[Freeipa-users] it's a weird one - how AD users get into IPA ?

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 10 10:23:46 UTC 2016


On Fri, 10 Jun 2016, lejeczek wrote:
>On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
>> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>> > hi everyone
>> >
>> > there is a master IPA which in some weird way puts AD users into
>> > its ldap catalog. I say weird because there is no trust nor other
>> > sync established; there was a trust agreement, one way type, but
>> > now 'trust-find' shows nothing, that trust was removed.
>> >
>> > but still when I create a user @AD DS a second later I see it in
>> > IPA's ldap, e.g.
>> >
>> > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>> >
>> > how to trace the culprit config responsible for this?
>>
>> Check the DN, this is not the IPA tree (cn=account), but the compat
>> tree (cn=compat) populated by the slapi-nis plugin. The intent is to
>> make the AD users available to non-SSSD clients that can only use
>> LDAP as an interface.
>>
>any chance this plugin gets included without user/admin intention, e.g.
>during migrate-ds?
The slapi-nis plugin is enabled by default when IPA is installed because
the ou=sudoers tree is emulated by slapi-nis.

>is there an ipa toolkit for it, or do I have to go directly to ldap to
>de/activate plugin(s)?
See ipa-compat-manage.

-- 
/ Alexander Bokovoy
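The confusion in the thread comes from reading an entry under cn=compat as if it lived in the IPA account tree. The following is an added example, not part of the thread and not FreeIPA project code: it unfolds LDIF continuation lines (the quoted DN was folded onto a second line) and classifies each DN by subtree, marking the ones that are read-only views generated by slapi-nis (cn=compat and, as Alexander notes, ou=sudoers) rather than real objects under cn=accounts. The sample LDIF is constructed to mirror the shape of the quoted entry; the `@` in the uid stands in for the archive's " at " obfuscation, and the base DN is assumed.

```python
"""Added example: tell FreeIPA's real account tree apart from the slapi-nis
compat tree by inspecting an entry's DN. Constructed sample data; this is
not FreeIPA project code."""
from typing import List, Tuple


def unwrap_ldif(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines (lines starting with one space) back
    onto the preceding line, as LDIF folding (RFC 2849) requires."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, honouring backslash
    escapes so an escaped comma inside a value does not split the RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def classify_ipa_dn(dn: str) -> dict:
    """Report which IPA subtree a DN belongs to.

    'accounts' = cn=accounts: real IPA objects, what the ipa CLI manages
    'compat'   = cn=compat: read-only view generated by slapi-nis, where
                 trusted AD users are exposed to plain-LDAP clients
    'sudoers'  = ou=sudoers: also emulated by slapi-nis (per the thread)
    'other'    = anything else
    """
    pairs = parse_dn(dn)
    markers = {("cn", "accounts"), ("cn", "compat"), ("ou", "sudoers")}
    for idx, (attr, value) in enumerate(pairs):
        v = value.lower()
        if (attr, v) in markers:
            base = ",".join(f"{a}={val}" for a, val in pairs[idx + 1:])
            return {"subtree": v, "slapi_nis": v != "accounts", "base_dn": base}
    return {"subtree": "other", "slapi_nis": False, "base_dn": dn}


# Constructed LDIF mirroring the shape of the entry quoted in the thread
# (DN folded onto a continuation line). Not captured from a real server.
SAMPLE_LDIF = [
    "dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c",
    " cnr,dc=aaa,dc=private,dc=dom",
    "objectClass: posixAccount",
    "uid: ccnrtest@ccnr.aaa.private.dom",
]


def classify_ldif_entries(lines: List[str]) -> List[dict]:
    """Unfold LDIF and classify every 'dn:' line found."""
    results = []
    for line in unwrap_ldif(lines):
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            results.append({"dn": dn, **classify_ipa_dn(dn)})
    return results


if __name__ == "__main__":
    for entry in classify_ldif_entries(SAMPLE_LDIF):
        print(entry)
```

Run against an ldapsearch dump of the suspect entries, a `slapi_nis: True` result means the entry is a generated view, not something written into the directory, which is the answer the thread arrives at. On the server itself the authoritative check is the tool Alexander points to, `ipa-compat-manage status`; bear in mind his note that turning the plugin off also removes the emulated ou=sudoers tree that LDAP-only clients may rely on.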
