[Freeipa-users] AD trust with POSIX attributes
Jan Karásek
jan.karasek at elostech.cz
Tue Jun 21 11:55:54 UTC 2016
Hi all,
I have a question about IPA with an AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
I have set up the trust with these parameters:
ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
[root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
I have set these attributes in AD for user@EXAMPLE.TT:
- uidNumber - 10000
- homeDirectory - /home/user
- loginShell - /bin/bash
The trust itself works fine. I can do kinit with user@EXAMPLE.TT, I can run id and getent passwd user@example.tt, and I can use user@example.tt for ssh.
The problem is that I am not getting the uid from AD but from the idrange:
uid=1392001107(user@example.tt)
I have also tried to switch off ID mapping with ldap_id_mapping = true in sssd.conf, but no luck.
I know that it is probably better to use ID views for this, but in our case we need a centrally managed environment, where all user information is inserted into AD externally from the HR system - including POSIX attributes - and we need IPA to read it from AD.
So my questions are:
Is it possible to read a user's POSIX attributes directly from AD - namely the uid?
Which attributes can be stored in AD?
Am I doing something wrong?
My sssd.conf:
[domain/a.example.tt]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = a.example.tt
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.a.example.tt
chpass_provider = ipa
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_id_mapping = true
#subdomain_inherit = ldap_user_principal
#ldap_user_principal = nosuchattribute
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = a.example.tt
[nss]
debug_level = 5
homedir_substring = /home
enum_cache_timeout = 2
entry_negative_timeout = 2
[pam]
debug_level = 5
[sudo]
[autofs]
[ssh]
debug_level = 4
[pac]
debug_level = 4
[ifp]
Thanks,
Jan
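An added diagnostic, not part of Jan's post, that tells whether the uid SSSD returned for a trusted-domain user was derived from the ID range (range base + RID, the ipa-ad-trust behaviour) or taken from the uidNumber stored in AD (what an ipa-ad-trust-posix range should deliver). The idrange-show text is copied from the post; the user SID (domain SID plus RID 1107) is an assumption constructed from the observed uid.

```shell
#!/bin/sh
# Added diagnostic: classify where a trust user's uid came from. All sample input
# below is constructed; in practice feed it real `ipa idrange-show` output, the
# user's SID (e.g. from `ipa trust-show` / AD) and the uid printed by `id`.

# Constructed copy of the `ipa idrange-show EXAMPLE.TT_id_range` output from the post.
SAMPLE_IDRANGE='  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes'

# Pull the numeric fields out of idrange-show output read from stdin.
range_base() { sed -n 's/^[[:space:]]*First Posix ID of the range: *\([0-9][0-9]*\).*/\1/p'; }
range_size() { sed -n 's/^[[:space:]]*Number of IDs in the range: *\([0-9][0-9]*\).*/\1/p'; }
range_sid()  { sed -n 's/^[[:space:]]*Domain SID of the trusted domain: *\(S-[0-9-]*\).*/\1/p'; }

# The RID is the last dash-separated component of a user SID.
rid_of() { printf '%s\n' "${1##*-}"; }

# classify_uid BASE SIZE RID OBSERVED_UID AD_UIDNUMBER
#   posix-from-ad : observed uid equals AD's uidNumber (POSIX attributes honoured)
#   algorithmic   : observed uid == base + RID inside the range (ID mapping in effect)
#   unknown       : neither; check for an ID view, an override or a stale SSSD cache
classify_uid() {
    base=$1; size=$2; rid=$3; uid=$4; ad_uid=$5
    if [ "$uid" -eq "$ad_uid" ]; then
        echo posix-from-ad
    elif [ "$rid" -lt "$size" ] && [ "$uid" -eq $((base + rid)) ]; then
        echo algorithmic
    else
        echo unknown
    fi
}

# Worked case from the post: uidNumber 10000 set in AD, but `id` returned 1392001107.
# The user SID is constructed (domain SID + RID 1107); the RID is an assumption.
demo() {
    base=$(printf '%s\n' "$SAMPLE_IDRANGE" | range_base)
    size=$(printf '%s\n' "$SAMPLE_IDRANGE" | range_size)
    user_sid="$(printf '%s\n' "$SAMPLE_IDRANGE" | range_sid)-1107"
    classify_uid "$base" "$size" "$(rid_of "$user_sid")" 1392001107 10000
}

demo   # prints: algorithmic
```

A result of "algorithmic" for a range whose type says POSIX attributes means the lookup was served by ID mapping rather than by the uidNumber in AD, which is worth checking before changing the trust or the range.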