Creating a Mapping Rule (CLI)
Use the following procedure to grant or deny credentials for specific users through the identity mapping service. An "allow" mapping rule grants Windows identity credentials from a UNIX identity or vice versa. A "deny" mapping rule blocks a Windows identity from receiving the credentials of a UNIX identity or vice versa.
Note:
If you create a mapping rule that blocks a particular user and the user's name then changes, the mapping no longer blocks that user.

Before You Begin
Configure rule-based mapping as described in Configuring Identity Mapping (CLI).
Example 3-1 Creating a Bi-Directional Mapping (CLI)
This example creates a bi-directional name-based mapping between a Windows user and UNIX user.
hostname:> configuration services idmap
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> set windomain=eng.example.com
hostname:configuration services idmap (uncommitted)> set winname=Bill
hostname:configuration services idmap (uncommitted)> set direction=bi
hostname:configuration services idmap (uncommitted)> set unixname=wdp
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING    WINDOWS ENTITY            DIRECTION  UNIX ENTITY
idmap-000  Bill@eng.example.com (U)  ==         wdp (U)
Example 3-2 Creating a Deny Mapping (CLI)
This example creates a deny mapping to prevent all Windows users in a domain from obtaining credentials.
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> list
Properties:
    windomain = (unset)
    winname = (unset)
    direction = (unset)
    unixname = (unset)
    unixtype = (unset)
hostname:configuration services idmap (uncommitted)> set windomain=guest.example.com
hostname:configuration services idmap (uncommitted)> set winname=*
hostname:configuration services idmap (uncommitted)> set direction=win2unix
hostname:configuration services idmap (uncommitted)> set unixname=
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING    WINDOWS ENTITY            DIRECTION  UNIX ENTITY
idmap-000  Bill@eng.example.com (U)  ==         wdp (U)
idmap-001  *@guest.example.com (U)   =>         "" (U)
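The following added example (not part of the appliance documentation or its software) parses the `list` output shown above and models how the two rules resolve a Windows identity, including the caveat from the note that a rule naming a specific user stops matching once that user is renamed. It assumes that the first matching rule wins, that names compare case-insensitively, and that a `<=` arrow denotes a unix2win rule; none of these details are stated on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the `list` output from Example 3-2 above.
LIST_OUTPUT = """\
MAPPING    WINDOWS ENTITY            DIRECTION  UNIX ENTITY
idmap-000  Bill@eng.example.com (U)  ==         wdp (U)
idmap-001  *@guest.example.com (U)   =>         "" (U)
"""

# One rule per line: name, winname@windomain (type), arrow, unixname (type).
LINE_RE = re.compile(r'^(idmap-\d+)\s+(\S+)@(\S+)\s+\((\w)\)\s+(==|=>|<=)\s+(\S+)\s+\((\w)\)$')
# "==" and "=>" are shown on the page; "<=" for unix2win is an assumption.
ARROW = {"==": "bi", "=>": "win2unix", "<=": "unix2win"}


@dataclass(frozen=True)
class Rule:
    name: str
    winname: str      # exact Windows user name, or "*" for every user in the domain
    windomain: str
    direction: str    # "bi", "win2unix" or "unix2win"
    unixname: str     # "" is a deny rule: the Windows identity gets no UNIX credentials
    unixtype: str


def parse_list(text):
    """Turn `list` output into Rule objects; header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, winname, windomain, _, arrow, unixname, unixtype = m.groups()
            rules.append(Rule(name, winname, windomain, ARROW[arrow], unixname.strip('"'), unixtype))
    return rules


def resolve_win2unix(rules, windows_identity):
    """Resolve user@domain to ("allow", unixname), ("deny", None) or ("nomatch", None)."""
    user, _, domain = windows_identity.partition("@")
    for r in rules:  # assumption: first matching rule wins (priority is not described above)
        if r.direction not in ("bi", "win2unix") or r.windomain.lower() != domain.lower():
            continue
        if r.winname == "*" or r.winname.lower() == user.lower():  # assumption: case-insensitive
            return ("deny", None) if r.unixname == "" else ("allow", r.unixname)
    return ("nomatch", None)


def resolve_unix2win(rules, unixname):
    """Reverse lookup through bi-directional or unix2win rules."""
    for r in rules:
        if r.direction in ("bi", "unix2win") and r.unixname == unixname:
            return ("allow", f"{r.winname}@{r.windomain}")
    return ("nomatch", None)
```

Resolving `William@eng.example.com` after a rename of `Bill` yields no match, which is why a deny rule tied to a specific name is not a durable block.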