[Freeipa-users] it's a weird one - how AD users get into IPA ?

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 10 10:24:09 UTC 2016


On Fri, 10 Jun 2016, lejeczek wrote:
>On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
>> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
>> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>> > > hi everyone
>> > >
>> > > there is a master IPA which in some weird way puts AD users into
>> > > its ldap
>> > > catalog. I say weird cause there is no trust nor other sync
>> > > established,
>> > > there was a trust agreement, one way type, but now 'trust-find'
>> > > shows
>> > > nothing, that trust was removed.
>> > >
>> > > but still when I create a user @AD DS a second later I see it in
>> > > IPA's ldap,
>> > > eg.
>> > >
>> > > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>> > >
>> > > how to trace the culprit config responsible for this?
>> >
>> > Check the DN, this is not the IPA tree (cn=account), but the compat
>> > tree
>> > (cn=compat) populated by the slapi-nis plugin. The intent is to
>> > make the
>> > AD users available to non-SSSD clients that can only use LDAP as an
>> > interface.
>>
>> Yes. If you enabled slapi-nis on IPA master but didn't establish
>> actual
>> trust to AD and instead added an SSSD configuration to look up AD
>> users
>> directly, then slapi-nis will happily ask SSSD for whatever users
>> with @
>> in the name were requested by the LDAP clients and SSSD would look
>> them
>> up in AD.
>>
>> Not sure how useful that is at all but yes, this is a side-effect of
>> slapi-nis features.
>>
>this is very freaking useful :) I was wondering how to get my radius
>there... and, oops, just like that, it was there, so thanks!
There are no passwords in that tree.

-- 
/ Alexander Bokovoy
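The thread's practical advice is "check the DN": an entry under cn=compat is a slapi-nis view (which, as noted above, carries no passwords), not a user stored in cn=accounts, and a uid with an @DOMAIN suffix there is a remote AD user that slapi-nis resolved through SSSD. The following is an added example, not code from the thread or from the FreeIPA/slapi-nis projects: a small DN parser that classifies search results by tree and flags the @-suffixed uids. The sample DNs are constructed; the first mirrors the one in the original post with the archive's " at " written back as "@".

```python
"""Classify FreeIPA LDAP DNs: cn=accounts tree vs. slapi-nis cn=compat view.

Added example for the thread above; not FreeIPA project code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDN pairs, left to right.

    Honours RFC 4514 backslash escapes so an escaped comma inside a value
    (e.g. "cn=Doe\\, John") is not taken as an RDN separator. Multi-valued
    RDNs joined with '+' do not occur in the IPA trees and are not handled.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


@dataclass
class DnInfo:
    tree: str            # "accounts", "compat" or "other"
    uid: Optional[str]   # value of the leading uid= RDN, if the entry has one
    remote_user: bool    # uid carries an @DOMAIN suffix (AD user via SSSD)


def classify(dn: str) -> DnInfo:
    """Say which IPA tree a DN lives in and whether it names an @DOMAIN user."""
    pairs = split_dn(dn)
    lowered = [(a, v.lower()) for a, v in pairs]
    if ("cn", "compat") in lowered:
        tree = "compat"
    elif ("cn", "accounts") in lowered:
        tree = "accounts"
    else:
        tree = "other"
    uid = pairs[0][1] if pairs and pairs[0][0] == "uid" else None
    return DnInfo(tree, uid, uid is not None and "@" in uid)


def remote_compat_uids(dns: List[str]) -> List[str]:
    """Return the uids of compat-tree entries that refer to @DOMAIN (AD) users."""
    out = []
    for dn in dns:
        info = classify(dn)
        if info.tree == "compat" and info.remote_user:
            out.append(info.uid)
    return out


# Constructed sample: what a search over the IPA suffix might return.
SAMPLE_DNS = [
    "uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,"
    "dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom",
    "uid=alice,cn=users,cn=accounts,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom",
    "uid=alice,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        info = classify(dn)
        print(f"{info.tree:9} remote={info.remote_user!s:5} {info.uid}")
    print("AD users surfaced via compat:", remote_compat_uids(SAMPLE_DNS))
```

Feed it the `dn:` lines of an `ldapsearch` over the IPA suffix (or the DNs your RADIUS server logs when it binds or searches) to see at a glance which hits are genuine cn=accounts users and which are slapi-nis views of AD users resolved on demand through SSSD.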



