Administering ID mapping


Assume the ID mapping scheme is ``idmp'' and g_name has the form ``M1@M2.M3'', where ``M1'' is the user's login, ``M2'' the remote system and ``M3'' its domain. The following command line transparently maps all users on the remote system man in the domain moon. All of them are mapped to the local login guest.

idadmin -S idmp -a -l guest -r "*@man.moon"

NOTE: To protect characters that are meaningful to the shell, enclose global names in quotes.

If you enter * in place of the remote user name and %1 in place of logname on the idadmin command line, every remote login is mapped to the local login of the same name, that is, to the value of field ``M1''. Assume the authentication scheme is called cr2 and the format descriptor is ``M2:M1''.

If you want to map all logins on pluto to identical logins on your machine, you would enter

idadmin -S cr2 -a -l %1 -r "pluto:*"

In this example, user bob on the remote system would be mapped to bob on the local system; johnd on the remote system would be mapped to johnd, and so on.

In the next example, assume you want to map all logins on remote system mars to identical logins on your system, with the exception of the remote login guest. Assuming cr1 is the authentication scheme, the map must contain the following pair of entries:

   guest@mars %i
   *@mars %1

To add the entries to the map, first enter

idadmin -S cr1 -a -l %i -r guest@mars

Then enter

idadmin -S cr1 -a -l %1 -r "*@mars"

These entries could have been added in reverse order. The idadmin command ensures that the most specific entry appears first in the file. If you enter %i in place of logname on the idadmin command line, the remote user specified with -r is rejected rather than mapped.

Other characters can appear in a field containing an asterisk. For example, all remote system names beginning with ux match the pattern ux*. The following command adds transparent mapping for all users on machines whose names begin with ux:

idadmin -S cr1 -a -l %1 -r "*@ux*"

In addition, to exclude all guest users on these remote systems, enter

idadmin -S cr1 -a -l %i -r "guest@ux*"

The contents of an idata file with these four entries would be

   guest@mars %i
   *@mars %1
   guest@ux* %i
   *@ux* %1

When an idata file is searched for a global name, it is scanned sequentially and the first matching entry is used. Therefore the ordering of global names in this file is critical.

Global names are sorted on the highest numbered field first. Entries with explicit values in this field appear first in the file. Entries with patterns (fields containing *) in this field appear next and are sorted from most specific to least specific. For example, the remote system name ux* is more specific than the remote system name u* and therefore appears first in the file.

If two or more entries are equally specific, the specificity of the next lower numbered field is examined. Fields are examined from highest to lowest until the global names can be differentiated.
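The following Python model, added here as an illustration and not part of UnixWare or the idadmin program, applies the ordering and search rules above to the map entries built up in the examples. It splits global names according to a scheme's format descriptor (``M1@M2.M3'', ``M2:M1''), keeps the entries sorted on the highest numbered field first with explicit values ahead of patterns and more specific patterns ahead of less specific ones, and resolves a remote name by sequential scan. Assumptions not stated on this page: * is the only wildcard, a pattern's specificity is measured by the number of literal characters it contains, the cr1 scheme uses the descriptor ``M1@M2'', and a remote name that matches no entry is rejected just as %i would reject it.

```python
"""Model of how an idata map is ordered and searched.

Added example, not UnixWare's idadmin or its library code.  It implements
the rules stated in the text: global names are split according to the
scheme's format descriptor, the map is kept sorted on the highest-numbered
field first (explicit values before patterns, patterns from most to least
specific), and lookups scan the file sequentially, first match wins.
Assumptions: '*' is the only wildcard; a pattern's specificity is the number
of literal characters it contains; cr1 uses the descriptor 'M1@M2'; a remote
name matching no entry is rejected, like %i.
"""
import re

WILD = "*"


def parse_descriptor(desc):
    """'M1@M2.M3' -> ([1, 2, 3], ['@', '.']); 'M2:M1' -> ([2, 1], [':'])."""
    parts = re.split(r"(M\d+)", desc)       # ['', 'M1', '@', 'M2', '.', 'M3', '']
    fields = [int(p[1:]) for p in parts[1::2]]
    seps = parts[2:-1:2]
    return fields, seps


def split_global(gname, desc):
    """Map a global name onto its numbered fields: 'pluto:*' with 'M2:M1'
    gives {2: 'pluto', 1: '*'}."""
    fields, seps = parse_descriptor(desc)
    values, rest = {}, gname
    for i, fnum in enumerate(fields):
        if i < len(seps):
            head, sep, rest = rest.partition(seps[i])
            if not sep:
                raise ValueError(f"{gname!r} does not match descriptor {desc!r}")
            values[fnum] = head
        else:
            values[fnum] = rest
    return values


def field_key(text):
    """Explicit values first, then patterns with more literal characters first."""
    if WILD in text:
        return (1, -len(text.replace(WILD, "")))
    return (0, 0)


def sort_key(gname, desc):
    """Compare fields from the highest number down, as the text describes."""
    vals = split_global(gname, desc)
    return tuple(field_key(vals[n]) for n in sorted(vals, reverse=True))


def glob_match(pattern, text):
    """Match with '*' as the only wildcard; everything else is literal."""
    regex = ".*".join(re.escape(p) for p in pattern.split(WILD))
    return re.fullmatch(regex, text) is not None


class IdMap:
    """One scheme's idata file held in memory."""

    def __init__(self, desc):
        self.desc = desc
        self.entries = []          # (global_name, local_spec), kept sorted

    def add(self, local_spec, global_name):
        """Equivalent of: idadmin -S scheme -a -l local_spec -r global_name."""
        split_global(global_name, self.desc)     # reject malformed names early
        self.entries.append((global_name, local_spec))
        self.entries.sort(key=lambda e: sort_key(e[0], self.desc))

    def dump(self):
        """The file as idadmin would write it, most specific entry first."""
        return "\n".join(f"{g} {l}" for g, l in self.entries)

    def lookup(self, remote_gname):
        """Sequential scan; returns the local login, or None if rejected."""
        remote = split_global(remote_gname, self.desc)
        for gname, local in self.entries:
            pattern = split_global(gname, self.desc)
            if not all(glob_match(pattern[n], remote[n]) for n in pattern):
                continue
            if local == "%i":                     # explicit rejection
                return None
            m = re.fullmatch(r"%(\d+)", local)
            if m:                                 # %n: copy field n of the remote name
                return remote[int(m.group(1))]
            return local                          # fixed local login, e.g. guest
        return None                               # assumption: no entry means reject


if __name__ == "__main__":
    # The four cr1 entries from the text, added in a different order than shown.
    cr1 = IdMap("M1@M2")
    for local, remote in [("%1", "*@ux*"), ("%i", "guest@ux*"),
                          ("%1", "*@mars"), ("%i", "guest@mars")]:
        cr1.add(local, remote)
    print(cr1.dump())
    for name in ("bob@mars", "guest@mars", "johnd@ux17", "guest@ux17"):
        print(f"{name:12} -> {cr1.lookup(name)}")
```

Adding the four entries in any order produces the file shown in the text, because each add re-sorts on the specificity key; the lookups show why that order matters: guest@ux17 is rejected only because guest@ux* is scanned before *@ux*.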

NOTE: Remote IDs should not be mapped to uucp. Instead, they should be mapped to nuucp or some other login used exclusively for data transfer.

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004