[Freeipa-users] AD Trust & LDAP Compat mode w/ RHEL5/AIX
Dmitri Pal
dpal at redhat.com
Tue May 12 21:24:27 UTC 2015
On 05/12/2015 04:48 PM, Gould, Joshua wrote:
> Hopefully I'm missing something simple.
>
> For an IPA user:
> $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b
> dc=ipa,dc=example,dc=com
>
> This returns a match.
>
> For an AD user:
> $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b
> cn=compat,dc=ipa,dc=example,dc=com
>
> Does not return any matches.
>
> I verified that all my IPA servers have the compatibility plugin enabled.
>
> # ipa-compat-manage status
> Directory Manager password:
>
> Plugin Enabled
> #
Can you log into a server as an IPA user and then su to an AD user with
authentication?
If that works, it means that the trust is actually working. I would start
with confirming that part.
If we know that the trust is actually working we can move to debugging
the compat-plugin. If it is not working we would know why nothing is
showing up in the tree.
Looking at the SSSD trace on the IPA server that corresponds to the time when
you run the LDAP search might shed some light on what is going on.
>
> On 5/12/15, 2:14 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
>> base cn=compat,dc=ipa,dc=example,dc=com.
>>
>> Simple ldapsearch needs to include proper filter, like what SSSD or
>> nss_ldap are using. slapi-nis is programmed to specifically respond to
>> their queries, not to any request over compat tree.
>>
>> If you want to check from the command line, use a filter like
>>
>> (&(uid=AD_user)(objectclass=posixaccount))
>>
>>
>> --
>> / Alexander Bokovoy
> [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc
> =edu]
>
>
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.