To look up users and groups in the LDAP directory, the appliance uses a search descriptor and must know which object classes identify users and groups and which attributes hold the properties it needs. By default, the appliance uses the object classes specified by RFC 2307 (posixAccount and posixGroup) and default search descriptors built from the Base search DN and Search scope properties; both the object classes and the search descriptors can be customized for environments whose schema differs. The base search DN used in the examples below is dc=example,dc=com.
The search descriptor, object classes, and attributes can be customized using the Schema definition property. To override the default search descriptor, enter the entire DN you wish to use. The appliance uses this value unmodified and ignores the values of the Base search DN and Search scope properties. To override user, group, and netgroup attributes and object classes, choose the appropriate tab ("Users", "Groups", or "Netgroups") and specify mappings using the syntax default = new, where default is the name the appliance uses by default and new is the name used in your directory. A mapping to a class or attribute the directory does not actually use produces no error at configuration time; the search simply returns no matching entries, so verify the names against the directory (for example with ldapsearch) before committing the change. For example:
To use unixaccount instead of posixAccount as the user object class, enter posixAccount = unixaccount in Object class mappings on the Users tab.
To use employeenumber instead of uid as the attribute for user objects, enter uid = employeenumber in Attribute mappings on the Users tab.
To use unixgroup instead of posixGroup as the group object class, enter posixGroup = unixgroup in Object class mappings on the Groups tab.
To use groupaccount instead of cn as the attribute for group objects, enter cn = groupaccount in Attribute mappings on the Groups tab.
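The following Python script is an added example, not code from the appliance or its documentation. It models what the mappings above do to a lookup: it parses default = new lines, builds the search base, filter and attribute list a user or group lookup would use once the mappings are applied, honours the rule that an override DN is used unmodified (the subtree scope it returns in that case is an assumption of the example), escapes the login name per RFC 4515 so it cannot alter the filter, and translates a returned entry back to RFC 2307 names, returning None when a mapped attribute is missing. The directory entry is constructed for the demo; the function names are the example's own.

```python
import re

# Canonical RFC 2307 names the appliance uses by default (from the page).
DEFAULT_USER_CLASS = "posixAccount"
DEFAULT_GROUP_CLASS = "posixGroup"
USER_ATTRS = ["uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]
GROUP_ATTRS = ["cn", "gidNumber", "memberUid", "member", "uniqueMember"]
_NAME = r"[A-Za-z][A-Za-z0-9-]*"  # LDAP attribute / object class descriptor


def parse_mappings(text):
    """Parse 'default = new' lines into {default.lower(): new}.

    Malformed lines and duplicate defaults raise instead of being skipped:
    a mapping that silently fails to apply shows up later as "no such user",
    not as a configuration error.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(rf"({_NAME})\s*=\s*({_NAME})", line)
        if not m:
            raise ValueError(f"malformed mapping line: {line!r}")
        default = m.group(1).lower()  # LDAP names are case-insensitive
        if default in mapping:
            raise ValueError(f"duplicate mapping for {m.group(1)!r}")
        mapping[default] = m.group(2)
    return mapping


def mapped(mapping, default_name):
    """The directory's name for a canonical name, or the canonical name itself."""
    return mapping.get(default_name.lower(), default_name)


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value, so a login name such as
    '*)(uid=*' cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def effective_search_base(base_dn, scope, override_dn=None):
    """Where a lookup is performed.

    Without an override the search runs under the Base search DN with the
    configured Search scope. With the Schema definition override DN set, that
    DN is used unmodified and Base search DN / Search scope are ignored; the
    'sub' scope returned for that case is an assumption of this example.
    """
    if override_dn:
        return override_dn, "sub"
    return base_dn, scope


def _lookup(default_class, key_attr, key_value, attrs, base_dn, scope,
            class_map, attr_map, override_dn):
    base, eff_scope = effective_search_base(base_dn, scope, override_dn)
    oc = mapped(class_map, default_class)
    key = mapped(attr_map, key_attr)
    return {
        "base": base,
        "scope": eff_scope,
        "filter": f"(&(objectClass={oc})({key}={escape_filter_value(key_value)}))",
        "attrs": [mapped(attr_map, a) for a in attrs],
    }


def user_lookup(login, base_dn, scope, class_map, attr_map, override_dn=None):
    """The search that would be issued to resolve one user by login name."""
    return _lookup(DEFAULT_USER_CLASS, "uid", login, USER_ATTRS,
                   base_dn, scope, class_map, attr_map, override_dn)


def group_lookup(name, base_dn, scope, class_map, attr_map, override_dn=None):
    """The search that would be issued to resolve one group by name."""
    return _lookup(DEFAULT_GROUP_CLASS, "cn", name, GROUP_ATTRS,
                   base_dn, scope, class_map, attr_map, override_dn)


def canonicalize(entry, attr_map, required):
    """Translate a returned entry back to RFC 2307 attribute names.

    Returns None when a required attribute is absent under its mapped name:
    the mapping does not match what the directory stores, so the entry
    cannot be used as a user or group.
    """
    lower = {k.lower(): v for k, v in entry.items()}
    out = {}
    for name in required:
        value = lower.get(mapped(attr_map, name).lower())
        if value is None:
            return None
        out[name] = value
    return out


# Constructed directory entry for the demo, not captured from a real server.
SAMPLE_ENTRY = {
    "objectClass": ["top", "unixaccount"],
    "employeenumber": ["jdoe"],
    "uidNumber": ["10001"],
    "gidNumber": ["5000"],
    "homeDirectory": ["/home/jdoe"],
}

if __name__ == "__main__":
    classes = parse_mappings("posixAccount = unixaccount")
    attrs = parse_mappings("uid = employeenumber")
    q = user_lookup("jdoe", "dc=example,dc=com", "sub", classes, attrs)
    print(q["base"], q["scope"], q["filter"], q["attrs"])
    print(canonicalize(SAMPLE_ENTRY, attrs, ["uid", "uidNumber", "gidNumber"]))
    print(canonicalize(SAMPLE_ENTRY, {}, ["uid", "uidNumber", "gidNumber"]))  # None: unmapped
```

The last call shows the failure mode to watch for: with the directory storing the login name in employeenumber but no uid mapping configured, the entry is found by the search yet cannot be turned into a user, which from the outside looks the same as the user not existing.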
The following is a list of object classes and attributes that you might want to map:
Classes
posixAccount
posixGroup
shadowAccount
Attributes - Users
uid
uidNumber
gidNumber
gecos
homeDirectory
loginShell
userPassword
Attributes - Groups
uid
memberUid
cn
userPassword
gidNumber
member
uniqueMember
memberOf
isMemberOf