Before You Begin
Before you can enable directory-based mapping on your Oracle Solaris system, you must extend the AD schema, the native LDAP schema, or both, and populate the user and group objects with the associated Oracle Solaris names. See "How to Extend the Active Directory Schema, and User and Group Entries" and "How to Extend the Native LDAP Schema, and User and Group Entries".
# svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: name
The directory_based_mapping property controls support for identity mapping that uses data stored in a directory service. The value of the directory_based_mapping property can be one of the following:
none – Disables directory-based mapping.
name – Enables name-based mapping by using the config/ad_unixuser_attr, config/ad_unixgroup_attr, and config/nldap_winname_attr properties. These properties are described on the idmap(1M) man page.
idmu – Enables mapping by using Identity Management for UNIX (IDMU).
In an environment that stores user and group name information in both Active Directory and native LDAP, issue the commands for each naming service.
# svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: \
attribute-name
# svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: \
attribute-name
attribute-name is the attribute name for the UNIX user or group name to be stored in AD.
The following example specifies the unixGroupName and unixUserName attribute names for the UNIX group and user names, respectively.
# svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: \
unixGroupName
# svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: \
unixUserName
# svccfg -s svc:/system/idmap setprop \
config/nldap_winname_attr=astring: attribute-name
attribute-name is the attribute name for the Windows name to be stored in native LDAP.
The following example specifies the winAccountName attribute name for the Windows name.
# svccfg -s svc:/system/idmap setprop \
config/nldap_winname_attr=astring: winAccountName
# svcadm refresh svc:/system/idmap
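The whole procedure above, applied in one place as an added example script that is not part of the Oracle Solaris documentation or of idmap itself. It assumes a POSIX sh, the svccfg and svcadm commands shown on this page, and a hypothetical IDMAP_RUN variable that lets you print the commands instead of changing the live SMF repository; attribute names are checked first, because a mistyped attribute does not fail at setprop time but leaves name-based mapping silently unable to find the UNIX or Windows names.

```shell
#!/bin/sh
# Added example: configure idmap directory-based mapping with validation.
# Usage: idmap_dbm_configure MODE AD_USER_ATTR AD_GROUP_ATTR NLDAP_WIN_ATTR
# MODE is none, name or idmu; the attribute arguments are only applied when
# MODE=name, and an empty argument leaves that property untouched.
# Commands run through $IDMAP_RUN (hypothetical; default "sh -c"), so
# IDMAP_RUN=echo prints the svccfg/svcadm commands instead of running them.

IDMAP_FMRI="svc:/system/idmap"
IDMAP_RUN="${IDMAP_RUN:-sh -c}"

# LDAP attribute names: a letter followed by letters, digits or hyphens.
idmap_valid_attr() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9-]*) return 1 ;;
        [A-Za-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = SMF property, $2 = astring value; identical form to the page's commands.
idmap_setprop() {
    $IDMAP_RUN "svccfg -s $IDMAP_FMRI setprop $1=astring: $2"
}

idmap_dbm_configure() {
    mode="$1"; ad_user="$2"; ad_group="$3"; nldap_win="$4"
    case "$mode" in
        none|name|idmu) ;;
        *) echo "directory_based_mapping must be none, name or idmu" >&2; return 2 ;;
    esac
    if [ "$mode" = name ]; then
        for a in "$ad_user" "$ad_group" "$nldap_win"; do
            if [ -n "$a" ] && ! idmap_valid_attr "$a"; then
                echo "invalid attribute name: $a" >&2; return 2
            fi
        done
    fi
    idmap_setprop config/directory_based_mapping "$mode" || return 1
    if [ "$mode" = name ]; then
        [ -n "$ad_user" ]   && idmap_setprop config/ad_unixuser_attr "$ad_user"
        [ -n "$ad_group" ]  && idmap_setprop config/ad_unixgroup_attr "$ad_group"
        [ -n "$nldap_win" ] && idmap_setprop config/nldap_winname_attr "$nldap_win"
    fi
    # Nothing takes effect until the service re-reads its configuration.
    $IDMAP_RUN "svcadm refresh $IDMAP_FMRI"
}
```

Run as root with IDMAP_RUN unset to apply the settings, or with IDMAP_RUN=echo to review the exact commands first.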