<html><body><div style="font-family: lucida console,sans-serif; font-size: 10pt; color: #000000"><div><style></style></div><div style="font-family: lucida console,sans-serif; font-size: 10pt; color: #000000">Hi Dan<br data-mce-bogus="1"></div><div style="font-family: lucida console,sans-serif; font-size: 10pt; color: #000000"><div></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div data-marker="__QUOTED_TEXT__"><div class="WordSection1"><p class="MsoNormal">With a one-way trust from FreeIPA 4.4 to Active Directory on WinServ2012r2, I am trying to use FreeIPA LDAP for user authentication.</p><p class="MsoNormal">Is that supposed to work?</p></div></div></blockquote>In the way you have described it, no. AD users/groups will not be in the FreeIPA LDAP. So attempting to authenticate a Windows user by pointing an LDAP client at a FreeIPA server will fail.<br><div><br></div><div>Installing the FreeIPA client on a Linux host and enrolling it in an IPA domain with a trust to an Active Directory domain will allow you to authenticate Windows users on the Linux host. This is done using SSSD, among other things.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Regards,<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>j<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div></div></div></div></body></html>