Administering ID mapping

Overview of ID mapping

The ID mapping module consists of two routines that map remote users into local identities, plus a database from which the routines retrieve the relevant mapping information. The ID mapping database includes two types of map files. One type contains entries that map user logins; the other contains entries that map the values of user attributes, such as user IDs (UIDs) and group IDs (GIDs).

When a remote user attempts to access a service on your system, the port monitor receives the connection request. It uses an authentication scheme to validate the user; the scheme then calls the ID mapping routines. One routine checks the login maps associated with the ID mapping scheme, then maps the user to a login on the local system. The other routine checks the local system's attribute maps, then maps the values of user attributes on the remote system to the specified local values.

Both login mapping and attribute mapping are provided as part of a general mapping facility. Some applications may require that users be mapped both by login and by attribute; other applications may require that they be mapped only by attribute. Typically, however, users are mapped only by login; when users are mapped by login, the administrator controls a remote user's local environment by associating attributes with the user's login in the local system's /etc/passwd file (see passwd(4)).

ID mapping administration entails setting up and maintaining the ID mapping database. Before you set up the database, you should already have installed the authentication schemes you intend to use.

NOTE: The cr1 authentication scheme is the only authentication scheme provided with UnixWare 7 at this time--with the exception of the traditional login/password scheme, which doesn't rely on ID mapping. Unless otherwise stated, examples throughout the discussion of ID mapping assume cr1 is the authentication scheme.

We recommend you administer your system in the following sequence:

  1. Check that authentication scheme executable programs are installed in the proper directories; cr1 should be installed in /usr/lib/iaf/cr1.

  2. Set up the ID mapping database, following the instructions here.

  3. Register services with port monitors and associate them with authentication schemes through the Service Access Facility. See ``Administering port services'' for more information on registering services.

  4. Update the ID mapping database as needed.

If you enable a facility called user-controlled mapping, non-privileged users can help you maintain login maps. When user-controlled mapping is enabled, a user with logins on both the local and a remote system can access the local system and add a database entry that maps their own remote login to a local login. User-controlled mapping is described in ``Enabling and disabling user-controlled mapping''.
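The following is an added illustration, not UnixWare code: a toy model of the two ID mapping routines (login map lookup, attribute map lookup) and of the user-controlled mapping rule, in which a user can only map a remote login onto their own local login. The map layouts, function names and sample data are assumptions made for this example.

```python
# Added example (not UnixWare's database or API): a toy model of ID mapping.
# Map layouts, function names and sample data are assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class IdMapDb:
    # login map: (scheme, remote system, remote login) -> local login
    login_map: dict = field(default_factory=dict)
    # attribute map: (scheme, remote system, attribute, remote value) -> local value
    attr_map: dict = field(default_factory=dict)
    # constructed stand-in for the local /etc/passwd: local login -> (uid, gid)
    passwd: dict = field(default_factory=dict)
    user_controlled: bool = False  # the user-controlled mapping facility switch

def map_login(db, scheme, remote_system, remote_login):
    """Routine 1: look up the local login for a remote user; None means no map."""
    return db.login_map.get((scheme, remote_system, remote_login))

def map_attr(db, scheme, remote_system, attr, remote_value):
    """Routine 2: translate one remote attribute value (e.g. a UID) to its local value."""
    return db.attr_map.get((scheme, remote_system, attr, remote_value))

def local_identity(db, scheme, remote_system, remote_login):
    """Typical case: map by login only; UID/GID then come from the local passwd entry."""
    local = map_login(db, scheme, remote_system, remote_login)
    if local is None or local not in db.passwd:
        return None  # unmapped remote user: fail closed, never guess an identity
    uid, gid = db.passwd[local]
    return {"login": local, "uid": uid, "gid": gid}

def user_add_mapping(db, requesting_local_login, scheme, remote_system, remote_login):
    """User-controlled mapping: the entry always maps onto the requester's OWN login."""
    if not db.user_controlled:
        raise PermissionError("user-controlled mapping is disabled")
    key = (scheme, remote_system, remote_login)
    if db.login_map.get(key, requesting_local_login) != requesting_local_login:
        raise PermissionError("remote login is already mapped to another local login")
    db.login_map[key] = requesting_local_login

def sample_db():
    """Constructed sample database (cr1 scheme, remote system 'hostb')."""
    db = IdMapDb(user_controlled=True)
    db.passwd = {"alice": (1001, 100), "root": (0, 0)}
    db.login_map[("cr1", "hostb", "ajones")] = "alice"
    db.attr_map[("cr1", "hostb", "uid", 2005)] = 1001
    return db

if __name__ == "__main__":
    db = sample_db()
    print(local_identity(db, "cr1", "hostb", "ajones"))  # alice, uid 1001, gid 100
    print(local_identity(db, "cr1", "hostb", "bob"))     # None: no login map entry
```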

NOTE: The administrator of user-controlled mapping databases must be in group sys.

You administer the ID mapping database using the ID mapping commands.

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004