[Freeipa-users] Oracle Linux 5.5 - Legacy Question

Alexander Bokovoy abokovoy at redhat.com
Tue Nov 24 13:57:48 UTC 2015


On Tue, 24 Nov 2015, Jeffrey Stormshak wrote:
>I went to review the ‘ip_provider’ and that looks like a ‘sssd.conf’
>setting.  The sssd RPM isn’t located on the 5.5 clients; nor is it in
>the YUM Channels for 5.5 base and 5.5 patch.  So is the recommendation
>here to find any 5.X version of sssd RPM and use that for this
>configuration?  Sorry, being a newbie on this product realistically
>isn’t helping here I’m sure …
>
>The ipa-advise, is that part of the ipa-client RPM?  That, too, doesn’t
>exist on the 5.5 distribution.  Even the version required to
>fix the openssl only worked with the 5.7 base version.  Am I completely
>doomed for 5.5?  Cards are stacked for sure.  Nonetheless …
ipa-advise is a tool on the IPA server that provides recipes for how to
configure different clients for typical scenarios involving trust to
AD.

Read the manual for the tool to get more information.

For legacy clients where there is no recent enough SSSD to support trust
to AD natively, ipa-advise recommends using the schema compatibility plugin
to expose both IPA and AD users under the same LDAP tree. This is what you
see in cn=users,cn=compat,dc=example,dc=com. If you see cn=compat in the
LDAP base DN, you know you are looking into the compatibility tree.

The compatibility tree is handled by a special plugin which combines data
from the primary IPA tree (cn=accounts,dc=example,dc=com) and from SSSD
on the IPA server. It also exposes the ou=SUDOers subtree to allow the SUDO
application to work with sudo rules stored in IPA LDAP (they are not in
the same format as SUDO itself expects, thus the _compatibility_ subtree).

>I feel so close though…  Auth and Sudo works on 5.5 but something as
>simple as users changing passwords seems so simple to provide?
Finally, password changes are not supported in the cn=compat subtree. This
is simply not implemented by the schema compatibility plugin.

You haven't answered earlier when people asked whether you are using the
cn=compat tree because you need to get information about Active
Directory users or not. If you don't need integration with Active
Directory, change the LDAP base DN in your configuration to
cn=accounts,dc=example,dc=com, to point your clients to the primary IPA
subtree where all users and groups are available. That subtree is the
main one and we do support password changes for DNs in it.

-- 
/ Alexander Bokovoy
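As an added example (not from this thread, the FreeIPA project, or either poster): a small audit of a legacy client's nss_ldap/pam_ldap style ldap.conf that reports which base DNs point at the cn=compat tree, where password changes are not supported, rewrites the user/group bases to cn=accounts, and leaves sudoers_base alone because sudo rules are only served through the compat plugin. The key names (base, nss_base_passwd, nss_base_group, nss_base_shadow, sudoers_base) and the sample file are assumptions.

```python
"""Audit an nss_ldap/pam_ldap style ldap.conf for base DNs under the FreeIPA
compat tree (cn=compat), where password changes are unsupported, and produce
a copy that points user/group lookups at cn=accounts instead (added example)."""
# Keys that select where users and groups are looked up (assumption).
USER_GROUP_KEYS = {"base", "nss_base_passwd", "nss_base_group", "nss_base_shadow"}
# sudoers_base is served only by the compat plugin (ou=SUDOers): report, never rewrite.
SUDO_KEYS = {"sudoers_base"}

def split_rdns(dn):
    """'cn=users, cn=compat,dc=example,dc=com' -> ['cn=users', 'cn=compat', ...]"""
    return [p.strip() for p in dn.split(",") if p.strip()]

def is_compat(dn):
    return any(r.lower() == "cn=compat" for r in split_rdns(dn))

def to_accounts(dn):
    """Replace the cn=compat RDN with cn=accounts; other RDNs keep their case."""
    return ",".join("cn=accounts" if r.lower() == "cn=compat" else r
                    for r in split_rdns(dn))

def audit(text):
    """Return (findings, fixed_lines): [(key, dn, verdict)] per base-DN key,
    and the whole file with compat user/group bases moved to cn=accounts."""
    findings, fixed = [], []
    for raw in text.splitlines():
        key, _, value = raw.replace("\t", " ").strip().partition(" ")
        key = key.lower()
        # nss_base_* values may carry a '?scope' suffix; keep it apart from the DN
        dn, qmark, scope = value.strip().partition("?")
        if key.startswith("#") or key not in USER_GROUP_KEYS | SUDO_KEYS:
            fixed.append(raw)  # comments, uri, tls settings: untouched
        elif key in SUDO_KEYS:
            findings.append((key, dn, "served by compat plugin, keep"))
            fixed.append(raw)
        elif is_compat(dn):
            findings.append((key, dn, "compat tree: password change unsupported"))
            fixed.append(f"{key} {to_accounts(dn)}{qmark}{scope}")
        else:
            findings.append((key, dn, "primary tree: password change supported"))
            fixed.append(raw)
    return findings, fixed

# Constructed sample client config, not a real host's file.
SAMPLE = """\
uri ldap://ipa.example.com
base cn=compat,dc=example,dc=com
nss_base_passwd cn=users,cn=compat,dc=example,dc=com?one
nss_base_group cn=groups,cn=compat,dc=example,dc=com?one
sudoers_base ou=SUDOers,dc=example,dc=com"""
```

Running `audit(SAMPLE)` flags the three user/group bases as compat and returns a config with them moved to cn=accounts while sudoers_base is unchanged; if the client also needs AD users from the compat tree, the finding is a warning rather than a change to apply.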