On Mon, 11 Oct 2010 08:42:58 -0400
Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 10/11/2010 08:35 AM, Patrick Grieshaber wrote:
>> Thank you very much for the SUA hint. The auth works now :-).
>
>> But still ldap_schema = rfc2307bis was not enough information.
>> I had to adjust:
>> - ldap_user_name = sAMAccountName
>> - ldap_user_object_class = person
>> - ldap_user_uid_number = uSNCreated
>> - ldap_user_gid_number = logonCount
>
>> I want a unique uid (by default it takes the value of the attribute
>> userAccountControl - not unique!). uSNCreated is a unique
>> attribute value in AD. Unfortunately sssd auth does not work if
>> ldap_user_gid_number has the same attribute as
>> ldap_user_uid_number. I am still looking for a sensible attribute.
> try:
> ldap_user_uid_number = msSFU30UidNumber
> ldap_user_gid_number = msSFU30GidNumber
> Also, you probably want:
> ldap_user_name = msSFU30Name
> I'm guessing you're using an older Active Directory, so chances are
> this is the more-or-less complete set of attributes you want:
> ldap_schema = rfc2307bis
> ldap_user_object_class = person
> ldap_user_name = msSFU30Name
> ldap_user_uid_number = msSFU30UidNumber
> ldap_user_gid_number = msSFU30GidNumber
> ldap_user_home_directory = msSFU30HomeDirectory
> ldap_user_shell = msSFU30LoginShell
> ldap_user_principal = userPrincipalName
> ldap_group_object_class = group
> ldap_group_name = msSFU30Name
> ldap_group_gid_number = msSFU30GidNumber
> ldap_force_upper_case_realm = True
Just an FYI, newer AD servers use the standard rfc2307 attribute names,
so if Services For Unix (or whatever new name they have for it) is
installed, all you need to map is ldap_user_name to sAMAccountName and
probably set ldap_force_upper_case_realm.
You also most probably want to use "ldap_user_object_class = user";
person would match stuff you do not want to match.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
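Putting the two replies together, the following is an added example of a complete sssd.conf domain section for Active Directory; it is not from the original thread or from the SSSD project's own documentation. The domain controller name, search base, realm, keytab and CA certificate paths are made-up placeholders. The active attribute map is Stephen's list for an older AD with the SFU 3.0 schema, amended per Simo's note to match "user" rather than "person"; the commented-out alternative is the shorter map Simo describes for newer AD servers that expose the standard RFC 2307 attribute names.

```ini
# Added example, not from the original thread: a complete SSSD configuration
# for Active Directory assembling the attribute map from the replies above.
# Server, search base, realm and file paths are made-up placeholders.

[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True

ldap_uri = ldap://dc1.ad.example.com
ldap_search_base = dc=ad,dc=example,dc=com
# AD hands out referrals that openldap cannot follow with SASL; turn them off
ldap_referrals = False
# Protect the directory traffic; the CA certificate path is an assumption
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/ad-ca.pem

# Bind with the host's Kerberos keytab instead of a cleartext bind DN/password
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab

krb5_server = dc1.ad.example.com
krb5_realm = AD.EXAMPLE.COM
ldap_force_upper_case_realm = True

# --- Older AD with the SFU 3.0 schema (Stephen's map) ---
# Object class is "user", not "person": person is a broader class and would
# match objects that are not logon accounts.
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber

# --- Newer AD exposing the standard RFC 2307 attribute names (Simo's note) ---
# Replace the block above with these lines; uidNumber, gidNumber,
# unixHomeDirectory/loginShell then resolve through the rfc2307bis defaults.
#ldap_schema = rfc2307bis
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_group_object_class = group
```

The point worth checking after switching the map is the one Patrick ran into: the UID is the identity the kernel enforces, so it must come from an attribute that is unique per account and is set on every account you expect to log in. Attributes like userAccountControl, uSNCreated or logonCount are not POSIX identifiers; two accounts sharing a value would share each other's files and processes, and a value that changes over time would orphan a user's files. With the SFU or RFC 2307 attributes in place, confirm the result with `getent passwd <user>` and `id <user>` for a couple of accounts and verify that the numbers differ between users and do not change between lookups.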