/idmap setprop \
config/ad_unixgroup_attr=astring: attribute-name
attribute-name is the attribute name you choose for the UNIX user or group name to be stored in AD.
For example, the following specifies the unixGroupName and unixUserName attribute names for the UNIX group and user names, respectively:
# svccfg -s svc:/system/idmap setprop \
config/ad_unixgroup_attr=astring: unixGroupName
# svccfg -s svc:/system/idmap setprop \
config/ad_unixuser_attr=astring: unixUserName
For native LDAP, inform the idmap service about the new native LDAP Windows name attribute.
# svccfg -s svc:/system/idmap setprop \
config/nldap_winname_attr=astring: attribute-name
attribute-name is the attribute name you choose for the Windows name to be stored in native LDAP.
For example, the following specifies the winAccountName attribute name for the Windows name:
# svccfg -s svc:/system/idmap setprop \
config/nldap_winname_attr=astring: winAccountName
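Because the attribute properties have no defaults, a system where ds_name_mapping_enabled is true but one of them is missing silently falls back to non-directory mapping for that naming service. The following script is an added example, not part of the Oracle documentation: it audits the idmap properties that the procedure above sets, using the output of `svccfg -s svc:/system/idmap listprop config` (assumed here to be one `config/name type value` line per property). The sample input at the bottom is constructed, with ad_unixgroup_attr deliberately left unset so that the check reports it. The function names (prop_value, check_dbm_config) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): audit the idmap
# properties that directory-based mapping depends on.
#
# Input is the text produced by
#   svccfg -s svc:/system/idmap listprop config
# assumed to be one property per line: "config/<name> <type> <value>".

# prop_value LISTPROP_TEXT NAME -> prints the value of config/NAME ("" if unset)
prop_value() {
    printf '%s\n' "$1" | awk -v want="config/$2" '$1 == want { print $3; exit }'
}

# check_dbm_config LISTPROP_TEXT SERVICES
# SERVICES names the naming services in use: "ad", "nldap" or "ad nldap".
# Prints one line per finding; returns 0 when directory-based mapping is
# fully enabled for every requested service, 1 otherwise.
check_dbm_config() {
    listprop=$1
    services=$2
    rc=0

    # The master switch from the first step of the procedure.
    enabled=$(prop_value "$listprop" ds_name_mapping_enabled)
    if [ "$enabled" != "true" ]; then
        echo "config/ds_name_mapping_enabled is '${enabled:-unset}'; directory-based mapping is off"
        rc=1
    fi

    # The per-service attribute properties, which have no default values.
    for svc in $services; do
        case $svc in
            ad)    attrs="ad_unixuser_attr ad_unixgroup_attr" ;;
            nldap) attrs="nldap_winname_attr" ;;
            *)     echo "unknown naming service '$svc'"; rc=1; continue ;;
        esac
        for a in $attrs; do
            v=$(prop_value "$listprop" "$a")
            if [ -z "$v" ]; then
                echo "config/$a is unset; directory-based mapping is effectively disabled for $svc"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample listprop output: ad_unixgroup_attr is intentionally missing.
SAMPLE='config/ds_name_mapping_enabled boolean true
config/ad_unixuser_attr astring unixUserName
config/nldap_winname_attr astring winAccountName'

check_dbm_config "$SAMPLE" "ad nldap" ||
    echo "set the missing properties, then refresh the service: svcadm refresh svc:/system/idmap"
```

On a live system, replace the constructed SAMPLE with the real listprop output, for example `check_dbm_config "$(svccfg -s svc:/system/idmap listprop config)" "ad nldap"`. After changing any of these properties with setprop, run `svcadm refresh svc:/system/idmap` so that the running idmap service reads the new values.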