Creating a Mapping Rule (CLI)

Use the following procedure to grant or deny credentials for specific users through the identity mapping service. An "allow" mapping rule grants a Windows identity the credentials of a UNIX identity, or vice versa. A "deny" mapping rule blocks a Windows identity from receiving the credentials of a UNIX identity, or vice versa.

Note:

Mapping rules match identities by name. If you create a mapping rule that blocks a particular user and that user's name later changes, the rule no longer blocks that user.

Before You Begin

Configure rule-based mapping as described in Configuring Identity Mapping (CLI).

  1. Go to configuration services idmap.
  2. Enter create.
    hostname:configuration services idmap> create
    hostname:configuration services idmap (uncommitted)>
  3. Set the properties appropriately.

    You can use the list command to view the available properties.

    hostname:configuration services idmap (uncommitted)> list
    Properties:
                         windomain = (unset)
                           winname = (unset)
                         direction = (unset)
                          unixname = (unset)
                          unixtype = (unset)
    1. windomain - Active Directory domain of the Windows identity.
    2. winname - Set to one of the following options:
      • To create an "allow" mapping, set winname to the name of the Windows identity.

        Enter * to indicate all users within the specified domain.

      • To create a "deny" mapping that blocks a UNIX identity from receiving the credentials of a Windows identity, set winname to the name of the Windows identity.
      • To create a "deny" mapping that blocks a Windows identity from receiving the credentials of a UNIX identity, do not set winname.
    3. direction - Set to the direction of the mapping:
      • win2unix - Mapping from Windows to UNIX
      • unix2win - Mapping from UNIX to Windows
      • bi - Bidirectional mapping
    4. unixname - Set to one of the following options:
      • To create an "allow" mapping, set unixname to the name of the UNIX identity, or enter * to indicate all users of the specified type.
      • To create a "deny" mapping that blocks a Windows identity from receiving the credentials of a UNIX identity, set unixname to the name of the UNIX identity.
      • To create a "deny" mapping that blocks a UNIX identity from receiving the credentials of a Windows identity, do not set unixname.
    5. unixtype - Set to either user or group for the UNIX identity type.
    hostname:configuration services idmap (uncommitted)> set windomain=demo.domain.com
    hostname:configuration services idmap (uncommitted)> set winname=*
    hostname:configuration services idmap (uncommitted)> set direction=win2unix
    hostname:configuration services idmap (uncommitted)> set unixname=
    hostname:configuration services idmap (uncommitted)> set unixtype=user
  4. Enter commit to commit the changes, and create the mapping rule.
    hostname:configuration services idmap (uncommitted)> commit
    hostname:configuration services idmap>

    You can use the list command to view the new rule in the Rules list.

    hostname:configuration services idmap> list
    
    MAPPING      WINDOWS ENTITY              DIRECTION        UNIX ENTITY
    idmap-000    Alice@demo.domain.com       (U) ==           wdp (U)
    idmap-001    *@demo.domain.com           (U) =>           ""  (U)

Example 3-1 Creating a Bi-Directional Mapping (CLI)

This example creates a bi-directional name-based mapping between a Windows user and UNIX user.

hostname:> configuration services idmap
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> set windomain=eng.example.com
hostname:configuration services idmap (uncommitted)> set winname=Bill
hostname:configuration services idmap (uncommitted)> set direction=bi
hostname:configuration services idmap (uncommitted)> set unixname=wdp
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
idmap-000    Bill@eng.example.com              (U) ==       wdp  (U)

Example 3-2 Creating a Deny Mapping (CLI)

This example creates a deny mapping to prevent all Windows users in a domain from obtaining credentials.

hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> list
Properties:
                     windomain = (unset)
                       winname = (unset)
                     direction = (unset)
                      unixname = (unset)
                      unixtype = (unset)

hostname:configuration services idmap (uncommitted)> set windomain=guest.example.com
hostname:configuration services idmap (uncommitted)> set winname=*
hostname:configuration services idmap (uncommitted)> set direction=win2unix
hostname:configuration services idmap (uncommitted)> set unixname=
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
idmap-000    Bill@eng.example.com              (U) ==       wdp  (U)
idmap-001    *@guest.example.com               (U) =>       ""   (U)
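The Rules list printed by the list command (as in the procedure above and in Examples 3-1 and 3-2) is the record an administrator reviews to confirm that a deny rule exists and that no allow rule is broader than intended. The following Python script is an added example, not part of this page or of the appliance software: it parses a constructed transcript in the same column layout, classifies each rule as deny, wildcard allow or named allow, and checks whether a given Windows identity is covered by a deny rule. Rows idmap-000 and idmap-001 mirror the table on this page; the remaining rows, the "<=" arrow for unix2win (the page shows only "==" and "=>") and case-insensitive name comparison are assumptions of the example. The deny check follows the reading of Example 3-2: a rule with winname set, unixname unset and direction win2unix or bi blocks the named Windows users.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of the appliance's `list` output. Rows idmap-000 and idmap-001
# mirror the table on this page; idmap-002 to idmap-004 are constructed, and the "<="
# arrow for unix2win is an assumption (the page only shows "==" and "=>").
SAMPLE_LIST_OUTPUT = """\
hostname:configuration services idmap> list

MAPPING      WINDOWS ENTITY              DIRECTION        UNIX ENTITY
idmap-000    Alice@demo.domain.com       (U) ==           wdp (U)
idmap-001    *@demo.domain.com           (U) =>           ""  (U)
idmap-002    *@corp.example.com          (U) ==           * (U)
idmap-003    Bob@corp.example.com        (U) <=           bob (U)
idmap-004    Mallory@corp.example.com    (U) =>           ""  (U)
"""

DIRECTION_ARROWS = {"==": "bi", "=>": "win2unix", "<=": "unix2win"}

ROW_RE = re.compile(
    r"^(?P<rule>idmap-\d+)\s+"
    r"(?P<win>\S+)\s+\((?P<win_type>\w)\)\s+"
    r"(?P<arrow>==|=>|<=)\s+"
    r"(?P<unix>\S+)\s+\((?P<unix_type>\w)\)$"
)


@dataclass(frozen=True)
class MappingRule:
    rule_id: str
    windows_entity: str   # "name@domain", or "*@domain" for every user in the domain
    direction: str        # bi, win2unix or unix2win
    unix_entity: str      # UNIX name, "*" for all users of the type, or '""' when unset
    unix_type: str        # type letter as printed, e.g. U

    @property
    def is_deny(self) -> bool:
        # A deny rule is created by leaving one side unset; `list` prints that side as "".
        return self.unix_entity == '""' or self.windows_entity.startswith('""')

    @property
    def is_wildcard_allow(self) -> bool:
        win_name = self.windows_entity.split("@", 1)[0]
        return not self.is_deny and (win_name == "*" or self.unix_entity == "*")


def parse_idmap_list(text: str) -> list[MappingRule]:
    """Return the rule rows of a `list` transcript; prompts, headers and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rules.append(MappingRule(m["rule"], m["win"], DIRECTION_ARROWS[m["arrow"]],
                                     m["unix"], m["unix_type"]))
    return rules


def audit_rules(rules: list[MappingRule]) -> dict[str, list[str]]:
    """Bucket rule ids so that domain-wide allow rules stand out for review."""
    report: dict[str, list[str]] = {"deny": [], "wildcard_allow": [], "named_allow": []}
    for r in rules:
        if r.is_deny:
            report["deny"].append(r.rule_id)
        elif r.is_wildcard_allow:
            report["wildcard_allow"].append(r.rule_id)
        else:
            report["named_allow"].append(r.rule_id)
    return report


def windows_identity_denied(rules: list[MappingRule], identity: str) -> bool:
    """True if a deny rule in the win2unix or bi direction names this Windows identity.

    Matching is by name only, as the rules themselves are: a renamed account no longer
    matches a rule that names the old account. Case-insensitive comparison is an
    assumption of this example.
    """
    name, _, domain = identity.partition("@")
    for r in rules:
        if not r.is_deny or r.direction == "unix2win":
            continue
        rule_name, _, rule_domain = r.windows_entity.partition("@")
        if rule_domain.casefold() != domain.casefold():
            continue
        if rule_name == "*" or rule_name.casefold() == name.casefold():
            return True
    return False


if __name__ == "__main__":
    parsed = parse_idmap_list(SAMPLE_LIST_OUTPUT)
    for bucket, ids in audit_rules(parsed).items():
        print(f"{bucket:15} {', '.join(ids) or '-'}")
    for who in ("Mallory@corp.example.com", "mallory.renamed@corp.example.com"):
        print(f"{who:35} denied={windows_identity_denied(parsed, who)}")
```

Running the script lists idmap-002 under wildcard_allow, which is the kind of domain-wide rule worth a second look, and shows that Mallory@corp.example.com is denied while mallory.renamed@corp.example.com is not, which is the behaviour the Note at the top of this page warns about.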