Creating a Mapping Rule (CLI)

Use the following procedure to grant or deny credentials for specific users through the identity mapping service. An "allow" mapping rule grants Windows identity credentials from a UNIX identity or vice versa. A "deny" mapping rule blocks a Windows identity from receiving the credentials of a UNIX identity or vice versa.

Note:

If you create a mapping rule that blocks a particular user and the user's name then changes, the mapping no longer blocks that user.

Before You Begin

Configure rule-based mapping as described in Configuring Identity Mapping (CLI).

  1. Go to configuration services idmap.
  2. Enter create.
    hostname:configuration services idmap> create
    hostname:configuration services idmap (uncommitted)>
  3. Set the properties appropriately.

    You can use the list command to view the available properties.

    hostname:configuration services idmap (uncommitted)> list
    Properties:
                         windomain = (unset)
                           winname = (unset)
                         direction = (unset)
                          unixname = (unset)
                          unixtype = (unset)
    1. windomain - Active Directory domain of the Windows identity.
    2. winname - Set to one of the following options.
      • To create an "allow" mapping, set winname to the name of the Windows identity.

        Enter * to indicate all users within the specified domain.

      • To create a "deny" mapping that blocks a UNIX identity from receiving the credentials of a Windows identity, set to the name of the Windows identity.
      • To create a "deny" mapping that blocks a Windows identity from receiving the credentials of a UNIX identity, do not set winname.
    3. direction - Set to the direction of the mapping:
      • win2unix - Mapping from Windows to UNIX

      • unix2win - Mapping from UNIX to Windows

      • bi - Bidirectional mapping

    4. unixname - Set to one of the following options:
      • To create an "allow" mapping, set to the name of the UNIX identity, or enter * to indicate all users of the specified type.
      • To create a "deny" mapping that blocks a Windows identity from receiving the credentials of a UNIX identity, set to the name of the UNIX identity.
      • To create a "deny" mapping that blocks a UNIX identity from receiving the credentials of a Windows identity, do not set unixname.
    5. unixtype - Set to either user or group for the UNIX identity type.
    hostname:configuration services idmap (uncommitted)> set windomain=demo.example.com
    hostname:configuration services idmap (uncommitted)> set winname=*
    hostname:configuration services idmap (uncommitted)> set direction=win2unix
    hostname:configuration services idmap (uncommitted)> set unixname=
    hostname:configuration services idmap (uncommitted)> set unixtype=user
  4. Enter commit to commit the changes, and create the mapping rule.
    hostname:configuration services idmap (uncommitted)> commit
    hostname:configuration services idmap>

    You can use the list command to view the new rule in the Rules list.

    hostname:configuration services idmap> list

    MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
    idmap-000    Alice@demo.example.com            (U) ==       wdp  (U)
    idmap-001    *@demo.example.com                (U) =>       ""   (U)

Example 3-1 Creating a Bi-Directional Mapping (CLI)

This example creates a bi-directional name-based mapping between a Windows user and UNIX user.

hostname:> configuration services idmap
hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> set windomain=eng.example.com
hostname:configuration services idmap (uncommitted)> set winname=Bill
hostname:configuration services idmap (uncommitted)> set direction=bi
hostname:configuration services idmap (uncommitted)> set unixname=wdp
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
idmap-000    Bill@eng.example.com              (U) ==       wdp  (U)

Example 3-2 Creating a Deny Mapping (CLI)

This example creates a deny mapping that prevents all Windows users in the guest.example.com domain from receiving UNIX credentials: winname is set to *, direction to win2unix, and unixname is left unset.

hostname:configuration services idmap> create
hostname:configuration services idmap (uncommitted)> list
Properties:
                     windomain = (unset)
                       winname = (unset)
                     direction = (unset)
                      unixname = (unset)
                      unixtype = (unset)

hostname:configuration services idmap (uncommitted)> set windomain=guest.example.com
hostname:configuration services idmap (uncommitted)> set winname=*
hostname:configuration services idmap (uncommitted)> set direction=win2unix
hostname:configuration services idmap (uncommitted)> set unixname=
hostname:configuration services idmap (uncommitted)> set unixtype=user
hostname:configuration services idmap (uncommitted)> commit
hostname:configuration services idmap> list
MAPPING      WINDOWS ENTITY                    DIRECTION    UNIX ENTITY
idmap-000    Bill@eng.example.com              (U) ==       wdp  (U)
idmap-001    *@guest.example.com               (U) =>       ""   (U)
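The following is an added Python model of the rule semantics described in the procedure above and in Examples 3-1 and 3-2 (allow versus deny, direction, the * wildcard, an unset name); it is not the appliance's own code. It assumes rules are evaluated in order with the first match winning, and that a * UNIX name maps a Windows user to the same-named UNIX identity; the user "carol" and the demo rule set are constructed for the example.

```python
# Added illustrative model of the rule semantics in this procedure; not the appliance's
# code. Rules evaluated in order, first match wins: an assumption made for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class MappingRule:
    windomain: str
    winname: str    # "" = not set (deny for unix2win lookups); "*" = every user in the domain
    direction: str  # "win2unix", "unix2win" or "bi"
    unixname: str   # "" = not set (deny for win2unix lookups); "*" = every identity of unixtype
    unixtype: str = "user"

def _matches(pattern, name):
    # An unset name ("") never matches, so a deny rule only fires in the direction it blocks.
    return pattern == "*" or (pattern != "" and pattern == name)

def map_win2unix(rules, windomain, winname, unixtype="user"):
    """Return ("allow", unixname), ("deny", "") or ("unmapped", "") for a Windows identity."""
    for r in rules:
        if r.direction not in ("win2unix", "bi") or r.unixtype != unixtype:
            continue
        if r.windomain != windomain or not _matches(r.winname, winname):
            continue
        if r.unixname == "":  # deny rule: the Windows identity receives no UNIX credentials
            return ("deny", "")
        # Assumption: unixname "*" maps the Windows user to the same-named UNIX identity.
        return ("allow", winname if r.unixname == "*" else r.unixname)
    return ("unmapped", "")

def map_unix2win(rules, unixname, unixtype="user"):
    """Return ("allow", "name@domain"), ("deny", "") or ("unmapped", "") for a UNIX identity."""
    for r in rules:
        if r.direction not in ("unix2win", "bi") or r.unixtype != unixtype:
            continue
        if not _matches(r.unixname, unixname):
            continue
        if r.winname == "":  # deny rule: the UNIX identity receives no Windows credentials
            return ("deny", "")
        return ("allow", f"{unixname if r.winname == '*' else r.winname}@{r.windomain}")
    return ("unmapped", "")

# Constructed rule set: the two rules listed at the end of Example 3-2, plus a
# per-user deny for a hypothetical user "carol" that illustrates the Note above:
# once "carol" is renamed, the name-based deny no longer matches her.
RULES = [
    MappingRule("eng.example.com", "Bill", "bi", "wdp"),
    MappingRule("guest.example.com", "*", "win2unix", ""),
    MappingRule("demo.example.com", "carol", "win2unix", ""),
]
```

Note that a renamed user falls through to "unmapped" rather than "deny", which is exactly the gap the Note at the top of this procedure warns about.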