How to Extend the Active Directory Schema, and User and Group Entries
This procedure describes how to extend the AD schema and populate the user and group objects with the associated Oracle Solaris names.
Note:
Perform this task before enabling directory-based mapping on your Oracle Solaris system.
Example 2-1 Extending the AD Schema
This example shows a sample LDIF file, ad_namemap_schema.ldif, that describes the AD schema changes.
dn: CN=unixUserName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixUserName
adminDescription: This attribute contains the object's UNIX username
objectClass: attributeSchema
oMSyntax: 27

dn: CN=unixGroupName, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.61
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: unixGroupName
adminDescription: This attribute contains the object's UNIX groupname
objectClass: attributeSchema
oMSyntax: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=unixNameInfo, CN=Schema, CN=Configuration, DC=example, DC=com
changetype: add
governsID: 1.3.6.1.4.1.42.2.27.5.2.15
lDAPDisplayName: unixNameInfo
adminDescription: Auxiliary class to store UNIX name info in AD
mayContain: unixUserName
mayContain: unixGroupName
objectClass: classSchema
objectClassCategory: 3
subClassOf: top
Load the schema changes into AD from the Windows server:
C:\> ldifde -v -i -f ad_namemap_schema.ldif
Example 2-2 Populating AD User and Group Objects
This example shows how to add Oracle Solaris user names to the appropriate user objects in AD by using the ldapmodify command. Windows users user1, user2, and user3 are stored in Active Directory. These Windows users are associated with the Oracle Solaris users uone, utwo, and uthree, respectively.
First, create an input file, updateUsers, that associates the Windows names with the Oracle Solaris names:
$ cat updateUsers
dn: CN=User One,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: uone

dn: CN=User Two,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: utwo

dn: CN=User Three,CN=Users,DC=example,DC=com
changetype: modify
add: unixUserName
unixUserName: uthree
Next, use the kinit command to obtain a TGT for a privileged principal:
$ kinit Administrator
Password for Administrator@EXAMPLE.COM:
Finally, run the ldapmodify command to update the user objects on the AD server, saturn:
$ ldapmodify -h saturn -o mech=gssapi -o authzid='' -f updateUsers
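As an added example (not part of the Oracle documentation), the following Python script generates an ldapmodify input file in the same shape as updateUsers from a DN-to-Solaris-name mapping, covering both unixUserName and the unixGroupName attribute that the schema extension also defines. It checks that each name is a plausible UNIX name before writing it, so a bad mapping is rejected locally rather than loaded into AD. The group DN and the name eng are constructed sample values.

```python
import re
from typing import Dict

# Attributes defined by the ad_namemap_schema.ldif extension above.
USER_ATTR = "unixUserName"
GROUP_ATTR = "unixGroupName"

# Conservative POSIX-style name check: lower-case letters, digits, '_' and '-',
# up to 32 characters. It also rejects line breaks, which would break LDIF framing.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_unix_name(name: str) -> bool:
    """Return True if name is acceptable as a Solaris user or group name."""
    return bool(_NAME_RE.match(name))


def ldif_modify_record(dn: str, attr: str, value: str) -> str:
    """Return one LDIF 'changetype: modify' record adding attr=value to dn."""
    if not is_valid_unix_name(value):
        raise ValueError(f"refusing to write invalid UNIX name {value!r} for {dn}")
    if "\n" in dn or "\r" in dn:
        raise ValueError(f"DN contains a line break: {dn!r}")
    return f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {value}\n"


def build_namemap_ldif(users: Dict[str, str], groups: Dict[str, str]) -> str:
    """Build ldapmodify input like updateUsers for user and group objects.

    users/groups map the AD object's DN to its Oracle Solaris name. Records are
    separated by a blank line, as LDIF requires for multi-record input.
    """
    records = [ldif_modify_record(dn, USER_ATTR, n) for dn, n in users.items()]
    records += [ldif_modify_record(dn, GROUP_ATTR, n) for dn, n in groups.items()]
    return "\n".join(records)


# Constructed sample mapping: the three users from Example 2-2 plus a hypothetical group.
SAMPLE_USERS = {
    "CN=User One,CN=Users,DC=example,DC=com": "uone",
    "CN=User Two,CN=Users,DC=example,DC=com": "utwo",
    "CN=User Three,CN=Users,DC=example,DC=com": "uthree",
}
SAMPLE_GROUPS = {"CN=Engineering,CN=Users,DC=example,DC=com": "eng"}

if __name__ == "__main__":
    # Write the file that the ldapmodify step then loads with -f.
    with open("updateUsers", "w") as f:
        f.write(build_namemap_ldif(SAMPLE_USERS, SAMPLE_GROUPS))
```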