Getting AD Lookup to work without UNIX Attributes tab

  • Article

Getting AD Lookup to work without UNIX Attributes tab

The previous post talks about how to get the UNIX Attributes tab to work without installing IdMU components. In this post, I would like to talk about what attributes the NFS components expect to be populated in AD for user and group object before it can recognize them and use the information.

The UNIX Attributes tab populate a lot of other attributes because it is primarily designed to assist administrators to populate the attributes that are needed to build the NIS maps - NFS components look up just the uidNumber and gidNumber attributes for a user and the gidNumber attribute in case of a group. None of the other attributes are required to have any values.

If we leave the UNIX Attributes tab, we have two options to populate these attributes - programmatically or using ADSIEdit MMC snap-in.

 Using ADSIEdit snap-in can be feasible when you don't have a lot of objects to work with and it's not repeatative. Follow the steps below to populate these attributes using ADSIEdit -

  • In the Run... dialog box, type ADSIEdit.msc and press Enter
  • Right click on the ADSI Edit item in the snap-in and select Connect to...
  • Under the Connection Point section, check the Select a well known Naming Context radio button and from the drop down box, select Default naming context and click on OK
  • Expand Default naming context and then your domain container
  • Locate the user or group object that you want to work with
  • Right click on the object and select Properties
  • Now, in the Attribute Editor tab, locate the uidNumber (not in case of a group) and gidNumber attributes and populate them with the desired values. Now click on OK on save the values.

You're done.

There are several programmatical methods available to do this. Following is a vbs script that I use for my tests -

On Error Resume Next

'Seting base DN here
Set objRootDSE = GetObject ("LDAP://rootDSE")
strBase = "<LDAP://" & objRootDSE.Get ("defaultNamingContext")&">;"

'Getting parameters and setting variables for later use
If WScript.Arguments.Count = 2 then
objType = "group"
samID = WScript.Arguments(0)
gidNumber = WScript.Arguments(1)
ElseIf WScript.Arguments.Count = 3 Then
objType = "user"
samID = WScript.Arguments(0)
uidNumber = WScript.Arguments(1)
gidNumber = WScript.Arguments(2)
Else
Wscript.Echo "Error: Insufficient Parameters"
Wscript.Quit
End If

'Wscript.Echo objType & " " & samID & " " & uidNumber & " " & gidNumber

'Searching for the user in AD
Wscript.Echo "Searching for the object..."
strFilter="(&(objectClass=" & objType & ")(SamAccountName=" & samID & "));"
strAttrs="distinguishedname;"
strScope="SubTree"
Set objCon = CreateObject("ADODB.Connection")
objCon.Provider = "ADSDSOOBJECT"
objCon.Open "Active Directory Provider"
Set objRes = objCon.Execute(strBase & strFilter & strAttrs & strScope)

strDN = objRes.Fields("distinguishedname").Value
If Err.Number Then
WScript.Echo "Error: No " & objType & " with name " & samID & " found."
WScript.Quit
End If

set objDN = GetObject("LDAP://" & strDN)

'Writing information to the object
Wscript.Echo "Writing new values to AD..."
If objType = "user" Then
objDN.Put "uidNumber", uidNumber
objDN.Put "gidNumber", gidNumber
objDN.SetInfo
ElseIf objType = "group" Then
objDN.Put "gidNumber", gidNumber
objDN.SetInfo
End If

'Fetch and display the newly updated UNIX values from AD
Wscript.Echo "Fetching new values from AD..."
Wscript.Echo " samAccountName : " & objDN.Get("cn")
If objType = "user" Then Wscript.Echo " uidNumber : " & objDN.Get("uidNumber")
Wscript.Echo " gidNumber : " & objDN.Get("gidNumber")

'Clean up
Set objRes = nothing

Disclaimer: This sample is provided as is and is not meant for use on a production environment. It is provided only for illustrative purposes. The end user must test and modify the sample to suit their target environment. This code is provided here only as a convenience to you. No representations can be regarding the quality, safety, or suitability of any code or information found here.

Copy the code and save it in a file with .vbs extension. Following is the sytax that you can use to start using it -

To modify user objects - 

C:\>cscript <scriptname.vbs> samAccountName uidNumber gidNumber

To modify group objects -

C:\>cscript <scriptname.vbs> samAccountName gidNumber

It takes a call to modify a user or a group object based on the number of parameters that you pass. Once, it has written the values to uidNumber/gidNumber attributes, it reads the values again and prints them to the console. It does NOT provide an option to selectively modify uidNumber or gidNumber attribute of a user object - you need to still supply both the parameters to this script.