I want to, amongst other things, qury our Active Directory server for passwords. So use 389 as a directory server (using NIS scheme and netgroups) with AD passwords.

Problem is... our AD uses usernames of First Last and a kerberos principle of first.last. Where as the unix (linux, AIX, HPUX, Solaris) boxes use 8char usernames.

The password sync stuff I've seen isn't very clear. Does the AD samAccountName have to be the same as the unix username? Or is there somewhere on 389 or on AD where I can do a lookup?

This http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html seems to say there's a field ntUserDomainId that would do that job, is that used in the sync?

Is there any documentation on setting this up?

Zebee
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Yes, directory servers winsync maps AD's samAccountName to uid on LDAP-DS, and Unix use the uid attribute for login name. It is not necessary to use kerberos authentication of AD, if you sync passwords between AD and DS with winsync.

Carsten
----- Ursprüngliche Nachricht -----
Von: Zebee Johnstone <Zebee.Johnstone@optus.com.au>
Datum: Freitag, 21. Januar 2011, 2:43
Betreff: [389-users] Mapping AD names to unix names
An: "'389-users@lists.fedoraproject.org'" <389-users@lists.fedoraproject.org>

> I want to, amongst other things,* qury our Active Directory
> server for passwords.* So use 389 as a directory server
> (using NIS scheme and netgroups) with AD passwords.
>
> Problem is... our AD uses usernames of First Last and a kerberos
> principle of first.last.* Where as the unix (linux, AIX,
> HPUX, Solaris) boxes use 8char usernames.
>
> The password sync stuff I've seen isn't very clear.* Does
> the AD samAccountName have to be the same as the unix
> username?* Or is there somewhere on 389 or on AD where I
> can do a lookup?
>
> This http://docs.redhat.com/docs/en-
> US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html seems to say there's a field ntUserDomainId that would do that job, is that used in the sync?
>
> Is there any documentation on setting this up?
>
> Zebee
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

I use long 8+ usernames in the common first.last in Redhat and Solaris
with no problem, it works just fine (I have done this for ~8 years
now). The only issue I've ever seen is 'top' and 'ps' don't like it, so
you see the UID# instead of the username.

-Brandon


On 01/20/2011 06:43 PM, Zebee Johnstone wrote:
> I want to, amongst other things, qury our Active Directory server for passwords. So use 389 as a directory server (using NIS scheme and netgroups) with AD passwords.
>
> Problem is... our AD uses usernames of First Last and a kerberos principle of first.last. Where as the unix (linux, AIX, HPUX, Solaris) boxes use 8char usernames.
>
> The password sync stuff I've seen isn't very clear. Does the AD samAccountName have to be the same as the unix username? Or is there somewhere on 389 or on AD where I can do a lookup?
>
> This http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html seems to say there's a field ntUserDomainId that would do that job, is that used in the sync?
>
> Is there any documentation on setting this up?
>
> Zebee
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users