Saturday, January 24, 2009

OpenSolaris 2008.11, Windows 2003 Server, and MS SFU 3.5

According to the BigAdmin article Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory, it is pretty straightforward to get a Solaris box to authenticate against Active Directory R2 if you have the UNIX identity management schema extensions, but interoperability with AD plus SFU 3.5 has one major flaw: group mapping.

In a few words, SFU 3.5 does add a UNIX Attributes tab to Windows groups, and it does allow mapping UNIX user accounts to that group. Where it fails is in populating the msSFU30MemberUid attribute when a user is added to the group. Instead, the field that gets populated is msSFU30PosixMember, which for our purpose is worthless: it contains an array of AD user DNs, not the shorter sAMAccountName values that we need for UNIX group mapping.

I found a few articles (which I neglected to bookmark, so I can't easily reference them at the moment) that recognized this shortcoming as well and recommended manually updating group membership via Microsoft's ADSIEdit MMC snap-in. That would be OK, I guess, for limited changes once in a while, but it is not reliable by any stretch of the imagination.

What I've come up with (with the help of the good folks at ActiveXperts.com) is a short VBScript that reads the msSFU30PosixMember attributes for a group and populates the msSFU30MemberUid attributes accordingly. Ideally, this script should be executed any time group membership changes. If anyone has suggestions on how to make this better or automated, I'd love to hear them.

If you use this script, keep in mind that it performs a replacement of any existing msSFU30MemberUid attributes. You have been warned.


On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ADS_PROPERTY_REPLACE = 2
Dim objOUGroups, objGroup, objUser, arrMembers, numMembers, userDN
Dim members()

' Bind to the container holding the groups to synchronise
Set objOUGroups = GetObject("LDAP://cn=Users,dc=jetheaddev,dc=com")
objOUGroups.Filter = Array("group")

For Each objGroup In objOUGroups
    ' GetEx returns a variant array (not an object, so no Set) and raises
    ' E_ADS_PROPERTY_NOT_FOUND when the group has no UNIX members at all
    Err.Clear
    arrMembers = objGroup.GetEx("msSFU30PosixMember")
    If Err.Number = 0 Then
        WScript.Echo "Updating group " & objGroup.msSFU30Name & "..."
        ReDim members(-1)   ' start from an empty array for every group
        numMembers = -1
        ' Resolve each member DN to the user's sAMAccountName
        For Each userDN In arrMembers
            Set objUser = GetObject("LDAP://" & userDN)
            If Err.Number = 0 Then
                numMembers = numMembers + 1
                ReDim Preserve members(numMembers)
                members(numMembers) = objUser.sAMAccountName
            Else
                WScript.Echo "  could not bind to " & userDN & ", skipping it"
                Err.Clear
            End If
        Next
        If numMembers >= 0 Then
            ' REPLACE semantics: any existing msSFU30MemberUid values are overwritten
            objGroup.PutEx ADS_PROPERTY_REPLACE, "msSFU30MemberUid", members
            objGroup.SetInfo
            If Err.Number <> 0 Then
                WScript.Echo "  SetInfo failed: 0x" & Hex(Err.Number)
                Err.Clear
            End If
        Else
            WScript.Echo "  no member DN could be resolved, leaving group untouched"
        End If
    ElseIf Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        Err.Clear   ' group has no UNIX members; nothing to do
    Else
        WScript.Echo "Skipping " & objGroup.Name & ": error 0x" & Hex(Err.Number)
        Err.Clear
    End If
Next
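To make the attribute mismatch and the "replacement" warning concrete, here is an added, offline model of the same reconciliation in Python. It is not the blog's script and not anything shipped with SFU; it works on a small constructed in-memory directory (the DNs, user names and group names are made up) instead of binding to LDAP. It shows the two things an administrator would want before running the VBScript against a real domain: a drift report listing groups whose msSFU30MemberUid no longer matches the resolved msSFU30PosixMember DNs, and a dry-run sync that reports which existing UIDs a REPLACE would silently drop and refuses to write a group whose member DN can no longer be resolved.

```python
"""Offline model of the SFU 3.5 msSFU30PosixMember -> msSFU30MemberUid sync.

All directory data below is constructed sample data, not real AD objects.
"""

# Constructed user DNs; GONE_DN is a member DN whose user no longer exists.
ALICE_DN = "CN=Alice Example,CN=Users,DC=example,DC=test"
BOB_DN = "CN=Bob Example,CN=Users,DC=example,DC=test"
GONE_DN = "CN=Gone User,CN=Users,DC=example,DC=test"

# Constructed "directory": user DN -> attributes we need.
USERS = {
    ALICE_DN: {"sAMAccountName": "alice"},
    BOB_DN: {"sAMAccountName": "bob"},
}

# Constructed groups, keyed by DN, with the two SFU attributes of interest.
GROUPS = {
    "CN=unixadmins,CN=Users,DC=example,DC=test": {
        "msSFU30Name": "unixadmins",
        "msSFU30PosixMember": [ALICE_DN, BOB_DN],
        # "legacyuser" was added by hand in ADSIEdit; REPLACE will drop it
        "msSFU30MemberUid": ["alice", "legacyuser"],
    },
    "CN=devs,CN=Users,DC=example,DC=test": {
        "msSFU30Name": "devs",
        "msSFU30PosixMember": [ALICE_DN],
        "msSFU30MemberUid": ["alice"],          # already in sync
    },
    "CN=orphans,CN=Users,DC=example,DC=test": {
        "msSFU30Name": "orphans",
        "msSFU30PosixMember": [BOB_DN, GONE_DN],  # GONE_DN cannot be resolved
        "msSFU30MemberUid": ["bob"],
    },
    "CN=winonly,CN=Users,DC=example,DC=test": {
        "msSFU30Name": "winonly",               # no msSFU30PosixMember at all
    },
}


def resolve_member_uids(group, users):
    """Map each msSFU30PosixMember DN to its sAMAccountName.

    Returns (uids, missing_dns); a DN absent from the directory goes to missing.
    """
    uids, missing = [], []
    for dn in group.get("msSFU30PosixMember", []):
        user = users.get(dn)
        if user is None:
            missing.append(dn)
        else:
            uids.append(user["sAMAccountName"])
    return uids, missing


def find_drift(groups, users):
    """Report groups whose msSFU30MemberUid disagrees with the resolved DNs
    or whose member DNs cannot be resolved. Groups without UNIX members are
    skipped, like the E_ADS_PROPERTY_NOT_FOUND branch in the VBScript."""
    report = {}
    for group in groups.values():
        if "msSFU30PosixMember" not in group:
            continue
        expected, missing = resolve_member_uids(group, users)
        current = list(group.get("msSFU30MemberUid", []))
        if sorted(expected) != sorted(current) or missing:
            report[group["msSFU30Name"]] = {
                "expected": expected, "current": current, "missing": missing,
            }
    return report


def sync_group(group, users):
    """Overwrite msSFU30MemberUid with the resolved list (ADS_PROPERTY_REPLACE
    semantics). Returns (dropped_uids, missing_dns). Nothing is written when a
    DN cannot be resolved, so a deleted user never silently shrinks the group."""
    expected, missing = resolve_member_uids(group, users)
    if missing:
        return [], missing
    dropped = sorted(set(group.get("msSFU30MemberUid", [])) - set(expected))
    group["msSFU30MemberUid"] = expected
    return dropped, []


def sync_all(groups, users):
    """Dry-run sync over a copy of the groups. Returns
    (new_groups, dropped_by_group, skipped_by_group); the input is untouched."""
    new_groups = {dn: dict(g) for dn, g in groups.items()}
    dropped_by_group, skipped = {}, {}
    for group in new_groups.values():
        if "msSFU30PosixMember" not in group:
            continue
        dropped, missing = sync_group(group, users)
        if missing:
            skipped[group["msSFU30Name"]] = missing
        elif dropped:
            dropped_by_group[group["msSFU30Name"]] = dropped
    return new_groups, dropped_by_group, skipped


if __name__ == "__main__":
    for name, info in find_drift(GROUPS, USERS).items():
        print(f"drift in {name}: {info}")
    _, dropped, skipped = sync_all(GROUPS, USERS)
    print("would drop:", dropped)
    print("skipped (unresolvable DN):", skipped)
```

Running the drift report first, and reviewing the "would drop" list, is the check that makes the REPLACE behaviour safe to automate: anything listed there is a UID that exists only in msSFU30MemberUid and will disappear on the next run.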
