UID and CN attributes. Linux needs UID and Windows needs CN

Last Post 04 April 2017
BrianB posted this 03 April 2017

I have a project where I want to get rid of our existing Oracle LDAP and consolidate into AD. We have *Nix apps that require some POSIX attributes to be populated, specifically UID and GIDNUMBER. We have those attributes loaded in our test AD deployment and I can populate them manually. However, there is only one distinguishedName attribute, and it is populated with “CN=” rather than “UID=”. When a *nix system wants to query the LDAP environment it uses “UID=bob,cn=people,dc=domain,dc=com”. When I try to locate the user in AD by UID= with PowerShell (“get-aduser -identity uid=bob,cn=users,dc=domain,dc=com”) I get object not found. I realize that the DN is not using UID.

Now I need to service both Windows and *Nix systems using CN and UID. Is there a way to reference an object by using either of those to get the same user for an LDAP query?

Brian Britt

bdesmond posted this 03 April 2017

The UID isn’t the RDN in AD so this won’t work. Putting AD LDS in front of AD with bind proxies could be a solution here.

Thanks,

Brian Desmond

w – 312.625.1438 | c – 312.731.3132

BrianB posted this 03 April 2017

Is UID a required attribute for Linux as much as, say, GIDNUMBER? Can’t Unix use CN= for the lookup and still use GIDNUMBER? It would just take some changes to the Unix app’s config from UID= to CN=. However, I do realize how much anyone hates to go change an obscure setting in a config file, but I was hoping to avoid building another LDAP in place of the existing one.

Do you by chance know a URL link to the option you specified?

Brian Britt

bdesmond posted this 03 April 2017

I don’t know offhand what your AuthN stack/apps will need on the host side. I certainly have seen this work just fine with AD and the CN as the RDN, so presumably there are changes you can make on the hosts/apps to support this.

Thanks,

Brian Desmond

BrianB posted this 03 April 2017

I just found the article “Bind to an AD LDS Instance Through a Proxy Object”. What is unclear to me is whether I need a proxy object for each user in the directory or just one proxy for all users. Is it a 1:Many proxy object or a 1:1 object? I have several thousand potential objects that would need to be looked up via UID, so this could be a nightmare to import SIDs into each and every AD LDS proxy object if 1:1. I am also unsure of how this would solve the lookup of UID vs CN. Will you explain a little further, please?

Brian

Mahdi posted this 03 April 2017

Not sure how helpful it can be, but what do you think about having a custom attribute which holds UID and then running a PowerShell script to replicate DN to UID on an hourly basis?
bdesmond posted this 03 April 2017

It’s 1:1. You would need a provisioning and sync mechanism. Your bind proxy would have an RDN of UID, so UID=Brian.Britt with whatever other attributes the app/host needs shadowed on it. The proxy would point to the SID of your AD account so authentication would still happen inside AD.

Thanks,

Brian Desmond

barkills posted this 03 April 2017

Is this a case where the Unix app won’t/can’t leverage the platform ID mapping mechanisms?

The /etc/nslcd.conf file (where e.g. you can map uid to samAccountName) is described in section 6.4.4 of the Integrating Red Hat Enterprise Linux 6 with Active Directory whitepaper:

http://www.redhat.com/en/files/resources/en-rhel-intergrating-rhel-6-active-directory.pdf?

I reference this paper because, of all the resources I’ve found on this topic of Unix to AD integration, it seems to be the only one which has longevity, a comprehensive list of a variety of solutions, and accuracy.

I wish Microsoft had a similar authoritative reference document.

Just wondering out loud if the solution is the directory or the client …

Brian

BrianB posted this 03 April 2017

Great question, Brian. I think this can be solved at the client level, though they will not like it, if they can specify cn= for the resource ID as opposed to UID. As far as the query goes, I think it will be an actual LDAP query such as “(&(objectclass=user)(uid=something)(customattribute=whatIamreallyfiltering_for))”.

The problem is getting app owners or Unix admins to change their configs for potentially hundreds of systems. So if I can solve the problem at the directory, then they will not have to modify so many configs.

Brian Britt
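As an added example (not code from anyone in this thread), the PowerShell below implements Mahdi’s hourly sync idea together with the uid-based LDAP filter Brian describes: it copies sAMAccountName into the uid attribute where it is empty, warns on duplicate uid values, and then resolves a user by uid without uid being the RDN. The ActiveDirectory module, the OU in $SearchBase and the user ‘bob’ are assumptions.

```powershell
# Added example (not from this thread): populate the multi-valued 'uid'
# attribute from sAMAccountName for users that lack it, report duplicate
# uid values, then resolve a user by uid via an LDAP filter, showing that
# the RDN can stay CN while *nix clients key on uid.
# Assumes the ActiveDirectory module and write access to 'uid'.
# $SearchBase and the user 'bob' are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Users,DC=domain,DC=com'   # placeholder
)
Import-Module ActiveDirectory

# 1. Person objects whose uid is empty (objectCategory excludes computers).
$missing = Get-ADUser -SearchBase $SearchBase `
    -LDAPFilter '(&(objectClass=user)(objectCategory=person)(!(uid=*)))' `
    -Properties uid

foreach ($u in $missing) {
    # Mirror sAMAccountName into uid so (uid=bob) resolves the same object
    # that CN=bob,... resolves for Windows. uid is multi-valued: -Replace.
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "set uid=$($u.SamAccountName)")) {
        Set-ADUser -Identity $u -Replace @{ uid = $u.SamAccountName }
    }
}

# 2. Two objects sharing a uid would make *nix lookups ambiguous; warn
#    before clients depend on the attribute.
Get-ADUser -SearchBase $SearchBase -LDAPFilter '(uid=*)' -Properties uid |
    ForEach-Object {
        foreach ($v in $_.uid) {
            [pscustomobject]@{ uid = $v; DN = $_.DistinguishedName }
        }
    } |
    Group-Object -Property uid |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning "Duplicate uid '$($_.Name)': $($_.Group.DN -join '; ')"
    }

# 3. Lookup by uid instead of DN: the query shape the *nix side (or a
#    test) should use. gidNumber is returned alongside for the POSIX apps.
Get-ADUser -LDAPFilter '(&(objectClass=user)(uid=bob))' -Properties uid, gidNumber |
    Select-Object DistinguishedName, SamAccountName, uid, gidNumber
```

Run it once with -WhatIf to preview the writes before scheduling it; the filter in step 3 is the shape a *nix client would send instead of binding to a UID= DN.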

 


yawpee posted this 04 April 2017

Hello Brian,

My name is Yaw; I had the privilege of working with you at CSUN around 2007. I have a quick question on the design of an AD forest.

I have a company who has already registered a public domain; they require me to design an AD environment to be able to use Exchange 2013.