The identity mapping service creates and maintains a database of mappings between Windows SIDs and Unix UIDs and GIDs. Three different mapping approaches are available; if none of them yields a mapping for a given identity, the service creates an ephemeral mapping, which assigns a temporary UID or GID that has no meaning outside the local system. The following mapping modes are available:
The rule-based mapping approach involves creating rules that map identities by name. Each rule establishes an equivalence between a Windows identity (a user or group, optionally qualified by domain) and a Unix identity, and rules may use wildcards so that one rule covers many names.
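As an added illustration (not code from the original page or from the identity mapping service itself), the following Python models how name-based rules are evaluated and why rule precedence and deny rules matter. The rule format, the exact-before-wildcard precedence, the treatment of a deny rule as "ephemeral only", the `PASSWD` table and the ephemeral ID range are this model's own assumptions, not a description of the service's CLI or internals. The point it demonstrates is that a wildcard rule copying every domain user to the same-named Unix account lets a Windows account named `root` obtain UID 0 unless a more specific rule prevents it.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Start of the ephemeral ID range used by this model (assumed value; the page
# does not state where the real service allocates ephemeral IDs).
EPHEMERAL_BASE = 2**31


@dataclass(frozen=True)
class Rule:
    """One name-based rule. The format is this example's own, not the service's syntax."""
    win: str    # Windows name, e.g. "jdoe@EXAMPLE.COM"; "*" matches any run of characters
    unix: str   # Unix name; "*" copies the Windows name (as spelled) minus the domain; "" denies
    kind: str   # "user" or "group"


def match_rule(rules: List[Rule], win_name: str, kind: str) -> Optional[Rule]:
    """Pick the rule for win_name: an exact (wildcard-free) rule always beats a
    wildcard rule, and among wildcard rules the first listed wins. Windows names
    compare case-insensitively."""
    key = win_name.lower()
    for r in rules:
        if r.kind == kind and "*" not in r.win and r.win.lower() == key:
            return r
    for r in rules:
        if r.kind == kind and "*" in r.win and fnmatch.fnmatchcase(key, r.win.lower()):
            return r
    return None


class Mapper:
    def __init__(self, rules: List[Rule], passwd: Dict[str, int]):
        self.rules = rules
        self.passwd = passwd                  # constructed stand-in for the Unix name service
        self.ephemeral: Dict[str, int] = {}   # Windows name -> ephemeral UID, memory only
        self.next_ephemeral = EPHEMERAL_BASE

    def _ephemeral(self, win_name: str) -> Tuple[int, str]:
        # The same Windows identity must keep the same ephemeral ID while the
        # service runs, so remember what has already been handed out.
        if win_name not in self.ephemeral:
            self.ephemeral[win_name] = self.next_ephemeral
            self.next_ephemeral += 1
        return self.ephemeral[win_name], "ephemeral"

    def resolve_uid(self, win_name: str) -> Tuple[int, str]:
        """Map a Windows user name to a UID and report which path produced it."""
        rule = match_rule(self.rules, win_name, "user")
        if rule is None or rule.unix == "":
            # No rule, or an explicit deny: the identity only ever gets an ephemeral UID.
            return self._ephemeral(win_name)
        unix = win_name.split("@", 1)[0] if rule.unix == "*" else rule.unix
        if unix in self.passwd:
            return self.passwd[unix], f"rule {rule.win} -> {unix}"
        # The rule named a Unix account that does not exist: nothing to map to.
        return self._ephemeral(win_name)


PASSWD = {"root": 0, "jdoe": 1001}   # constructed

# A single wildcard rule copies every domain user to the same-named Unix user.
RULES_UNSAFE = [Rule("*@EXAMPLE.COM", "*", "user")]
# The same rule, guarded by a deny rule for the name that would land on UID 0.
RULES_SAFE = [Rule("root@EXAMPLE.COM", "", "user"),
              Rule("*@EXAMPLE.COM", "*", "user")]


def demo() -> Dict[str, Tuple[int, str]]:
    unsafe = Mapper(RULES_UNSAFE, PASSWD)
    safe = Mapper(RULES_SAFE, PASSWD)
    return {
        "unsafe_root": unsafe.resolve_uid("root@EXAMPLE.COM"),         # (0, 'rule *@EXAMPLE.COM -> root')
        "safe_root": safe.resolve_uid("root@EXAMPLE.COM"),             # (2**31, 'ephemeral')
        "jdoe": safe.resolve_uid("jdoe@EXAMPLE.COM"),                  # (1001, 'rule *@EXAMPLE.COM -> jdoe')
        "no_unix_account": safe.resolve_uid("contractor@EXAMPLE.COM"), # (2**31 + 1, 'ephemeral')
        "other_domain": safe.resolve_uid("jdoe@OTHER.COM"),            # (2**31 + 2, 'ephemeral')
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The order in which the deny rule and the wildcard rule are listed does not matter in this model, because an exact rule is always consulted first; in a real deployment, check how the service you are configuring orders its rules before relying on a guard like this.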
Directory-based mapping involves annotating an LDAP or Active Directory object with information about how the identity maps to an equivalent identity on the opposite platform. The following properties name the directory attributes the service reads, and must be set when directory-based mapping is used:
AD Attribute - Unix User Name - The AD attribute that holds the name of the equivalent Unix user
AD Attribute - Unix Group Name - The AD attribute that holds the name of the equivalent Unix group
Native LDAP Attribute - Windows User Name - The LDAP attribute that holds the name of the equivalent Windows identity
Because these attributes hold names rather than numeric IDs, the named Unix user or group must also resolve through the system's name service before a mapping results. The CLI property names are shorter versions of those listed above.
For information on augmenting the Active Directory or the LDAP schemas, see the Managing Directory-Based Identity Mapping for Users and Groups (Task Map) section in the Solaris CIFS Administration Guide.
Microsoft offers a feature called "Identity Management for UNIX" (IDMU). It is available as a separate download for Windows Server 2003 and is bundled with Windows Server 2003 R2 and later; in its unbundled form it was part of what was called "Services for UNIX". Microsoft later deprecated IDMU in Windows Server 2012 R2 and removed it in Windows Server 2016; the schema attributes described below remain in AD, but the management UI and the NIS server component do not.
The primary use of IDMU is to let a Windows server act as a NIS and NFS server. IDMU adds a "UNIX Attributes" tab to the Active Directory Users and Computers user interface through which an administrator can set a number of UNIX-related parameters: UID, GID, login shell and home directory for users, and the corresponding values for groups. These parameters are published in AD through a schema similar to (but not identical to) RFC 2307, and through the NIS service. For example, the UID and GID use the RFC 2307 attribute names uidNumber and gidNumber, while the home directory is stored as unixHomeDirectory because the RFC 2307 name homeDirectory was already in use in the AD schema for the Windows home folder path.
When the IDMU mapping mode is selected, the identity mapping service consumes these UNIX attributes to establish mappings between Windows and Unix identities. This approach is very similar to directory-based mapping, except that the service reads the attribute schema established by IDMU instead of administrator-configured attribute names. When IDMU mode is in use, no other directory-based mapping may take place. In either directory-backed mode, whoever can write these attributes on a directory object controls which Unix identity the Windows account receives on the server, so write access to them deserves the same scrutiny as membership of privileged groups.
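Both directory-backed modes trust attribute values held in the directory, so an added example follows (it is not code from the original page or from the identity mapping service). It models the two lookups in Python, IDMU mode reading uidNumber directly and directory-based mode reading a Unix name that must still resolve through the name service, and then audits a constructed set of AD objects for UNIX attributes that would hand a Windows account a privileged or shared Unix identity. The object layout, the `unixUserName` attribute name and the `PASSWD` table are constructed assumptions; `uidNumber` and `gidNumber` are the actual IDMU/RFC 2307 attribute names.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed directory objects, shaped like the attributes a search against AD
# would return. IDMU on Windows Server 2003 R2 and later stores POSIX data under
# the RFC 2307 names uidNumber and gidNumber. "unixUserName" is a hypothetical
# custom attribute standing in for whatever the administrator configures as the
# "AD Attribute - Unix User Name" property in directory-based mode.
AD_OBJECTS: List[Dict] = [
    {"sAMAccountName": "jdoe", "uidNumber": 1001, "gidNumber": 100, "unixUserName": "jdoe"},
    {"sAMAccountName": "asmith", "uidNumber": 1002, "gidNumber": 100, "unixUserName": "asmith"},
    {"sAMAccountName": "svc-backup", "uidNumber": 0, "gidNumber": 0, "unixUserName": "root"},
    {"sAMAccountName": "intern", "uidNumber": 1001, "gidNumber": 100},   # collides with jdoe
    {"sAMAccountName": "guest1"},                                       # no UNIX attributes
]

# Constructed stand-in for the Unix name service on the file server.
PASSWD: Dict[str, int] = {"root": 0, "jdoe": 1001, "asmith": 1002}


def resolve_idmu(obj: Dict) -> Tuple[str, Optional[int]]:
    """IDMU mode: the UID is uidNumber itself, read straight from the object.
    An object without the attribute falls back to an ephemeral mapping."""
    uid = obj.get("uidNumber")
    return ("idmu", int(uid)) if uid is not None else ("ephemeral", None)


def resolve_directory(obj: Dict, attr: str = "unixUserName",
                      passwd: Dict[str, int] = PASSWD) -> Tuple[str, Optional[int]]:
    """Directory-based mode: the configured attribute holds a Unix *name*, which
    still has to exist in the name service before it yields a UID."""
    name = obj.get(attr)
    if name is None or name not in passwd:
        return ("ephemeral", None)
    return ("directory", passwd[name])


def audit(objects: List[Dict], passwd: Dict[str, int] = PASSWD) -> List[str]:
    """Flag objects whose UNIX attributes would give a Windows account a privileged
    or shared Unix identity. Whoever can write these attributes decides the UID."""
    findings: List[str] = []
    uid_owners = Counter(o["uidNumber"] for o in objects if "uidNumber" in o)
    for o in objects:
        who = o["sAMAccountName"]
        mode, uid = resolve_idmu(o)
        if mode == "idmu":
            if uid == 0:
                findings.append(f"{who}: uidNumber 0 maps this Windows account to root")
            if uid_owners[uid] > 1:
                findings.append(f"{who}: uidNumber {uid} is shared by {uid_owners[uid]} objects")
        mode, uid = resolve_directory(o, passwd=passwd)
        if mode == "directory" and uid == 0:
            findings.append(f"{who}: unixUserName resolves to UID 0")
    return findings


if __name__ == "__main__":
    for o in AD_OBJECTS:
        print(o["sAMAccountName"], "IDMU:", resolve_idmu(o), "directory:", resolve_directory(o))
    for finding in audit(AD_OBJECTS):
        print("FINDING:", finding)
```

Against the constructed data the audit reports four findings: the shared uidNumber 1001 (once for each of the two objects that carry it) and, for the service account, both a uidNumber of 0 and a unixUserName that resolves to UID 0. The same checks run over a real directory export are a cheap way to confirm that no ordinary account has been given a privileged Unix identity through either mode.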