[Date Prev][Date Next] [Chronological] [Thread] [Top]

openldap rewrite 2307 group attribute

To: openldap-software@OpenLDAP.org
Subject: openldap rewrite 2307 group attribute
From: Tyson Lambert <tj.lambert@gmail.com>
Date: Tue, 7 Dec 2004 17:12:48 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=cGFnakPPa8o/crLZVJp9GOSoNuwK4gAcfYz0hwzQWwVmPjuO8tPxAsfIne6ymDr0flAJWRBX270il+9K3+uVvUCXqZYELngqXyjXyhnPX0UaFFSNDF65ABXRY2ujztDHyO4xoSpNem7coKtGj6xq8c3IiNQW2yqfIqRh3GWGMms=

Hello,

I'm trying to translate an attribute in active directory to one I can
use with my unix boxen.  Right now I'm using attribute mappings in
much the same fasion as padl's nss_ldap module which is working great
except for the posix group attribute.  My AD server stores unix groups
like so in an object class

Group:

 msSFU30PosixMember=CN=nixuser,CN=Users,DC=circus,DC=test,DC=com
 msSFU30PosixMember=CN=nixuser2,CN=Users,DC=circus,DC=test,DC=com
 msSFU30PosixMember=CN=turkey,CN=Users,DC=circus,DC=test,DC=com

What I need is:

posixGroup:

 memberuid=nixuser
 memberuid=nixuser2
 memberuid=turkey

With an attribute map from msSFU30PosixMember to memberuid I get this
using getent group:

 nixtest:x:900:CN=turkey,CN=Users,DC=circus,DC=test,DC=com,CN=nixuser,CN=
 Users,DC=circus,DC=test,DC=com,nixuser2,CN=Users,DC=circus,DC=test,DC=com

and what I'm looking for obviously is:

 nixtest:x:900:turkey,nixuser,nixuser2

Can someone point me in the right direction for a rewrite rule that
can strip the DN off of user names?  I haven't quite figured out how
to make a rule specific to just one type of attribute.

Here is the rest of my configuration file.  Other than the secondary
groups it's working between active directory and aix, hpux, solaris
and linux pretty well:

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/ad.schema

database        ldap

# URI for our ADSI server
uri             "ldap://ringmaster.circus.burlingame.ibm.com/";

lastmod         off
rewriteEngine   on

# back-ldap
suffix          "dc=tent,dc=burlingame,dc=ibm,dc=com"
# this isn't essential in my set up
suffixmassage   "dc=tent,dc=burlingame,dc=ibm,dc=com" "CN=Users,DC=circus,DC=bur
lingame,DC=ibm,DC=com"

map objectclass posixAccount User
map objectclass posixGroup Group
map objectclass shadowAccount organizationalPerson
map attribute   uid msSFU30Name
map attribute   uidNumber msSFU30UidNumber
map attribute   gidNumber msSFU30GidNumber
map attribute   cn sAMAccountName
map attribute   memberuid msSFU30PosixMember
map attribute   userPassword msSFU30Password
map attribute   homeDirectory msSFU30HomeDirectory
map attribute   loginShell msSFU30LoginShell
map attribute   gecos name
map attribute   shadowflag msSFU30ShadowFlag

Thanks!

-ty

Follow-Ups:
- Re: openldap rewrite 2307 group attribute
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Error when starting Openldap
Next by Date: How-to secure PosixAccount attr ?
Index(es):
- Chronological
- Thread