<div dir="ltr"><div><div><div>Thanks Alex,<br><br></div>Does it also means that I'll have to install the FreeIPA server with --enable-compat ? I didn't do that. <br><br></div>Regards,<br><br></div>Hanoz<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span><b><span style="font-size:9.5pt;font-family:"times new roman","serif""><span style="color:rgb(255,0,0)"><img src="https://docs.google.com/a/atomiccartoons.com/uc?id=0BzG4iWi2gPgKc2FvTEJfQVN5VTQ&export=download" height="27" width="200"><br><span style="font-family:arial,helvetica,sans-serif"><font size="2">Hanoz Elavia</font></span></span><span style="font-family:arial,helvetica,sans-serif"><font size="2"><span style="color:rgb(95,95,95)"> </span><span style="color:rgb(64,64,64)">|</span></font></span></span></b><span style="font-family:arial,helvetica,sans-serif"><font size="2"><span style="color:rgb(64,64,64)"> IT Manager <br></span><b><span style="color:rgb(64,64,64)">O:</span></b><span style="color:rgb(64,64,64)"> <a href="tel:604-734-2866" value="+16047342866" target="_blank">604-734-2866</a> </span><span style="color:black"><b>|</b> </span><span style="color:black"><u><span><span style="color:black"></span><a href="http://www.atomiccartoons.com" target="_blank">www.atomiccartoons.com</a></span></u><br>112 West 6<sup>th</sup> Ave, Vancouver, BC, Canada, V5Y1K6</span></font></span></span></div></div></div></div></div></div></div></div></div></div></div></div></div> <br><div class="gmail_quote">On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On ke, 22 helmi 2017, Hanoz Elavia wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hey Alex,<br> <br> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in<br> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't<br> enabled that mainly because SSSD now maps the IDs. Also, in the newer<br> version of the Windows Server, SFU seems to have been discontinued.<br> </blockquote></span> I think you are confused by the names. What Compat tree provides is an<br> interface on IPA side to look up identities of AD users and groups over<br> LDAP. Compat tree will do lookup through SSSD on your behalf. This means<br> we don't depend on how Windows side provides or does not provide attributes.<br> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,<br> generated by SSSD, or stored in ID overrides in IPA.<br> <br> But the query format is the one described in RFC 2307 because this is<br> what all nss implementations like nss_ldap or similar ones use in<br> UNIX-like environments. Windows Server is merely implementing the same<br> LDAP schema to allow interoperability with the same clients. Think of<br> Compat Tree in IPA as doing the same, just dynamically.<span class="HOEnZb"><font color="#888888"><br> <br> <br> -- <br> / Alexander Bokovoy<br> </font></span></blockquote></div><br></div>