[Freeipa-users] it's a weird one - how AD users get into IPA ?

lejeczek peljasz at yahoo.co.uk
Fri Jun 10 09:53:45 UTC 2016


On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > hi everyone
> > > 
> > > there is a master IPA which in some weird way puts AD users into its ldap
> > > catalog. I say weird because there is no trust nor any other sync established;
> > > there was a trust agreement, one-way type, but now 'trust-find' shows
> > > nothing, that trust was removed.
> > > 
> > > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > > eg.
> > > 
> > > dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > 
> > > how to trace the culprit config responsible for this?
> > 
> > Check the DN, this is not the IPA tree (cn=account), but the compat tree
> > (cn=compat) populated by the slapi-nis plugin. The intent is to make the
> > AD users available to non-SSSD clients that can only use LDAP as an
> > interface.
> 
> Yes. If you enabled slapi-nis on IPA master but didn't establish actual
> trust to AD and instead added an SSSD configuration to look up AD users
> directly, then slapi-nis will happily ask SSSD for whatever users with @
> in the name were requested by the LDAP clients and SSSD would look them
> up in AD.
> 
> Not sure how useful that is at all but yes, this is a side-effect of
> slapi-nis features.
> 
this is very freaking useful :) I was wondering how to get my RADIUS
there... and, oops, just like that, it was there, so thanks!
> -- 
> / Alexander Bokovoy
> 
> 
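The point Jakub and Alexander make above is that the DN itself says where an entry came from: cn=compat entries are synthesised by slapi-nis (and, for uids carrying an @REALM suffix, resolved on demand through SSSD), while only cn=accounts entries are really stored in IPA. The script below is an added example, not code from the thread or from the FreeIPA project: it unfolds an LDIF dump (LDIF continuation lines start with a single space, which is why the DN in the original mail was split at "dc=c / cnr"), splits each DN into RDNs with RFC 4514 backslash escaping honoured, and reports the tree and whether the uid looks like a trusted-domain user. The sample LDIF is constructed for the example; only the first DN is the one from the thread. Base64-encoded "dn::" lines are not handled.

```python
"""Classify IPA LDAP entries by tree (cn=compat vs cn=accounts) and flag
uids with an @REALM suffix. Added example; sample data is constructed."""

# Constructed sample: the first DN is the one from the thread, folded the way
# LDIF folds long lines (continuation line begins with one space).
SAMPLE_LDIF = """\
dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
 cnr,dc=aaa,dc=private,dc=dom
objectClass: posixAccount
uid: ccnrtest@ccnr.aaa.private.dom

dn: uid=admin,cn=users,cn=accounts,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
objectClass: posixAccount
uid: admin

dn: uid=admin,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
objectClass: posixAccount
uid: admin
"""


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def rdn_pairs(dn):
    """Return [(attribute, value), ...] with attribute names lower-cased."""
    pairs = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def classify(dn):
    """Which tree an entry lives in, and whether its uid carries an @REALM suffix."""
    pairs = rdn_pairs(dn)
    if ("cn", "compat") in pairs:
        tree = "compat"        # synthesised by slapi-nis, not stored in IPA
    elif ("cn", "accounts") in pairs:
        tree = "accounts"      # the real IPA user/group tree
    else:
        tree = "other"
    uid = next((v for a, v in pairs if a == "uid"), None)
    # A uid like user@realm is how slapi-nis/SSSD name users from another domain.
    external = bool(uid and "@" in uid)
    return {"tree": tree, "uid": uid, "external": external}


def parse_ldif_dns(text):
    """Return the DN of every entry, joining LDIF continuation lines first."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]   # fold continuation into previous line
        else:
            logical.append(raw)
    return [line[3:].strip() for line in logical if line.lower().startswith("dn:")]


def report(ldif_text):
    """Classify every entry in an LDIF dump."""
    return [dict(dn=dn, **classify(dn)) for dn in parse_ldif_dns(ldif_text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_LDIF):
        print(entry["tree"], entry["external"], entry["dn"])
```

To reproduce the same check on a live master, search the two trees separately, e.g. `ldapsearch -x -b "cn=compat,<base>" "(uid=*@*)" dn` against `ldapsearch -x -b "cn=accounts,<base>" "(uid=*@*)" dn`; an @-suffixed uid that shows up only under cn=compat is exactly the slapi-nis/SSSD side-effect described in the thread, and `ipa-compat-manage status` tells you whether the compat plugin is enabled at all.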