I'm trying to setup authentication from Active Directory in FreeBSD 10.0 using nslcd (nss-pam-ldapd-sasl package) and would like to allow both sAMAccountName and userPrincipalName as valid login attributes in the server.
I don't know if it's possible to use this specific configuration.
Here are my actual mappings in /usr/loca/etc/nslcd.conf
# Do not allow uids lower than 1000 to login (aka Administrator)
nss_min_uid 1000
# Disallow disabled accounts to login
pam_authz_search (!(userAccountControl:1.2.840.113556.1.4.803:=2))
#filter passwd (&(objectClass=user)(!(objectClass=computer)))
#map passwd uid sAMAccountName
filter passwd (&(objectClass=user)(userPrincipalName=*)(!(objectClass=computer)))
map passwd uid userPrincipalName
map passwd uidNumber objectSid:S-1-5-21-NULL-NULL-NULL
map passwd gidNumber primaryGroupID
map passwd gecos displayName
map passwd homeDirectory "${unixHomeDirectory:-/home/$sAMAccountName}"
map passwd loginShell "${loginShell:-/bin/tcsh}"
filter group (objectClass=group)
map group cn sAMAccountName
map group gidNumber objectSid:S-1-5-21-NULL-NULL-NULL
I'm not sure if I should modify nslcd or what I'm looking should be achieved with pam.
Thanks in advance.
0 Answers