Feature #10990

Get UNIX group info. from AD/LDAP with partial RFC2307 schema

Added by Gordon Ross about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date: 2019-05-14
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

RFC2307 (https://www.ietf.org/rfc/rfc2307.txt) defines the fields that should be present in LDAP to allow UNIX systems to use LDAP as a naming service. It is a well-documented and widely accepted RFC among UNIX and storage vendors alike.

These extensions are typically added into Active Directory by installing IDMU on the Windows DC and are commonly used in the field to facilitate Windows to Unix mapping of users and groups as well as being required to workaround the 16-group NFS limitation as outlined in http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/ and NEX-1974.

Certain customer environments may not have fully implemented RFC2307, for historical reasons, and instead rely on third-party software (Vintela or Centrify) to bridge the gap and allow UNIX/Linux systems to use Active Directory for user and group membership.

The end result is that certain fields may be missing, named differently, or contain different information. Renamed fields can be worked around by setting the attributeMap option of the ldapclient command. Missing fields are far more problematic.
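
The distinction drawn above, as an added example that is not code from this issue or from illumos: a small model of an RFC2307 group lookup that applies an ldapclient-style attributeMap (service:attribute=ad-attribute). A renamed gidNumber resolves once mapped; an entry with no GID attribute at all cannot be resolved by any mapping. The AD attribute names and group entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed AD group entries (not real directory data). The msSFU30*
# names stand in for whatever a partial RFC2307/IDMU schema actually uses.
CONSTRUCTED_ENTRIES = [
    {"dn": "CN=nfsusers,OU=Groups,DC=example,DC=com",
     "cn": ["nfsusers"], "msSFU30GidNumber": ["10001"],
     "msSFU30MemberUid": ["alice", "bob"]},
    {"dn": "CN=legacy,OU=Groups,DC=example,DC=com",
     "cn": ["legacy"],                       # no GID attribute at all
     "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
]

@dataclass
class GroupEntry:
    name: str
    gid: Optional[int]            # None means the lookup cannot be satisfied
    members: List[str] = field(default_factory=list)

def parse_attribute_map(spec: str) -> Dict[str, Dict[str, str]]:
    """Parse comma-separated 'service:rfc2307_attr=ad_attr' specs, as given to
    ldapclient's attributeMap, into {service: {rfc2307_attr: ad_attr}}."""
    amap: Dict[str, Dict[str, str]] = {}
    for item in spec.split(","):
        service, mapping = item.strip().split(":", 1)
        attr, ad_attr = mapping.split("=", 1)
        amap.setdefault(service, {})[attr.lower()] = ad_attr
    return amap

def lookup_group(entry: dict, amap: Dict[str, Dict[str, str]]) -> GroupEntry:
    """Resolve an RFC2307 group from one AD entry, applying the 'group' map.
    Attribute names are matched case-insensitively, as LDAP does."""
    gmap = amap.get("group", {})

    def get(rfc_attr: str) -> list:
        ad_attr = gmap.get(rfc_attr.lower(), rfc_attr)   # fall back to RFC name
        for key, values in entry.items():
            if key.lower() == ad_attr.lower():
                return values
        return []                                         # attribute missing

    gid_vals = get("gidNumber")
    return GroupEntry(
        name=get("cn")[0],
        gid=int(gid_vals[0]) if gid_vals else None,
        members=list(get("memberUid")),
    )
```

Running the mapped lookup over both constructed entries shows the renamed group resolving to gid 10001 while the legacy group stays unresolvable, and the same renamed group also failing when no map is supplied.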


Related issues

Related to illumos gate - Bug #12240: nss_ldap does not properly look up group members by distinguished name (Closed)
