1. Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.4
  2. Setting Up Identity Mapping Between Windows and Oracle Solaris Systems
  3. Managing Directory-Based Name Mapping for Users and Groups
  4. How to Extend the Native LDAP Schema, and User and Group Entries

How to Extend the Native LDAP Schema, and User and Group Entries

This procedure describes how to extend the native LDAP schema and populate the user and group objects with the associated Windows names.

Note:

Perform this task before enabling directory-based mapping on your Oracle Solaris system.
  1. (Optional) Extend the native LDAP schema to add the new Windows user and group attributes.

    Note:

    If you do not want to extend the native LDAP schema, you can use an existing native LDAP schema attribute to store Windows user and group name information. For instance, if you already have a schema like the one in Example 2-3, you can use your attributes instead of creating new ones.
    1. Create an LDAP Data Interchange Format (LDIF) file to describe the native LDAP schema changes.

      For sample LDIF file contents, see Example 2-3.

    2. Load the schema changes into native LDAP.
      $ ldapmodify -h LDAP-server-name -W -f schema-input.ldif
  2. Populate the native LDAP user and group objects with the new attributes and their values.

    You can use the idmap set-namemap command to populate user and group objects. See How to Add a Directory-Based Name Mapping to a User or Group Object.

    1. Create an LDIF file to record the updates to the native LDAP user and group objects.

      See the sample LDIF file in Example 2-4. For more information about the LDIF file format, see RFC 2849.

    2. Update the user objects on the native LDAP server.
      $ ldapmodify -h LDAP-server-name -W -f user-input.ldif

Example 2-3 Extending the Native LDAP Schema

This example shows a sample LDIF file, nldap_namemap_schema.ldif, that describes the native LDAP schema changes: 

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.42.2.27.5.1.62
   NAME 'winAccountName'
   DESC 'Windows user or group name corresponding to a Unix user or group'
   EQUALITY caseIgnoreMatch
   SUBSTRINGS caseIgnoreSubstringsMatch
   ORDERING caseIgnoreOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.5.2.16
   NAME 'winAccount'
   DESC 'Auxiliary class to store Windows name mappings in Unix user/group objects'
   SUP top
   AUXILIARY
   MAY winAccountName )

Load the schema changes into native LDAP. In the following example, the -D option argument changes a value that is specified in the .ldif file. 

$ ldapmodify -h LDAP-server-name -D cn=admin -w - -f nldap_namemap_schema.ldif
Enter bind password:
modifying entry cn=schema

Example 2-4 Populating Native LDAP User and Group Objects

The following example has Oracle Solaris users uone, utwo, and uthree stored in native LDAP. These Oracle Solaris users are associated with the Windows users user1, user2, and user3, respectively, all in the domain example.com.

This example shows how to add the Windows user names to the appropriate user objects in native LDAP by using the ldapmodify command.

First, create an input file, updateUsers, that associates the Oracle Solaris names with the Windows names: 

$ cat updateUsers
dn: uid=uone,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountName
winAccountName: user1@example.com

dn: uid=utwo,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountName
winAccountName: user2@example.com

dn: uid=uthree,ou=passwd,dc=example,dc=com
changetype: modify
add: winAccountName
winAccountName: user3@example.com

Then, run the ldapmodify command to update the user objects on the native LDAP server, neptune: 

$ ldapmodify -h neptune -o mech=gssapi -o authzid='' -f updateUsers