Creating a Mapping Rule (CLI)

Language:

Use the following procedure to grant or deny credentials for specific users through the identity mapping service. An "allow" mapping rule grants Windows identity credentials from a UNIX identity or vice versa. A "deny" mapping rule blocks a Windows identity from receiving the credentials of a UNIX identity or vice versa.

Note - if you create a mapping rule that blocks a particular user and the user's name then changes, the mapping no longer blocks that user.

Before You Begin

Configure rule-based mapping as described in Configuring Identity Mapping (CLI).

Go to configuration services idmap.

Enter create.

hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)>

Set the properties appropriately.
You can use the list command to view the available properties.
```
hostname:configuration services idmap (uncommitted)> list
Properties:
                     windomain = (unset)
                       winname = (unset)
                     direction = (unset)
                      unixname = (unset)
                      unixtype = (unset)
```
1. windomain - Active Directory domain of the Windows identity.
2. winname - Set to one of the following options.
  - To create an "allow" mapping, set winname to the name of the Windows identity.
    Enter * to indicate all users within the specified domain.
  - To create a "deny" mapping that blocks a UNIX identity from receiving the credentials of a Windows identity, set to the name of the Windows identity.
  - To create a "deny" mapping that blocks a Windows identity from receiving the credentials of a UNIX identity, do not set winname.
3. direction - Set to the direction of the mapping:
  - win2unix - Mapping from Windows to UNIX
  - unix2win - Mapping from UNIX to Windows
  - bi - Bidirectional mapping
4. unixname - Set to one of the following options:
  - To create an "allow" mapping, set to the name of the UNIX identity, or enter * to indicate all users of the specified type.
  - To create a "deny" mapping that blocks a Windows identity from receiving the credentials of a UNIX identity, set to the name of the UNIX identity.
  - To create a "deny" mapping that blocks a UNIX identity from receiving the credentials of a Windows identity, do not set unixname.
5. unixtype - Set to either user or group for the UNIX identity type.
```
hostname:configuration services idmap (uncommitted)> set windomain=demo.domain.com
hostname:configuration services idmap (uncommitted)> set winname=*
hostname:configuration services idmap (uncommitted)> set direction=win2unix
hostname:configuration services idmap (uncommitted)> set unixname=
hostname:configuration services idmap (uncommitted)> set unixtype=user
```

Enter commit to commit the changes and create the mapping rule.

hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap>

You can use the list command to view the new rule in the Rules list.

hostname:configuration services idmap> list

MAPPING      WINDOWS ENTITY              DIRECTION        UNIX ENTITY
idmap-000    Alice@demo.domain.com       (U) ==           wdp (U)
idmap-001    *@demo.domain.com           (U) =>    "" (U)

Example 13 Creating a Bi-Directional Mapping (CLI)

This example creates a bi-directional name-based mapping between a Windows user and UNIX user.

hostname:> configuration services idmap 
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> set
   windomain=eng.fishworks.com
hostname:configuration services idmap (uncommitted)> set winname=Bill
hostname:configuration services idmap (uncommitted)> set direction=bi 
hostname:configuration services idmap (uncommitted)> set unixname=wdp
hostname:configuration services idmap (uncommitted)> set unixtype=user 
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
idmap-000    Bill@eng.fishworks.com        (U) ==           wdp (U)

Example 14 Creating a Deny Mapping (CLI)

This example creates a deny mapping to prevent all Windows users in a domain from obtaining credentials.

hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> list
Properties:
                     windomain = (unset)
                       winname = (unset)
                     direction = (unset)
                      unixname = (unset)
                      unixtype = (unset)

hostname:configuration services idmap (uncommitted)> set
   windomain=guest.fishworks.com
hostname:configuration services idmap (uncommitted)> set winname=*
hostname:configuration services idmap (uncommitted)> set direction=win2unix 
hostname:configuration services idmap (uncommitted)> set unixname=
hostname:configuration services idmap (uncommitted)> set unixtype=user 
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
idmap-000    Bill@eng.fishworks.com        (U) ==           wdp (U)
idmap-001    *@guest.fishworks.com         (U) =>           "" (U)