[Freeipa-users] it's a weird one - how AD users get into IPA ?

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 10 09:12:46 UTC 2016


On Fri, 10 Jun 2016, Jakub Hrozek wrote:
>On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>> hi everyone
>>
>> there is a master IPA which in some weird way puts AD users into its ldap
>> catalog. I say weird because there is no trust nor other sync established;
>> there was a trust agreement, one-way type, but now 'trust-find' shows
>> nothing, that trust was removed.
>>
>> but still, when I create a user @AD DS, a second later I see it in IPA's ldap,
>> e.g.
>>
>> dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>>
>> how to trace the culprit config responsible for this?
>
>Check the DN, this is not the IPA tree (cn=account), but the compat tree
>(cn=compat) populated by the slapi-nis plugin. The intent is to make the
>AD users available to non-SSSD clients that can only use LDAP as an
>interface.

Yes. If you enabled slapi-nis on the IPA master but didn't establish an actual
trust to AD and instead added an SSSD configuration to look up AD users
directly, then slapi-nis will happily ask SSSD for whatever users with @
in the name were requested by the LDAP clients, and SSSD would look them
up in AD.

Not sure how useful that is at all, but yes, this is a side-effect of
slapi-nis features.

-- 
/ Alexander Bokovoy
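A way to trace the three pieces that produce this behaviour (the entry living under cn=compat rather than cn=accounts, the slapi-nis map that falls back to NSS/SSSD via schema-compat-lookup-nsswitch, and the SSSD domain with id_provider = ad), added here as an example and not code from the thread or from FreeIPA itself. The base DN, the sssd.conf path and the embedded sample LDIF/sssd.conf are constructed assumptions; the live ldapsearch/ipa-compat-manage calls need to be run on the IPA master.

```shell
#!/bin/sh
# Added example, not from the thread. Pure helpers below work on stdin/args so
# they can be exercised offline; trace_live runs the real queries on a master.

# classify_dn DN: print which tree an entry belongs to.
classify_dn() {
    case "$1" in
        *,cn=compat,dc=*)   echo compat ;;    # slapi-nis view (cn=compat)
        *,cn=accounts,dc=*) echo accounts ;;  # real IPA tree (cn=accounts)
        *)                  echo other ;;
    esac
}

# uid_has_realm DN: succeed if the uid RDN carries a domain suffix (user@domain),
# which is what slapi-nis hands to SSSD for a lookup.
uid_has_realm() {
    rdn=${1%%,*}
    case "$rdn" in
        uid=*@*) return 0 ;;
        *)       return 1 ;;
    esac
}

# compat_nss_enabled: read an LDIF dump of the Schema Compatibility plugin
# config on stdin; succeed if any map has schema-compat-lookup-nsswitch set.
compat_nss_enabled() {
    grep -qi '^schema-compat-lookup-nsswitch:'
}

# sssd_ad_domains: read sssd.conf on stdin, print [domain/X] names using id_provider = ad.
sssd_ad_domains() {
    awk '
        /^\[domain\// { sec = substr($0, 9); i = index(sec, "]"); sec = substr(sec, 1, i - 1); next }
        /^\[/         { sec = ""; next }
        sec != "" && /^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*ad[[:space:]]*$/ { print sec }
    '
}

# trace_live BASEDN: the actual checks on an IPA master (assumed paths/base DN).
trace_live() {
    base=$1   # e.g. dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
    echo "== compat-tree users whose uid carries a domain =="
    ldapsearch -x -LLL -b "cn=users,cn=compat,$base" '(uid=*@*)' dn
    echo "== slapi-nis maps that fall back to NSS (i.e. SSSD) =="
    ldapsearch -LLL -D 'cn=Directory Manager' -W \
        -b 'cn=Schema Compatibility,cn=plugins,cn=config' \
        '(schema-compat-lookup-nsswitch=*)' dn schema-compat-lookup-nsswitch
    ipa-compat-manage status
    echo "== SSSD domains that talk to AD directly =="
    sssd_ad_domains < /etc/sssd/sssd.conf
}

# demo: constructed sample data modelled on the DN quoted in the thread.
demo() {
    dn='uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom'
    printf '%s\n  tree=%s external_uid=%s\n' "$dn" "$(classify_dn "$dn")" \
        "$(uid_has_realm "$dn" && echo yes || echo no)"
    printf 'dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config\nschema-compat-lookup-nsswitch: user\n' \
        | compat_nss_enabled && echo 'slapi-nis: users map falls back to NSS (SSSD)'
    printf '[sssd]\ndomains = ipa.example.test, ad.example.test\n[domain/ipa.example.test]\nid_provider = ipa\n[domain/ad.example.test]\nid_provider = ad\n' \
        | sssd_ad_domains | sed 's/^/sssd domain using id_provider=ad: /'
}

if [ "${1:-}" = "--live" ]; then
    trace_live "${2:?base DN required}"
else
    demo
fi
```

Run it as `sh trace-compat.sh --live dc=example,dc=test` on the master to see all three pieces together; if the compat users map reports schema-compat-lookup-nsswitch and sssd.conf lists an id_provider = ad domain, that pair is the "culprit config", with no trust involved.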
