[Freeipa-users] IPA-AD ldap acces - account ?
Jakub Hrozek
jhrozek at redhat.com
Wed Aug 17 14:03:50 UTC 2016
On Wed, Aug 17, 2016 at 03:49:32PM +0200, Jan Karásek wrote:
> Hi,
>
> please could somebody explain how and with which account IPA is accessing DC in IPA - AD trust scenario. Is it possible to simulate with ldapsearch some query to AD with the same permission as IPA server?
>
> We have some issues with reading ldap object from AD and I would like to simulate that from command line.
> Thanks,
> Jan
Identity lookups are performed by sssd running on the server. The
authentication depends on the trust type. With two-way trusts, you can just
use the system keytab. With one-way trusts, the keytab you'll want to use
to authenticate is stored at /var/lib/sss/keytabs/ and is named after the
forest. There should be a single principal there. You can authenticate with
that principal and run the same search manually. You should add -Y GSSAPI to
the ldapsearch line to make sure ldapsearch binds with GSSAPI. For example,
in my setup I use:
# ls /var/lib/sss/keytabs/
win.trust.test.keytab
# ls /var/lib/sss/keytabs/win.trust.test.keytab
/var/lib/sss/keytabs/win.trust.test.keytab
# klist -k /var/lib/sss/keytabs/win.trust.test.keytab
Keytab name: FILE:/var/lib/sss/keytabs/win.trust.test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 IPA$@WIN.TRUST.TEST
1 IPA$@WIN.TRUST.TEST
1 IPA$@WIN.TRUST.TEST
# kinit -kt /var/lib/sss/keytabs/win.trust.test.keytab 'IPA$@WIN.TRUST.TEST'
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: IPA$@WIN.TRUST.TEST
Valid starting Expires Service principal
08/12/2016 09:25:07 08/12/2016 19:25:07 krbtgt/WIN.TRUST.TEST@WIN.TRUST.TEST
renew until 08/13/2016 09:25:07
# ldapsearch -Y GSSAPI -H ldap://dc.win.trust.test -b CN=Administrator,CN=Users,DC=win,DC=trust,DC=test -s base tokengroups
SASL/GSSAPI authentication started
SASL username: IPA$@WIN.TRUST.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=Administrator,CN=Users,DC=win,DC=trust,DC=test> with scope baseObject
# filter: (objectclass=*)
# requesting: tokengroups
#
# Administrator, Users, win.trust.test
dn: CN=Administrator,CN=Users,DC=win,DC=trust,DC=test
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHTgQAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHPAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHBgIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHBwIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHCAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHMAwAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHAQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHAAIAAA==
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
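Added example, not part of the original thread: the tokenGroups values returned by the ldapsearch above are base64-encoded binary SIDs, and this script decodes them into the S-1-... form that sssd resolves internally, so the group membership sssd sees can be checked by hand. The sample LDIF is a constructed excerpt of the output above, and the RID-to-name labels are assumed from the well-known Windows RIDs.

```python
import base64
import struct

# Constructed sample: a few of the tokenGroups lines from the ldapsearch output above.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=win,DC=trust,DC=test
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHTgQAAA==
tokenGroups:: AQUAAAAAAAUVAAAA7MyrD9WWJf4D7yaHAAIAAA==
"""

# Assumed well-known names (standard Windows RIDs); purely for readability.
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 518: "Schema Admins",
               519: "Enterprise Admins", 520: "Group Policy Creator Owners"}


def sid_to_str(blob: bytes) -> str:
    """Convert a binary SID to its S-R-A-S1-S2-... string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    # 48-bit identifier authority is big-endian; sub-authorities are little-endian DWORDs.
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def parse_token_groups(ldif: str) -> list:
    """Decode every 'tokenGroups::' (base64) attribute line of an LDIF entry."""
    sids = []
    for line in ldif.splitlines():
        if line.startswith("tokenGroups:: "):
            sids.append(sid_to_str(base64.b64decode(line.split("::", 1)[1].strip())))
    return sids


def describe(sid: str) -> str:
    """Label a SID with a well-known group name where one is assumed, else mark it unknown."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    rid = int(sid.rsplit("-", 1)[1])
    if sid.startswith("S-1-5-21-") and rid in DOMAIN_RIDS:
        return DOMAIN_RIDS[rid]
    return "(not well-known)"


if __name__ == "__main__":
    for sid in parse_token_groups(SAMPLE_LDIF):
        print(sid, describe(sid))
```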