Recent versions of pam-nss-ldapd implement very flexible attribute mapping. The two most common mappings used to override values stored in the directory supply alternate gidNumber and homeDirectory values. Example mappings are below.
GIDnumber Mapping
For all Stanford accounts the gidNumber is set to 37. When using AFS this causes no problems, because AFS implements its own rich set of ACLs to control access to directories and ignores the gidNumber entirely. It can cause problems on systems where gidNumber is meaningful, since every user then shares the same primary group. A simple way around the problem is a mapping that uses the uidNumber value for both the uidNumber and the gidNumber:
map passwd gidNumber uidNumber
The one caveat with this approach is that a user's mapped gidNumber may collide with a globally assigned gidNumber that is tied to a Workgroup. The workaround for this rare situation is an appropriate LDAP filter (the filter group directive in nslcd.conf) that hides the offending Workgroup gidNumber from the client system.
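The collision is easy to audit for before the mapping is rolled out. The following is an added example, not code from the original page or from the nss-pam-ldapd project: it checks constructed posixAccount and posixGroup data (all names and numbers are invented) for uidNumbers that would collide with an existing gidNumber once gidNumber is mapped to uidNumber, and builds the filter group expression that hides the offending groups.

```python
# Added example (not part of the original page or of nss-pam-ldapd):
# audit directory data for the collision described above, i.e. a user's
# uidNumber (which becomes its gidNumber under
# "map passwd gidNumber uidNumber") that equals the gidNumber of an
# existing group, and emit the LDAP filter that hides such groups.
from typing import Dict, List, Tuple

# Constructed sample data standing in for the uid/uidNumber of
# posixAccount entries and the cn/gidNumber of posixGroup entries.
# Every value here is invented for the example.
USERS: Dict[str, int] = {
    "alice": 12001,
    "bob": 12002,
    "carol": 20500,   # collides with the "webteam" workgroup below
}

GROUPS: Dict[str, int] = {
    "stanford": 37,   # the shared gidNumber every account carries
    "webteam": 20500,
    "dbadmins": 31000,
}


def find_gid_collisions(users: Dict[str, int],
                        groups: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Return (uid, group cn, number) for every user whose uidNumber,
    once mapped to gidNumber, equals the gidNumber of an existing group."""
    by_gid: Dict[int, List[str]] = {}
    for cn, gid in groups.items():
        by_gid.setdefault(gid, []).append(cn)
    hits: List[Tuple[str, str, int]] = []
    for uid, uidnum in sorted(users.items()):
        for cn in sorted(by_gid.get(uidnum, [])):
            hits.append((uid, cn, uidnum))
    return hits


def group_filter_excluding(gids: List[int]) -> str:
    """Build a filter for nslcd's 'filter group' directive that keeps
    posixGroup entries but hides the listed gidNumbers."""
    unique = sorted(set(gids))
    if not unique:
        return "(objectClass=posixGroup)"
    if len(unique) == 1:
        excl = f"(gidNumber={unique[0]})"
    else:
        excl = "(|" + "".join(f"(gidNumber={g})" for g in unique) + ")"
    return f"(&(objectClass=posixGroup)(!{excl}))"


def audit(users: Dict[str, int], groups: Dict[str, int]) -> str:
    """Report collisions and the nslcd.conf line that works around them."""
    hits = find_gid_collisions(users, groups)
    for uid, cn, num in hits:
        print(f"collision: uidNumber {num} of {uid} == gidNumber of group {cn}")
    line = "filter group " + group_filter_excluding([num for _, _, num in hits])
    print(line)
    return line


if __name__ == "__main__":
    audit(USERS, GROUPS)
```

On a live client the same check can be run over `getent passwd` and `getent group` output, or over an LDAP search of the Workgroup subtree, before switching the mapping on.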
Local Home Directories
To use local home directories two things must be done. First, the ACL on the directory server that grants the client access to posixAccount entries must not include the homeDirectory attribute. This is because the mapping below only supplies a default when the attribute is absent from the entry: if the directory returns a homeDirectory value, nslcd uses that value as-is. Second, a map needs to be added to the nslcd.conf file. The following should be sufficient:
map passwd homeDirectory "${homeDirectory:-/home/$uid}"
Note that with a creative use of ACLs it should be possible to support a mix of AFS and local home directories. The same trick can be played with other attributes, for example the login shell.
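To make the ACL requirement concrete, here is an added example, not code from the original page or from nss-pam-ldapd: a deliberately simplified re-implementation of the `$attr`, `${attr}` and `${attr:-default}` substitution that nslcd applies to a map expression (the `${attr:+value}` form and nested braces are not handled). It is run against two constructed entries for the same account, one where the directory still returns homeDirectory and one where the ACL hides it, and against a loginShell mapping of the same shape. The AFS path and account values are invented.

```python
# Added example (not part of the original page or of nss-pam-ldapd):
# a minimal evaluator for nslcd-style map expressions, used to show why
# the directory must not return homeDirectory for the /home/$uid
# fallback to take effect. Only $attr, ${attr} and ${attr:-default}
# are implemented; this is not nslcd's own expression code.
import re
from typing import Dict, Optional

# ${name}, ${name:-default} or $name
EXPR_RE = re.compile(r"\$\{(\w+)(?::-([^}]*))?\}|\$(\w+)")


def expand(expr: str, entry: Dict[str, str]) -> Optional[str]:
    """Expand one map expression against one LDAP entry.

    An attribute reference substitutes the entry's value when present and
    non-empty. ${attr:-default} falls back to the (itself expanded)
    default otherwise. Returns None when a reference without a default
    hits a missing attribute, standing in for a lookup with no usable
    value."""
    missing = False

    def repl(m: "re.Match[str]") -> str:
        nonlocal missing
        name = m.group(1) or m.group(3)
        default = m.group(2)
        value = entry.get(name)
        if value:
            return value
        if default is not None:
            inner = expand(default, entry)
            if inner is None:
                missing = True
                return ""
            return inner
        missing = True
        return ""

    out = EXPR_RE.sub(repl, expr)
    return None if missing else out


# The mapping from the page, plus the login-shell variant it mentions.
HOME_MAP = "${homeDirectory:-/home/$uid}"
SHELL_MAP = "${loginShell:-/bin/bash}"

# Constructed entries. AFS_ENTRY is what the client sees while the
# directory ACL still exposes homeDirectory; LOCAL_ENTRY is the same
# account with homeDirectory hidden by the ACL. Paths are invented.
AFS_ENTRY = {
    "uid": "alice",
    "uidNumber": "12001",
    "homeDirectory": "/afs/example.edu/users/alice",
}
LOCAL_ENTRY = {"uid": "alice", "uidNumber": "12001"}


def home_for(entry: Dict[str, str]) -> Optional[str]:
    return expand(HOME_MAP, entry)


def shell_for(entry: Dict[str, str]) -> Optional[str]:
    return expand(SHELL_MAP, entry)


if __name__ == "__main__":
    # With homeDirectory visible the AFS path wins; hidden, the local
    # default applies. The map line alone does not force a local home.
    print("ACL exposes homeDirectory :", home_for(AFS_ENTRY))
    print("ACL hides homeDirectory   :", home_for(LOCAL_ENTRY))
    print("loginShell missing        :", shell_for(LOCAL_ENTRY))
```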
When not using AFS the PAM configuration is a bit different from the one shown above in that it does not include the AFS bits. Here is an example of a working configuration:
#/etc/pam.d/common-account
account sufficient pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
account required pam_krb5.so

#/etc/pam.d/common-auth
auth sufficient pam_unix.so try_first_pass nullok_secure
auth [success=ok default=die] pam_krb5.so use_first_pass forwardable

#/etc/pam.d/common-session
session optional pam_krb5.so
session required pam_unix.so