This procedure shows how to extend the AD schema and populate the user and group objects with the associated Solaris names.
Perform this task before enabling directory-based mapping on your Solaris system.
(Optional) Extend the AD schema to add the new UNIX user and group attributes.
If you do not want to extend the AD schema, you can use an existing AD schema attribute to store UNIX user and group name information. For instance, if you already have schema that is comparable to what is described in Example 2–1, you can use your attributes instead of creating new ones.
Create an LDAP Data Interchange Format (LDIF) file to describe the AD schema changes.
For sample LDIF file contents, see Example 2–1. Also see Extending Your Active Directory Schema in Windows Server 2003 R2 and Step-by-Step Guide to Using Active Directory Schema and Display Specifiers on the Microsoft TechNet web site.
Use the ldifde tool to load the schema changes into AD from the Windows server.
Schema changes are accepted only on the domain controller that holds the schema master role, and only from an account that is a member of the Schema Admins group. A schema addition is permanent: an attribute or class can later be made defunct but cannot be deleted, so review the LDIF file carefully before loading it.
C:\> ldifde -v -i -f input-file
Use the ldapmodify command to populate the AD user and group objects with the new attributes and their values.
You can use the idmap set-namemap command to populate user and group objects. See How to Add a Directory-Based Name Mapping to a User Object and How to Add a Directory-Based Name Mapping to a Group Object.
You can also use any of the Windows AD utilities to populate these objects.
Create an LDIF file to record the updates to the AD user and group objects.
See a sample LDIF file in Example 2–2. For more information about the LDIF file format, see RFC 2849.
Use the kinit command to obtain a Kerberos ticket-granting ticket (TGT) for a privileged AD principal.
This principal will be used by the ldapmodify command to update the AD objects described in the file you created in the previous substep.
For example:
$ kinit Administrator
Password for Administrator@EXAMPLE.COM:
Use the ldapmodify command to update the user objects on the AD server.
$ ldapmodify -h AD-server-name -o mech=gssapi -o authzid='' -f input-file
Example 2–1 Extending the AD Schema
The following LDIF example file, ad_namemap_schema.ldif, describes the AD schema changes:
dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixUserName
adminDescription: This attribute contains the object's UNIX username
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixGroupName
adminDescription: This attribute contains the object's UNIX groupname
objectClass: attributeSchema
oMSyntax: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
adminDescription: Auxiliary class to store UNIX name info in AD
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top
Use the ldifde tool to load the schema changes into AD from the Windows server:
C:\> ldifde -v -i -f ad_namemap_schema.ldif
Example 2–2 Adding Solaris User Names to AD User Objects
The following example has Windows users terry, cal, and dana stored in Active Directory. These Windows users are associated with the Solaris users tmw, crj, and dab, respectively.
This example shows how to add the Solaris user names to the appropriate user objects in AD by using the ldapmodify command.
First, create an input file, updateUsers, that associates the Windows names with the Solaris names:
$ cat updateUsers
dn: CN=Terry Walters,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: tmw

dn: CN=Cal Jamieson,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: crj

dn: CN=Dana Bloom,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: dab
Next, use the kinit command to obtain a TGT for a privileged principal:
$ kinit Administrator
Password for Administrator@EXAMPLE.COM:
Finally, run the ldapmodify command to update the user objects on the AD server, saturn:
$ ldapmodify -h saturn -o mech=gssapi -o authzid='' -f updateUsers
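Example 2–2 writes the updateUsers file by hand. The following Python script is an added example, not code from the Solaris documentation, that generates the same kind of ldapmodify input from a mapping table and checks it before anything is sent to AD. Two details are assumptions of this example rather than of the page: the mapping is kept as a text table with one "DN<TAB>unixname" per line, and each record uses replace rather than add, so that re-running the file does not fail with a constraint violation on the single-valued unixUserName attribute. The checks are the ones a practitioner wants before handing out Solaris identities: every name is a valid login name, and no two AD objects map to the same Solaris name, since a shared mapping would let one Windows user act as another Solaris user. Values are written according to RFC 2849 (base64 for unsafe values, folding at 76 columns).

```python
"""Generate and sanity-check the LDIF that records directory-based name
mappings (unixUserName / unixGroupName) on AD user and group objects.

Added example, not code from the Solaris documentation it accompanies.
Assumptions not taken from the page: the mapping is a text table with one
"DN<TAB>unixname" per line, and 'replace' is used instead of 'add' so the
file can be re-applied without a constraint violation on the single-valued
attribute.
"""
import base64
import re

# Accept only a portable login/group name: first char alphanumeric, '.' or '_',
# then [A-Za-z0-9._-], at most 32 characters in total.
_NAME_RE = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]{0,31}$")

# RFC 2849: a value may be written in clear text only if it starts with a
# SAFE-INIT-CHAR (not space, ':' or '<'), contains only SAFE-CHARs and does
# not end in a space. This check is stricter (printable ASCII only); anything
# else is emitted base64-encoded after 'attr::'.
_SAFE_INIT = {chr(c) for c in range(0x21, 0x7F)} - {":", "<"}
_SAFE_REST = {chr(c) for c in range(0x20, 0x7F)}


def ldif_value(attr, value):
    """Return one LDIF attribute line, base64-encoding and folding as needed."""
    plain = (bool(value) and value[0] in _SAFE_INIT
             and all(ch in _SAFE_REST for ch in value) and not value.endswith(" "))
    if plain:
        line = f"{attr}: {value}"
    else:
        line = f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    # Fold at 76 columns; every continuation line starts with a single space.
    chunks, rest = [line[:76]], line[76:]
    while rest:
        chunks.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(chunks)


def check_mapping(mapping_table):
    """Parse the table into [(dn, unix_name)] and collect problems.

    A duplicate Solaris name is an error: two AD objects mapping to the same
    Solaris identity means one Windows user could act as another.
    """
    rows, problems, seen_name, seen_dn = [], [], {}, set()
    for lineno, raw in enumerate(mapping_table.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 1)
        if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
            problems.append(f"line {lineno}: expected 'DN<TAB>unixname'")
            continue
        dn, name = parts[0].strip(), parts[1].strip()
        if not _NAME_RE.match(name):
            problems.append(f"line {lineno}: {name!r} is not a valid Solaris name")
        elif name in seen_name:
            problems.append(f"line {lineno}: {name!r} already mapped to {seen_name[name]}")
        if dn.lower() in seen_dn:
            problems.append(f"line {lineno}: {dn!r} listed more than once")
        seen_name.setdefault(name, dn)
        seen_dn.add(dn.lower())
        rows.append((dn, name))
    return rows, problems


def build_namemap_ldif(mapping_table, attr):
    """Return ldapmodify input for the table, or raise ValueError listing all problems."""
    if attr not in ("unixUserName", "unixGroupName"):
        raise ValueError(f"unexpected attribute {attr!r}")
    rows, problems = check_mapping(mapping_table)
    if problems:
        raise ValueError("; ".join(problems))
    records = []
    for dn, name in rows:
        records.append("\n".join([ldif_value("dn", dn), "changetype: modify",
                                  f"replace: {attr}", ldif_value(attr, name), "-"]))
    return "\n\n".join(records) + "\n"


# Constructed sample data mirroring Example 2-2 (tab-separated).
SAMPLE_USERS = (
    "# Windows user DN<TAB>Solaris login\n"
    "CN=Terry Walters,CN=Users,DC=example,DC=com\ttmw\n"
    "CN=Cal Jamieson,CN=Users,DC=example,DC=com\tcrj\n"
    "CN=Dana Bloom,CN=Users,DC=example,DC=com\tdab\n"
)

if __name__ == "__main__":
    # Redirect the output to a file and pass it to
    # ldapmodify -h AD-server-name -o mech=gssapi -o authzid='' -f <file>
    print(build_namemap_ldif(SAMPLE_USERS, "unixUserName"), end="")
```

Run the script with its output redirected to a file and pass that file to ldapmodify with the same GSSAPI options shown in the procedure; a table of group DNs with the attribute name unixGroupName produces the corresponding group update file. Because the records use replace, the same file can be re-applied after a correction without first removing the old value.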