I want to, amongst other things, qury our Active Directory server for passwords. So use 389 as a directory server (using NIS scheme and netgroups) with AD passwords.
Problem is... our AD uses usernames of First Last and a kerberos principle of first.last. Where as the unix (linux, AIX, HPUX, Solaris) boxes use 8char usernames.
The password sync stuff I've seen isn't very clear. Does the AD samAccountName have to be the same as the unix username? Or is there somewhere on 389 or on AD where I can do a lookup?
This http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administ... seems to say there's a field ntUserDomainId that would do that job, is that used in the sync?
Is there any documentation on setting this up?
Zebee
Yes, directory servers winsync maps AD's samAccountName to uid on LDAP-DS, and Unix use the uid attribute for login name. It is not necessary to use kerberos authentication of AD, if you sync passwords between AD and DS with winsync.
Carsten ----- Ursprüngliche Nachricht ----- Von: Zebee Johnstone Zebee.Johnstone@optus.com.au Datum: Freitag, 21. Januar 2011, 2:43 Betreff: [389-users] Mapping AD names to unix names An: "'389-users@lists.fedoraproject.org'" 389-users@lists.fedoraproject.org
I want to, amongst other things, qury our Active Directory server for passwords. So use 389 as a directory server (using NIS scheme and netgroups) with AD passwords.
Problem is... our AD uses usernames of First Last and a kerberos principle of first.last. Where as the unix (linux, AIX, HPUX, Solaris) boxes use 8char usernames.
The password sync stuff I've seen isn't very clear. Does the AD samAccountName have to be the same as the unix username? Or is there somewhere on 389 or on AD where I can do a lookup?
This http://docs.redhat.com/docs/en- US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html seems to say there's a field ntUserDomainId that would do that job, is that used in the sync?
Is there any documentation on setting this up?
Zebee
389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
I use long 8+ usernames in the common first.last in Redhat and Solaris with no problem, it works just fine (I have done this for ~8 years now). The only issue I've ever seen is 'top' and 'ps' don't like it, so you see the UID# instead of the username.
-Brandon
On 01/20/2011 06:43 PM, Zebee Johnstone wrote:
I want to, amongst other things, qury our Active Directory server for passwords. So use 389 as a directory server (using NIS scheme and netgroups) with AD passwords.
Problem is... our AD uses usernames of First Last and a kerberos principle of first.last. Where as the unix (linux, AIX, HPUX, Solaris) boxes use 8char usernames.
The password sync stuff I've seen isn't very clear. Does the AD samAccountName have to be the same as the unix username? Or is there somewhere on 389 or on AD where I can do a lookup?
This http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administ... seems to say there's a field ntUserDomainId that would do that job, is that used in the sync?
Is there any documentation on setting this up?
Zebee
389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
389-users@lists.fedoraproject.org