This procedure describes how to extend the AD schema and populate the user and group objects with the associated Oracle Solaris names.
For sample LDIF file contents, see Example 2, Extending the AD Schema. Also see "Extending Your Active Directory Schema in Windows Server 2003 R2" and "Step-by-Step Guide to Using Active Directory Schema and Display Specifiers" on the Microsoft TechNet web site.
C:\> ldifde -v -i -f input-file
You can also use the idmap set-namemap command to populate user and group objects. See How to Add a Directory-Based Name Mapping to a User or Group Object.
You can also use any of the Windows AD utilities to populate these objects.
See the sample LDIF file in Example 3, Populating AD User and Group Objects. For more information about the LDIF file format, see RFC 2849, The LDAP Data Interchange Format (LDIF).
The ldapmodify command authenticates with the Kerberos principal for which you obtained a TGT with kinit, and uses it to update the AD objects described in the file you created.
For example:
$ kinit Administrator
Password for Administrator@EXAMPLE.COM:
$ ldapmodify -h AD-server-name -o mech=gssapi -o authzid='' -f input-file
This example shows a sample LDIF file, ad_namemap_schema.ldif, that describes the AD schema changes.
dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixUserName
adminDescription: This attribute contains the object's UNIX username
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixGroupName
adminDescription: This attribute contains the object's UNIX groupname
objectClass: attributeSchema
oMSyntax: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
adminDescription: Auxiliary class to store UNIX name info in AD
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top
Load the schema changes into AD from the Windows server:
C:\> ldifde -v -i -f ad_namemap_schema.ldif

Example 3 Populating AD User and Group Objects
This example shows how to add Oracle Solaris user names to the appropriate user objects in AD by using the ldapmodify command. Windows users john, george, and mary are stored in Active Directory. These Windows users are associated with the Oracle Solaris users tmw, crj, and dab, respectively.
First, create an input file, updateUsers, that associates the Windows names with the Oracle Solaris names:
$ cat updateUsers
dn: CN=John Smith,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: tmw

dn: CN=George Abbot,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: crj

dn: CN=Mary Jones,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: dab
$
Next, use the kinit command to obtain a TGT for a privileged principal:
$ kinit Administrator
Password for Administrator@EXAMPLE.COM:
Finally, run the ldapmodify command to update the user objects on the AD server, saturn:
$ ldapmodify -h saturn -o mech=gssapi -o authzid='' -f updateUsers
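When the Windows-to-Solaris mapping table comes from a provisioning system rather than being typed by hand, the updateUsers records are better generated than edited. The following Python script is an added example, not part of the Oracle documentation; it emits the same changetype: modify records for users (unixUserName) and groups (unixGroupName), base64-encodes any value that RFC 2849 does not permit as a plain SAFE-STRING, and rejects Solaris names that could smuggle extra LDIF records into the file. The function name build_namemap_ldif, the name pattern and the Staff group are assumptions.

```python
import base64
import re

# From the page: user objects get unixUserName, group objects get
# unixGroupName (both mayContain attributes of the unixNameInfo class).
_ATTR_FOR_KIND = {"user": "unixUserName", "group": "unixGroupName"}

# Assumed conservative Solaris login-name pattern (ASCII letters, digits,
# '_', '-', '.', at most 32 chars). A name that passes can never contain a
# line break, so it cannot inject a second "dn:" record into the LDIF.
_SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}$")


def _ldif_value_line(attr, value):
    """One attribute line per RFC 2849: values that are not SAFE-STRINGs
    (leading space, ':' or '<'; any non-ASCII, NUL, CR or LF) are written
    base64-encoded with the '::' separator instead of being emitted raw."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe_start or unsafe_char:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def build_namemap_ldif(mappings):
    """mappings: iterable of (ad_dn, kind, solaris_name), kind 'user' or
    'group'. Returns LDIF text with one changetype: modify record per DN
    that adds the matching unixNameInfo attribute to the AD object."""
    records = []
    for ad_dn, kind, solaris_name in mappings:
        attr = _ATTR_FOR_KIND[kind]  # KeyError for anything but user/group
        if not _SAFE_NAME.match(solaris_name):
            raise ValueError(f"refusing unsafe Solaris name: {solaris_name!r}")
        records.append("\n".join([
            _ldif_value_line("dn", ad_dn),  # odd DN chars get base64, not raw
            "changetype: modify",
            f"add: {attr}",
            _ldif_value_line(attr, solaris_name),
        ]))
    return "\n\n".join(records) + "\n"


# Constructed sample: the three users from the page plus an assumed group.
SAMPLE_MAPPINGS = [
    ("CN=John Smith,CN=Users,DC=example,DC=com", "user", "tmw"),
    ("CN=George Abbot,CN=Users,DC=example,DC=com", "user", "crj"),
    ("CN=Mary Jones,CN=Users,DC=example,DC=com", "user", "dab"),
    ("CN=Staff,CN=Users,DC=example,DC=com", "group", "staff"),
]
```

Write the returned text to a file and pass it to ldapmodify -f exactly as in the procedure above; the first three records are byte-for-byte the updateUsers entries shown earlier.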