username rewriting option for authentication

Marc Lanctot marc.lanctot at mail.mcgill.ca
Wed Dec 15 15:03:12 GMT 2004


Gerald (Jerry) Carter wrote:
> 
> Why can't you just use a username map?  I expect your
> approach would hit a wall when dealing with kerberos
> tickets since you can't modify the user name.
>

Well, from what it seems, the username map maps authentication names 
to local users, which is not at all what I want (see example below). As 
for kerberos, I'd use the rewritten username for the ticket and 
authentication.

One thing I've looked at is XSSO's pam_get_mapped_username which allows 
the requested usernames to be mapped by the pam modules themselves, 
which would solve the problem. I could add the functionality to 
pam_winbind, but alas, the Linux version of PAM doesn't yet support 
pam_get_mapped_username().

> One thing that is unclear in your mail is an example
> of a sAMAccountName and the bindDN that you wish to use.

Ok, I'll give the same example I gave on the samba list. Currently, to 
login as a username on my Linux machine I must use the username: 
ADSDOMAIN+username1, where username1 is my sAMAccountName. But the 
binddn I use to do LDAP searches is username2 (in our case, our email 
address). I'd like to be able to login to my Linux machine using 
username2 which gets rewritten to username1 for authentication.

It doesn't really matter if the uid ends up being the 
ADSDOMAIN+sAMAccountName after the authentication is done, but our users 
don't know what their sAMAccountNames are and we're approaching a single 
sign-on approach; all of our other services use the email address for 
authentication, and we'd like it if we could get our Linux machines to 
conform.

Marc


More information about the samba-technical mailing list