[Freeipa-users] ldapsearch for AD users

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 22 15:22:44 UTC 2017


On Wed, 22 Feb 2017, Hanoz Elavia wrote:
>Hey Alex,
>
>Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>enabled that mainly because SSSD now maps the IDs. Also, in the newer
>version of Windows Server, SFU seems to have been discontinued.

I think you are confused by the names. What the Compat tree provides is an
interface on the IPA side to look up identities of AD users and groups over
LDAP. The Compat tree will do the lookup through SSSD on your behalf. This means
we don't depend on how the Windows side provides or does not provide attributes.
Everything SSSD can resolve can be returned, be it stored in AD LDAP,
generated by SSSD, or stored in ID overrides in IPA.

But the query format is the one described in RFC 2307 because this is
what all nss implementations like nss_ldap or similar ones use in
UNIX-like environments. Windows Server is merely implementing the same
LDAP schema to allow interoperability with the same clients. Think of
Compat Tree in IPA as doing the same, just dynamically.


-- 
/ Alexander Bokovoy
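
The RFC 2307 query format described in the message above, sketched as an added example that is not part of the original post or of FreeIPA's code: it builds the posixAccount/posixGroup filters an nss_ldap-style client sends and the matching `ldapsearch` command line against the compat tree. The host `ipa.example.com`, suffix `dc=example,dc=com` and user `jdoe@ad.example.com` are constructed placeholders; the `cn=users,cn=compat` and `cn=groups,cn=compat` containers are assumed to be at their default location under the IPA suffix.

```python
import shlex

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied name so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def passwd_by_name(name: str) -> str:
    """getpwnam()-style lookup: RFC 2307 posixAccount by uid."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(name)}))"


def passwd_by_uid(uid_number: int) -> str:
    """getpwuid()-style lookup; int() rejects anything non-numeric."""
    return f"(&(objectClass=posixAccount)(uidNumber={int(uid_number)}))"


def groups_of_member(name: str) -> str:
    """Group membership lookup: RFC 2307 posixGroup by memberUid."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(name)}))"


def ldapsearch_argv(uri, suffix, container, ldap_filter, attrs):
    """Build the ldapsearch argument list for a compat-tree container."""
    base = f"cn={container},cn=compat,{suffix}"
    return ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", base, ldap_filter, *attrs]


if __name__ == "__main__":
    # Constructed placeholder values, not taken from the thread.
    uri, suffix = "ldap://ipa.example.com", "dc=example,dc=com"
    user = "jdoe@ad.example.com"
    for container, flt, attrs in [
        ("users", passwd_by_name(user), ["uid", "uidNumber", "gidNumber"]),
        ("groups", groups_of_member(user), ["cn", "gidNumber"]),
    ]:
        # shlex.join quotes the filter so the shell does not interpret ( ) & *.
        print(shlex.join(ldapsearch_argv(uri, suffix, container, flt, attrs)))
```

The attributes in the result come from whatever SSSD resolves for that user, as the message explains, so the same filter works whether or not the AD side stores POSIX attributes.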



