[Freeipa-users] AD Trust & LDAP Compat mode w/ RHEL5/AIX

Dmitri Pal dpal at redhat.com
Wed May 13 14:13:31 UTC 2015


On 05/13/2015 09:24 AM, Gould, Joshua wrote:
> I have default_domain_suffix = example.com in my [sssd] section of
> sssd.conf. On RHEL6/7 systems, I’m able to login or issue any other
> command without the suffix. Is it safe to assume it works the same in
> RHEL5? I also tried with domain in all lower case and all upper case as
> well.
I think you have to use fully qualified names with legacy versions
against compat tree.
Can you try a FQ name from RHEL5?
>
> On 5/13/15, 9:16 AM, "Martin Kosek" <mkosek at redhat.com> wrote:
>
>> On 05/12/2015 10:48 PM, Gould, Joshua wrote:
>>> Hopefully I'm missing something simple.
>>>
>>> For an IPA user:
>>> $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b
>>> dc=ipa,dc=example,dc=com
>>>
>>> This returns a match.
>>>
>>> For an AD user:
>>> $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b
>>> cn=compat,dc=ipa,dc=example,dc=com
>>>
>>> Does not return any matches.
>>>
>>> I verified that all my IPA servers have the compatibility plugin
>>> enabled.
>>>
>>> # ipa-compat-manage status
>>> Directory Manager password:
>>>
>>> Plugin Enabled
>>> #
>> I may be asking the obvious, but "ad_user" is fully qualified, right? I.e.
>> aduser@my.ad.domain.test?
>>
>> Testing the log in on the server system as Dmitri advised is also a good
>> test to make.
>>
>>>
>>> On 5/12/15, 2:14 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>>>
>>>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
>>>> base cn=compat,dc=ipa,dc=example,dc=com.
>>>>
>>>> Simple ldapsearch needs to include proper filter, like what SSSD or
>>>> nss_ldap are using. slapi-nis is programmed to specifically respond to
>>>> their queries, not to any request over compat tree.
>>>>
>>>> If you want to check from the command line, use a filter like
>>>>
>>>> (&(uid=AD_user)(objectclass=posixaccount))
>>>>
>>>>
>>>> -- 
>>>> / Alexander Bokovoy
>>>
>>> [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]
>>>
>>>
>


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
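
A sketch of the legacy-client setup discussed in this thread (an LDAP-provider SSSD domain on RHEL5 pointed at the compat tree), added here as an example and not taken from any poster's configuration. The server name and CA path are placeholders, and the re_expression line is an assumption about how to make an old SSSD pass a fully qualified AD name through as one user name.

```ini
# /etc/sssd/sssd.conf on the RHEL5 client (constructed example)
[sssd]
config_file_version = 2
services = nss, pam
domains = default
# Assumption: treat the whole login string as the user name, so
# "aduser@my.ad.domain.test" is looked up verbatim and not split at "@".
re_expression = (?P<name>.+)

[domain/default]
id_provider = ldap
auth_provider = ldap
# Placeholder host; point this at an IPA server with the compat plugin enabled.
ldap_uri = ldap://ipa-server.ipa.example.com
# Compat tree base from the thread.
ldap_search_base = cn=compat,dc=ipa,dc=example,dc=com
# Placeholder path to the IPA CA certificate. SSSD refuses to perform
# LDAP authentication over an unencrypted connection, so TLS must validate.
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
cache_credentials = True
```

With this in place, `getent passwd aduser@my.ad.domain.test` on the client is a quick check that the fully qualified name resolves through the compat tree.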



