username rewriting option for authentication
Marc Lanctot
marc.lanctot at mail.mcgill.ca
Wed Dec 15 15:03:12 GMT 2004
Gerald (Jerry) Carter wrote:
>
> Why can't you just use a username map? I expect your
> approach would hit a wall when dealing with Kerberos
> tickets since you can't modify the user name.
>
Well, from what it seems, the username map maps authentication names
to local users, which is not at all what I want (see example below). As
for Kerberos, I'd use the rewritten username for the ticket and
authentication.
One thing I've looked at is XSSO's pam_get_mapped_username which allows
the requested usernames to be mapped by the pam modules themselves,
which would solve the problem. I could add the functionality to
pam_winbind, but alas, the Linux version of PAM doesn't yet support
pam_get_mapped_username().
> One thing that is unclear in your mail is an example
> of a sAMAccountName and the bindDN that you wish to use.
Ok, I'll give the same example I gave on the samba list. Currently, to
log in as a user on my Linux machine I must use the username
ADSDOMAIN+username1, where username1 is my sAMAccountName. But the
binddn I use to do LDAP searches is username2 (in our case, our email
address). I'd like to be able to log in to my Linux machine using
username2, which gets rewritten to username1 for authentication.
It doesn't really matter if the uid ends up being the
ADSDOMAIN+sAMAccountName after the authentication is done, but our users
don't know what their sAMAccountNames are and we're approaching a single
sign-on approach; all of our other services use the email address for
authentication, and we'd like it if we could get our Linux machines to
conform.
Marc
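To make the two directions concrete, here is an added example (not Samba's code, not Marc's) that parses a Samba-style `username map` file and applies it the way the man page describes: the name on the right-hand side is the one that was authenticated, the name on the left is the local UNIX account, `@group` entries match by group membership, `*` matches anyone, and a leading `!` stops processing once that line has matched. Beside it is the opposite rewrite the mail asks for: a login name that is an email address is looked up to find the sAMAccountName and turned into the `ADSDOMAIN+sAMAccountName` form before authentication. The directory entries, the group table, the `ADSDOMAIN` name and the `+` separator are all constructed for the example.

```python
"""Samba 'username map' parsing (auth name -> UNIX account) next to the
reverse rewrite asked for in the thread (mail -> ADSDOMAIN+sAMAccountName).

Constructed example; the directory, groups, domain and separator are
stand-ins, not anything from a real deployment.
"""

# Constructed stand-in for UNIX group membership (what getgrnam() would give).
GROUPS = {"staff": {"jdoe", "asmith"}}

# Constructed stand-in for the AD objects an LDAP search over the bind DN would return.
DIRECTORY = [
    {"sAMAccountName": "jdoe1", "mail": "john.doe@example.org"},
    {"sAMAccountName": "asmith", "mail": "alice.smith@example.org"},
    {"sAMAccountName": "asmith2", "mail": "alice.smith@example.org"},  # duplicate mail
]


def parse_username_map(text):
    """Return [(unixname, [names...], stop)] for each rule in a username map file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment or blank line
            continue
        stop = line.startswith("!")         # '!' = stop after this line if it matched
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        unixname, rhs = (part.strip() for part in line.split("=", 1))
        names = rhs.split()
        if not unixname or not names:
            raise ValueError(f"malformed username map line: {raw!r}")
        rules.append((unixname, names, stop))
    return rules


def _entry_matches(entry, name, groups):
    if entry == "*":
        return True
    if entry.startswith("@"):                # @group: match on UNIX group membership
        return name in groups.get(entry[1:], set())
    return entry.lower() == name.lower()     # names are compared case-insensitively


def map_username(rules, name, groups=GROUPS):
    """Map an already-authenticated name to a local UNIX account.

    Processing runs through every rule unless a matching rule carried '!';
    later rules are matched against the already-rewritten name, which is why
    a trailing 'guest = *' swallows everything unless earlier lines use '!'.
    """
    current = name
    for unixname, names, stop in rules:
        if any(_entry_matches(e, current, groups) for e in names):
            current = unixname
            if stop:
                break
    return current


def rewrite_login(login, directory=DIRECTORY, domain="ADSDOMAIN", sep="+"):
    """Rewrite a mail-address login into the DOMAIN+sAMAccountName form
    winbind expects, before authentication.  Returns None when the mail
    address is unknown or ambiguous, so the caller falls through to a failed
    login rather than guessing an account.
    """
    if sep in login:                         # already DOMAIN+account: leave as-is
        return login
    hits = [e["sAMAccountName"] for e in directory
            if e["mail"].lower() == login.lower()]
    if len(hits) != 1:
        return None
    return f"{domain}{sep}{hits[0]}"


if __name__ == "__main__":
    rules = parse_username_map("""
    # constructed map file
    !jdoe = ADSDOMAIN+jdoe1
    !asmith = ADSDOMAIN+asmith @staff
    guest = *
    """)
    print(map_username(rules, "ADSDOMAIN+jdoe1"))        # jdoe
    print(map_username(rules, "nobody-in-particular"))   # guest
    print(rewrite_login("john.doe@example.org"))         # ADSDOMAIN+jdoe1
    print(rewrite_login("alice.smith@example.org"))      # None (two accounts share it)
```

The two functions make the mismatch in the mail visible: `map_username` only ever runs on a name the domain controller has already accepted, whereas `rewrite_login` has to run before the credentials are checked, which is the step neither `username map` nor a PAM module without `pam_get_mapped_username()` gives you a hook for. The ambiguity check in `rewrite_login` matters because `mail` is not a unique attribute in AD; silently picking the first hit would let one account's password unlock another's session.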