Use the following procedure to grant or deny credentials for specific users through the identity mapping service. An "allow" mapping rule grants Windows identity credentials from a UNIX identity or vice versa. A "deny" mapping rule blocks a Windows identity from receiving the credentials of a UNIX identity or vice versa.
Before You Begin
Configure rule-based mapping as described in Configuring Identity Mapping (CLI).
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)>
You can use the list command to view the available properties.
hostname:configuration services idmap (uncommitted)> list
Properties:
    windomain = (unset)
    winname = (unset)
    direction = (unset)
    unixname = (unset)
    unixtype = (unset)
Enter * to indicate all users within the specified domain.
win2unix - Mapping from Windows to UNIX
unix2win - Mapping from UNIX to Windows
bi - Bidirectional mapping
hostname:configuration services idmap (uncommitted)> set windomain=demo.domain.com
hostname:configuration services idmap (uncommitted)> set winname=*
hostname:configuration services idmap (uncommitted)> set direction=win2unix
hostname:configuration services idmap (uncommitted)> set unixname=
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap>
You can use the list command to view the new rule in the Rules list.
hostname:configuration services idmap> list
MAPPING    WINDOWS ENTITY              DIRECTION  UNIX ENTITY
idmap-000  Alice@demo.domain.com (U)   ==         wdp (U)
idmap-001  *@demo.domain.com (U)       =>         "" (U)
This example creates a bidirectional name-based mapping between a Windows user and a UNIX user.
hostname:> configuration services idmap
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> set windomain=eng.fishworks.com
hostname:configuration services idmap (uncommitted)> set winname=Bill
hostname:configuration services idmap (uncommitted)> set direction=bi
hostname:configuration services idmap (uncommitted)> set unixname=wdp
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING    WINDOWS ENTITY              DIRECTION  UNIX ENTITY
idmap-000  Bill@eng.fishworks.com (U)  ==         wdp (U)
Example 14 Creating a Deny Mapping (CLI)
This example creates a deny mapping to prevent all Windows users in a domain from obtaining credentials.
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> list
Properties:
    windomain = (unset)
    winname = (unset)
    direction = (unset)
    unixname = (unset)
    unixtype = (unset)
hostname:configuration services idmap (uncommitted)> set windomain=guest.fishworks.com
hostname:configuration services idmap (uncommitted)> set winname=*
hostname:configuration services idmap (uncommitted)> set direction=win2unix
hostname:configuration services idmap (uncommitted)> set unixname=
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING    WINDOWS ENTITY              DIRECTION  UNIX ENTITY
idmap-000  Bill@eng.fishworks.com (U)  ==         wdp (U)
idmap-001  *@guest.fishworks.com (U)   =>         "" (U)
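The two listings above show how the rule table encodes what the procedure configures: a bidirectional rule prints as ==, a win2unix rule as =>, and a deny rule is the one whose UNIX entity is "" (the empty unixname). The following parser, added here as an illustration and not part of the appliance's own tooling, reads a copied list output into structured rules and flags wildcard allow rules that would hand a privileged UNIX identity to every user in a Windows domain. The sample listing is constructed from the examples on this page plus one extra rule; the <= arrow for unix2win and the set of privileged UNIX names are assumptions, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample of `configuration services idmap> list` output, modelled
# on the listings in the procedure above; idmap-002 is added to give the
# audit something to flag.
SAMPLE_LISTING = """\
MAPPING    WINDOWS ENTITY              DIRECTION  UNIX ENTITY
idmap-000  Bill@eng.fishworks.com (U)  ==         wdp (U)
idmap-001  *@guest.fishworks.com (U)   =>         "" (U)
idmap-002  *@eng.fishworks.com (U)     =>         root (U)
"""

# Direction column as shown on the page: "=>" is win2unix, "==" is bi.
# "<=" for unix2win is an assumption (not shown in the page's listings).
DIRECTIONS = {"=>": "win2unix", "<=": "unix2win", "==": "bi"}

RULE_RE = re.compile(
    r'^(?P<id>idmap-\d+)\s+'
    r'(?P<winname>\S+)@(?P<windomain>\S+)\s+\((?P<wintype>[UG])\)\s+'
    r'(?P<arrow>==|=>|<=)\s+'
    r'(?P<unixname>""|\S+)\s+\((?P<unixtype>[UG])\)\s*$'
)


@dataclass
class Rule:
    rule_id: str
    winname: str
    windomain: str
    direction: str
    unixname: str   # "" for a deny rule (unixname left empty in the CLI)
    unixtype: str   # "user" or "group"

    @property
    def is_deny(self) -> bool:
        return self.unixname == ""

    @property
    def is_wildcard(self) -> bool:
        # winname=* matches all users in the Windows domain
        return self.winname == "*"


def parse_rules(listing: str) -> List[Rule]:
    """Turn the text of a `list` command into Rule objects; header and
    blank lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        unixname = "" if m["unixname"] == '""' else m["unixname"]
        rules.append(Rule(
            rule_id=m["id"],
            winname=m["winname"],
            windomain=m["windomain"],
            direction=DIRECTIONS[m["arrow"]],
            unixname=unixname,
            unixtype="user" if m["unixtype"] == "U" else "group",
        ))
    return rules


def audit_rules(rules: Sequence[Rule], privileged: Sequence[str] = ("root",)) -> List[str]:
    """Report allow rules that map every user of a Windows domain onto a
    privileged UNIX identity. The default privileged set is an assumption;
    adjust it to the accounts that matter on the appliance."""
    findings = []
    for r in rules:
        if r.is_wildcard and not r.is_deny and r.unixname in privileged:
            findings.append(
                f"{r.rule_id}: *@{r.windomain} -> {r.unixname} ({r.direction})"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_LISTING)
    for rule in parsed:
        kind = "deny" if rule.is_deny else "allow"
        print(f"{rule.rule_id} {kind:5} {rule.direction:8} "
              f"{rule.winname}@{rule.windomain} -> {rule.unixname or '(none)'}")
    for finding in audit_rules(parsed):
        print("FLAG", finding)
```

Paste the output of list into SAMPLE_LISTING (or read it from a file) to review the rule set of a real appliance; the parser keys on the "" UNIX entity to recognise a deny rule, exactly as the deny example above prints it.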