Getting AD Lookup to work without UNIX Attributes tab
The previous post talks about how to get the UNIX Attributes tab to work without installing the IdMU components. In this post I would like to talk about which attributes the NFS components expect to be populated in AD for user and group objects before they can recognize those objects and use the information.
The UNIX Attributes tab populates a lot of other attributes because it is primarily designed to help administrators populate the attributes needed to build the NIS maps. The NFS components look up just the uidNumber and gidNumber attributes of a user and the gidNumber attribute of a group; none of the other attributes needs a value.
If we set the UNIX Attributes tab aside, we have two options to populate these attributes - programmatically or with the ADSIEdit MMC snap-in.
Using the ADSIEdit snap-in is feasible when you don't have a lot of objects to work with and the task is not repetitive. Follow the steps below to populate these attributes using ADSIEdit -
You're done.
There are several programmatic methods available to do this. Following is a VBScript that I use for my tests -
Option Explicit
On Error Resume Next

Dim objRootDSE, strBase, objType, samID, uidNumber, gidNumber
Dim strFilter, strAttrs, strScope, objCon, objRes, strDN, objDN

'Setting base DN here
Set objRootDSE = GetObject("LDAP://rootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;"

'Getting parameters and setting variables for later use
If WScript.Arguments.Count = 2 Then
    objType = "group"
    samID = WScript.Arguments(0)
    gidNumber = WScript.Arguments(1)
ElseIf WScript.Arguments.Count = 3 Then
    objType = "user"
    samID = WScript.Arguments(0)
    uidNumber = WScript.Arguments(1)
    gidNumber = WScript.Arguments(2)
Else
    WScript.Echo "Error: Insufficient Parameters"
    WScript.Quit 1
End If

'uidNumber and gidNumber are integer-syntax attributes; reject anything that is not a number
If Not IsNumeric(gidNumber) Or (objType = "user" And Not IsNumeric(uidNumber)) Then
    WScript.Echo "Error: uidNumber and gidNumber must be numeric"
    WScript.Quit 1
End If

'WScript.Echo objType & " " & samID & " " & uidNumber & " " & gidNumber

'Searching for the object in AD; the name is escaped so it cannot change the meaning of the filter (RFC 4515)
WScript.Echo "Searching for the object..."
strFilter = "(&(objectClass=" & objType & ")(sAMAccountName=" & EscapeFilter(samID) & "));"
strAttrs = "distinguishedname;"
strScope = "SubTree"
Set objCon = CreateObject("ADODB.Connection")
objCon.Provider = "ADSDSOOBJECT"
objCon.Open "Active Directory Provider"
Set objRes = objCon.Execute(strBase & strFilter & strAttrs & strScope)
If Err.Number <> 0 Then
    WScript.Echo "Error: Search failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End If
If objRes.EOF Then
    WScript.Echo "Error: No " & objType & " with name " & samID & " found."
    WScript.Quit 1
End If
strDN = objRes.Fields("distinguishedname").Value

Set objDN = GetObject("LDAP://" & strDN)

'Writing information to the object
WScript.Echo "Writing new values to AD..."
If objType = "user" Then
    objDN.Put "uidNumber", CLng(uidNumber)
End If
objDN.Put "gidNumber", CLng(gidNumber)
objDN.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Error: Write failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End If

'Fetch and display the newly updated UNIX values from AD
'GetInfo reloads the property cache so the values shown come from AD, not from the Put calls above
WScript.Echo "Fetching new values from AD..."
objDN.GetInfo
WScript.Echo " sAMAccountName : " & objDN.Get("sAMAccountName")
If objType = "user" Then WScript.Echo " uidNumber : " & objDN.Get("uidNumber")
WScript.Echo " gidNumber : " & objDN.Get("gidNumber")

'Clean up
Set objRes = Nothing
objCon.Close

'Escapes the characters that have special meaning inside an LDAP search filter (RFC 4515)
Function EscapeFilter(strValue)
    Dim i, c, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        c = Mid(strValue, i, 1)
        Select Case c
            Case "\"
                strOut = strOut & "\5c"
            Case "*"
                strOut = strOut & "\2a"
            Case "("
                strOut = strOut & "\28"
            Case ")"
                strOut = strOut & "\29"
            Case Chr(0)
                strOut = strOut & "\00"
            Case Else
                strOut = strOut & c
        End Select
    Next
    EscapeFilter = strOut
End Function
Disclaimer: This sample is provided as is and is not meant for use on a production environment. It is provided only for illustrative purposes. The end user must test and modify the sample to suit their target environment. This code is provided here only as a convenience to you. No representations can be made regarding the quality, safety, or suitability of any code or information found here.
Copy the code and save it in a file with a .vbs extension. Following is the syntax for running it -
To modify user objects -
C:\>cscript <scriptname.vbs> samAccountName uidNumber gidNumber
To modify group objects -
C:\>cscript <scriptname.vbs> samAccountName gidNumber
It decides whether to modify a user or a group object based on the number of parameters that you pass. Once it has written the values to the uidNumber/gidNumber attributes, it reads the values back and prints them to the console. It does NOT provide an option to selectively modify the uidNumber or gidNumber attribute of a user object - you still need to supply both parameters.
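The same update done with the ActiveDirectory PowerShell module, as an added example rather than the post's own script. It assumes the RSAT ActiveDirectory module and write access to the attributes, and adds two checks the VBScript does not make: that the uidNumber (for users) or gidNumber (for groups) is not already assigned to another object, since NFS maps the number back to a single principal, and that the values are read back from AD after the write.

```powershell
# Added example (not the post's script): populate the POSIX IDs that NFS looks up,
# refusing an ID already assigned to another object of the same kind.
# Assumes the RSAT ActiveDirectory module and rights to write the attributes.
function Set-NfsPosixId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [ValidateRange(1, 2147483647)][int]$UidNumber,      # omit for a group
        [Parameter(Mandatory = $true)][ValidateRange(1, 2147483647)][int]$GidNumber
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Same rule as the VBScript: a uidNumber means a user, otherwise a group.
    $isUser = $PSBoundParameters.ContainsKey('UidNumber')
    $class  = if ($isUser) { 'user' } else { 'group' }

    # Script-block filter: the name is bound as a value, not spliced into an LDAP filter string.
    $target = Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and objectClass -eq $class }
    if (-not $target) { throw "No $class with sAMAccountName '$SamAccountName' found." }

    # uidNumber must be unique among users and gidNumber among groups: NFS maps
    # the number back to one principal, so a shared ID merges two identities.
    if ($isUser) { $idFilter = "(&(objectClass=user)(uidNumber=$UidNumber))" }
    else         { $idFilter = "(&(objectClass=group)(gidNumber=$GidNumber))" }
    $clash = @(Get-ADObject -LDAPFilter $idFilter |
               Where-Object { $_.DistinguishedName -ne $target.DistinguishedName })
    if ($clash.Count -gt 0) {
        throw "ID already assigned to: $($clash.DistinguishedName -join '; ')"
    }
    # A user's gidNumber should name an existing group, or the primary group
    # will not resolve on the NFS side.
    if ($isUser -and -not (Get-ADObject -LDAPFilter "(&(objectClass=group)(gidNumber=$GidNumber))")) {
        Write-Warning "No group carries gidNumber $GidNumber."
    }

    $values = @{ gidNumber = $GidNumber }
    if ($isUser) { $values['uidNumber'] = $UidNumber }
    if ($PSCmdlet.ShouldProcess($target.DistinguishedName, "Set $($values.Keys -join ', ')")) {
        Set-ADObject -Identity $target -Replace $values -ErrorAction Stop
        # Read back exactly the attributes NFS will look up.
        Get-ADObject -Identity $target -Properties sAMAccountName, uidNumber, gidNumber |
            Select-Object sAMAccountName, uidNumber, gidNumber
    }
}

# Constructed sample calls (use -WhatIf first to see what would change):
# Set-NfsPosixId -SamAccountName jdoe -UidNumber 10001 -GidNumber 10000 -WhatIf
# Set-NfsPosixId -SamAccountName nfsusers -GidNumber 10000
```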