[Freeipa-users] AD Trust & LDAP Compat mode w/ RHEL5/AIX

Alexander Bokovoy abokovoy at redhat.com
Tue May 12 18:14:54 UTC 2015


On Tue, 12 May 2015, Gould, Joshua wrote:
>We’re using IPA Server 4.1.0-18. We have a trust between IPA and AD
>with SID mapping. In our setup, AD would be example.com and IPA would
>be say ipa.example.com.
>
>I’m having some issues configuring both RHEL5 and AIX to work with the
>compat tree. In both cases, kerberos works with IPA and AD users but
>LDAP only works with IPA users and not AD users.
>
>Should AD users be returned if I search uid=AD_user under
>cn=users,cn=compat,dc=ipa,dc=example,dc=com? Is this where my RHEL5 and
>AIX clients should be searching? I’m not getting any matches and I’ve
>verified that the compat plugin is enabled on our servers. I need a
>little more to go on as far as if I’m looking in the wrong sub-tree or
>going about this the wrong way.

Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
base of cn=compat,dc=ipa,dc=example,dc=com.

A simple ldapsearch needs to include a proper filter, like the ones SSSD
or nss_ldap use. slapi-nis is programmed to specifically respond to
their queries, not to any request over the compat tree.

If you want to check from the command line, use a filter like

 (&(uid=AD_user)(objectclass=posixaccount))


-- 
/ Alexander Bokovoy
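
The command-line check from the reply above, as an added shell example that is not part of the original message. It builds the posixAccount-qualified filter and compares it against a bare uid filter on the compat users subtree. The server URI, the anonymous simple bind and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: IPA_URI is a placeholder host; the compat tree is readable
# with an anonymous simple bind (-x); function names are hypothetical.

IPA_URI="${IPA_URI:-ldap://ipa-server.ipa.example.com}"
COMPAT_BASE="cn=users,cn=compat,dc=ipa,dc=example,dc=com"

# Escape the RFC 4515 special characters \ * ( ) in a filter value so a
# user name can never change the structure of the search filter.
# The backslash is escaped first so later escapes are not double-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter in the shape the reply recommends: uid plus objectclass=posixaccount.
compat_user_filter() {
    printf '(&(uid=%s)(objectclass=posixaccount))' "$(ldap_escape "$1")"
}

# Look one user up in the compat tree and show the POSIX attributes
# an nss_ldap or SSSD LDAP client would consume.
compat_user_lookup() {
    ldapsearch -x -LLL -H "$IPA_URI" -b "$COMPAT_BASE" \
        "$(compat_user_filter "$1")" \
        uid uidNumber gidNumber homeDirectory loginShell
}

# Run the bare uid filter and the qualified filter side by side and
# report how many entries each one returns.
compat_user_check() {
    for f in "(uid=$(ldap_escape "$1"))" "$(compat_user_filter "$1")"; do
        n=$(ldapsearch -x -LLL -H "$IPA_URI" -b "$COMPAT_BASE" "$f" dn \
                2>/dev/null | grep -c '^dn:' || true)
        printf '%s -> %s entries\n' "$f" "$n"
    done
}

# Usage (after sourcing this file):
#   compat_user_check AD_user
#   compat_user_lookup AD_user
```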



