UID and CN attributes. Linux needs UID and Windows Needs CN

  • Last Post 04 April 2017
BrianB posted this 03 April 2017

I have a project where I want to get rid of our existing Oracle LDAP and consolidate into AD. We have *nix apps that require some POSIX attributes to be populated, specifically UID and GIDNUMBER. We have those attributes loaded in our test AD deployment and I can populate them manually. However, there is only one distinguishedName attribute, and it is populated with “CN=” rather than “UID=”. When a *nix system wants to query the LDAP environment it uses “UID=bob,cn=people,dc=domain,dc=com”. When I try to locate the user in AD by UID= with PowerShell (“get-aduser –identity uid=bob,cn=users,dc=domain,dc=com”) I get object not found. I realize that the DN is not using UID.

Now I need to service both Windows and *nix systems using CN and UID. Is there a way to reference an object by using either of those to get the same user for an LDAP query?

Brian Britt

yawpee posted this 04 April 2017

Hello Brian,

My name is Yaw. I had the privilege of working with you at CSUN around 2007. I have a quick question on the design of an AD forest.

I have a company who has already registered a public domain; they require me to design an AD environment to be able to use Exchange 2013.

BrianB posted this 03 April 2017

Great question Brian. I think this can be solved at the client level, though they will not like it, if they can specify cn= for the resource ID as opposed to UID. As far as the query goes, I think it will be an actual LDAP query where “(&(objectclass=user)(uid=something)(customattribute=whatIamreallyfiltering_for))”.

 

The problem is getting App owners or Unix Admins to change their configs for potentially hundreds of systems. So if I can solve the problem at the directory, then they will not have to modify so many configs.


Brian Britt
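One way to put the filter-based lookup above into practice, as an added PowerShell example (not code from any poster in this thread): because the RDN of an AD user is always CN, a DN of the form “uid=bob,…” can never be resolved by `-Identity`, but the same object can be found by searching on the attribute value with `-LDAPFilter`. The container `CN=Users,DC=domain,DC=com` and a populated `uid` attribute are assumptions taken from the test deployment described in the question.

```powershell
# Added example: resolve a user whether the caller hands us a Unix-style
# "uid=bob,..." DN, an AD-style "CN=bob,..." DN, or a bare name.
# Assumes the ActiveDirectory module and that uid/uidNumber/gidNumber are
# populated on the AD user objects, as in the test AD described above.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a caller-supplied name must not be able to change
    # the structure of the filter (classic LDAP injection).
    param([Parameter(Mandatory)][string]$Value)
    return [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-UserByEitherRdn {
    param(
        # "uid=bob,cn=users,dc=domain,dc=com", "CN=bob,CN=Users,DC=domain,DC=com" or "bob"
        [Parameter(Mandatory)][string]$Identity,
        # Assumed container; adjust to the real OU/container.
        [string]$SearchBase = 'CN=Users,DC=domain,DC=com'
    )
    # Keep only the leading RDN; its attribute type (uid or cn) is irrelevant,
    # we only want the value to search on.
    $rdn  = ($Identity -split ',(?=[A-Za-z]+=)')[0]
    $name = if ($rdn -match '^[A-Za-z]+=(.*)$') { $Matches[1] } else { $rdn }
    $safe = ConvertTo-LdapFilterValue $name

    # Search by attribute value instead of by DN: AD's RDN is CN, so a
    # DN-based lookup with uid= can never match, but (uid=...) can.
    $filter = "(&(objectClass=user)(|(cn=$safe)(uid=$safe)))"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
               -Properties uid, uidNumber, gidNumber
}

# Both calls return the same object when cn and uid both carry "bob".
Get-UserByEitherRdn 'uid=bob,cn=users,dc=domain,dc=com' |
    Select-Object Name, uid, uidNumber, gidNumber
Get-UserByEitherRdn 'CN=bob,CN=Users,DC=domain,DC=com' |
    Select-Object Name, uid, uidNumber, gidNumber
```

If uid and cn can legitimately differ for the same person, run the search once per attribute and check for more than one hit before trusting the result.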


barkills posted this 03 April 2017

Is this a case where the unix app won’t/can’t leverage the platform id mapping mechanisms?

The /etc/nslcd.conf file (where e.g. you can map uid to samAccountName) is described in section 6.4.4 of the Integrating Red Hat Enterprise Linux 6 with Active Directory whitepaper:

http://www.redhat.com/en/files/resources/en-rhel-intergrating-rhel-6-active-directory.pdf?

I reference this paper because of all the resources I’ve found on this topic of unix to AD integration, it seems to be the only one which has longevity, a comprehensive list of a variety of solutions, and accuracy.

I wish Microsoft had a similar authoritative reference document.

Just wondering out loud if the solution is the directory or the client …

Brian

bdesmond posted this 03 April 2017

It’s 1:1. You would need a provisioning and sync mechanism. Your bind proxy would have an RDN of UID. So UID=Brian.Britt with whatever other attributes the app/host needs shadowed on it. The proxy would point to the SID of your AD account so authentication would still happen inside AD.

Thanks,

Brian Desmond

w – 312.625.1438 | c – 312.731.3132

Mahdi posted this 03 April 2017

Not sure how helpful it can be, but what do you think about having a custom attribute which holds UID and then running a PowerShell script to replicate DN to UID on an hourly basis?


BrianB posted this 03 April 2017

I just found the article “Bind to an AD LDS Instance Through a Proxy Object”. What is unclear to me is if I need a proxy object for each user in the directory or just one proxy for all users. Is it a 1:Many proxy object or a 1:1 object? I have several thousand potential objects that would need to be looked up via UID, so this could be a nightmare to import SIDs into each and every AD LDS proxy object if 1:1. I am also unsure of how this would solve the lookup of UID vs CN. Will you explain a little further, please?

Brian

bdesmond posted this 03 April 2017

I don’t know offhand what your AuthN stack/apps will need on the host side. I certainly have seen this work just fine with AD and the CN as the RDN, so presumably there’s changes you can make on the hosts/apps to support this.

Thanks,

Brian Desmond

BrianB posted this 03 April 2017

Is UID a required attribute for Linux as much as, say, GIDNUMBER? Can’t Unix use CN= for the lookup and still use GIDNUMBER? It would just take some changes to the Unix app’s config from UID= to CN=. However, I do realize how much anyone hates to go change an obscure setting in a config file, but I was hoping to avoid building another LDAP in place of the existing one.

Do you by chance know a URL link to the option you specified?

Brian Britt

bdesmond posted this 03 April 2017

The UID isn’t the RDN in AD so this won’t work. Putting AD LDS in front of AD with bind proxies could be a solution here.

Thanks,

Brian Desmond