The following examples combine the username formats with operators to form rules. Several of the rules include an option to specify how OneFS processes the rule. Here is an example that replaces the identity of the jane account from Active Directory with the identity of the jane account from LDAP. The break option forces OneFS to stop applying rules and to generate the token at the point of the break:
CORP\jane => jane [break]
The following rule uses wildcards to join users from the DESKTOP domain with UNIX users who have the same name in LDAP, NIS, or the local provider:
DESKTOP\* &= * [break]
Here is a rule that tightly restricts access by removing the identities of everybody other than those permitted by preceding rules:
*\* => ""
The following rule maps the administrator account from any Active Directory domain to the nobody account on OneFS. The rule exemplifies how to turn a powerful account into an innocuous account.
*\Administrator => nobody
You specify an option in square brackets, as some of the following examples demonstrate. The square brackets can include a comma-separated list of options. If you include the square brackets without listing an option, the mapping service processes the rule but applies no options.
The following command sets an insert rule that includes the group option. If you have already set a rule, however, this command replaces it:
isi zone zones modify System --user-mapping-rules="YORK\\user_9449 ++ lduser_010 [group]"
The following command adds an insert rule that includes the user option. Using this form of the command preserves an existing rule instead of replacing it:
isi zone zones modify System --add-user-mapping-rules="YORK\\user_9449 ++ lduser_010 [user]"
The following command adds an insert rule that includes the groups option:
isi zone zones modify System --add-user-mapping-rules="YORK\\user_9449 ++ lduser_010 [groups]"
The following command adds an insert rule that includes all the options that work with the insert operator:
isi zone zones modify System --add-user-mapping-rules="YORK\\user_9449 ++ lduser_010 [user,group,groups,default_user=nobody,break]"
You specify the default user as in the following example:
isi zone zones modify System --add-user-mapping-rules="*\jane += janey [default_user=nobody]"
The syntax for specifying the default UNIX user differs from that of the default user. You must set the default UNIX user in angle brackets, as the failure of the following command shows:
isi zone zones modify System --add-user-mapping-rules="default_unix_user=lduser_011"
Rules parsing failed at '=': syntax error, unexpected '=', expecting BINARY_OP or UNARY_OP
After placing the default UNIX user in brackets, the second attempt at running the command succeeds:
isi zone zones modify System --add-user-mapping-rules="<default_unix_user=lduser_011>"
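The rule grammar used in the examples above (a DOMAIN\user or wildcard source, one of the operators =>, &=, ++ or +=, a target identity or "" for no identity, an optional comma-separated option list in square brackets, and the default UNIX user in angle brackets) can be checked locally before a rule is handed to isi, so that a typo is caught before it lands in the zone's rule set. The parser below is an added example and is not OneFS code or Dell tooling: it accepts the rule forms shown on this page, rejects a bare default_unix_user= the way the failing command above does, and splits the comma-separated list that isi zone zones view prints. The operator labels (replace, join, insert, append) are descriptive names chosen here, and the recognised option set is limited to the options that appear in the examples; both are assumptions about how the real mapping service names things.

```python
import re
from dataclasses import dataclass, field

# Descriptive labels for the operators seen on this page (assumption: the
# mapping service's own names for these operators may differ).
BINARY_OPS = {"=>": "replace", "&=": "join", "++": "insert", "+=": "append"}

# Only the options that appear in this page's examples are accepted.
FLAG_OPTIONS = {"user", "group", "groups", "break"}
VALUE_OPTIONS = {"default_user"}


class RuleSyntaxError(ValueError):
    """Raised when a rule does not match the grammar shown on the page."""


@dataclass
class Rule:
    source: str
    operator: str
    target: str                     # "" means "no identity", as in *\* => ""
    options: dict = field(default_factory=dict)


@dataclass
class DefaultUnixUser:
    name: str                       # from <default_unix_user=NAME>


RULE_RE = re.compile(
    r'^\s*(?P<src>"[^"]*"|[^\s\[\]<>=&+]+)'   # DOMAIN\user, *\*, * or a quoted name
    r'\s*(?P<op>=>|&=|\+\+|\+=)'              # operator
    r'\s*(?P<dst>"[^"]*"|[^\s\[\]<>]+)'       # target identity
    r'(?:\s*\[(?P<opts>[^\]]*)\])?\s*$'       # optional [opt,opt=value,...]
)
DEFAULT_UNIX_RE = re.compile(r'^\s*<default_unix_user=(?P<name>[^>\s]+)>\s*$')


def parse_options(text):
    """Turn 'user,default_user=nobody,break' into a dict; '[]' gives {}."""
    opts = {}
    if not text or not text.strip():
        return opts
    for item in text.split(","):
        item = item.strip()
        if "=" in item:
            key, _, value = item.partition("=")
            if key not in VALUE_OPTIONS or not value:
                raise RuleSyntaxError(f"unknown or incomplete option {item!r}")
            opts[key] = value
        elif item in FLAG_OPTIONS:
            opts[item] = True
        else:
            raise RuleSyntaxError(f"unknown option {item!r}")
    return opts


def parse_rule(text):
    """Parse one rule or a <default_unix_user=...> entry."""
    m = DEFAULT_UNIX_RE.match(text)
    if m:
        return DefaultUnixUser(m.group("name"))
    if text.strip().startswith("default_unix_user="):
        # Same mistake as the failing isi command above: no angle brackets.
        raise RuleSyntaxError(
            "default_unix_user must be written in angle brackets: <default_unix_user=NAME>")
    m = RULE_RE.match(text)
    if not m:
        raise RuleSyntaxError(f"cannot parse rule: {text!r}")
    dst = m.group("dst")
    if len(dst) >= 2 and dst[0] == dst[-1] == '"':
        dst = dst[1:-1]            # "" -> empty target, i.e. strip the identity
    return Rule(m.group("src"), m.group("op"), dst, parse_options(m.group("opts")))


def split_rules(text):
    """Split on commas that are outside [...] and <...> (option lists contain commas)."""
    parts, cur, in_brackets, in_angle = [], [], False, False
    for ch in text:
        if ch == "[":
            in_brackets = True
        elif ch == "]":
            in_brackets = False
        elif ch == "<":
            in_angle = True
        elif ch == ">" and in_angle:   # the '>' of '=>' is not a closing bracket
            in_angle = False
        if ch == "," and not in_brackets and not in_angle:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_rules(text):
    """Parse the 'User Mapping Rules:' value printed by isi zone zones view."""
    return [parse_rule(part) for part in split_rules(text)]


# The rule list from the 'isi zone zones view System' output on this page.
VIEW_OUTPUT_RULES = (
    r'*\Administrator => nobody [], *\johnd => *\jdoe [], IT\* &= EX_CLUSTER\* [], '
    r'YORK\user_9440 => lduser_010 [default_user=nobody], '
    r'*\jane += janey [default_user=nobody], <default_unix_user=lduser_011>'
)

if __name__ == "__main__":
    for entry in parse_rules(VIEW_OUTPUT_RULES):
        if isinstance(entry, Rule):
            print(f"{BINARY_OPS[entry.operator]:8} {entry.source!r:22} -> {entry.target!r:12} {entry.options}")
        else:
            print(f"default UNIX user for the rules above: {entry.name}")
```

Running the module parses the six entries from the view output above; feeding it the bare default_unix_user=lduser_011 string raises RuleSyntaxError with a hint to use angle brackets, which is the check worth running before a rule reaches the cluster.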
You can now view the rules for the zone to see the default user for the rule that maps jane to janey and to see the default UNIX user that applies to all the rules up to that point in the series of rules:
isi zone zones view System
Name: System
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: -
Local Provider: Yes
NetBIOS Name: All
SMB Shares: Yes
All Auth Providers: Yes
User Mapping Rules: *\Administrator => nobody [], *\johnd => *\jdoe [], IT\* &= EX_CLUSTER\* [], YORK\user_9440 => lduser_010 [default_user=nobody], *\jane += janey [default_user=nobody], <default_unix_user=lduser_011>
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 1