[Freeipa-users] ldapsearch for AD users

Jason B. Nance jason at tresgeek.net
Wed Feb 22 21:50:06 UTC 2017


> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
> where %s is ad_user at server.com according to your example.
> 
> This is what would be intercepted and queried through SSSD.
> 
> For example:
> 
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
> '(&(objectClass=posixAccount)(uid=user at ad.ipa.cool))'
> SASL/GSSAPI authentication started
> SASL username: admin at XS.IPA.COOL
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=user at ad.ipa.cool))
> # requesting: ALL
> #
> 
> # user at ad.ipa.cool, users, compat, xs.ipa.cool
> dn: uid=user at ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
> objectClass: ipaOverrideTarget
> objectClass: posixAccount
> objectClass: top
> cn: YO!
> gidNumber: 967001113
> gecos: YO!
> ipaAnchorUUID:: <some base64 value>
> uidNumber: 967001113
> loginShell: /bin/bash
> homeDirectory: /home/ad.ipa.cool/user
> uid: user at ad.ipa.cool
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1

I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage status" says "Plugin Enabled", but searches for AD users yield no results:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))' -W -x -D 'cn=Directory Manager'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


I'm currently logged into the machine with an AD account from a trust:

[jnance at lab.gen.zone@sl2aospljmp0001 ~]$ whoami
jnance at lab.gen.zone
[jnance at lab.gen.zone@sl2aospljmp0001 ~]$ id
uid=21104(jnance at lab.gen.zone) gid=21104(jnance at lab.gen.zone) groups=21104(jnance at lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain admins at lab.gen.zone),20513(domain users at lab.gen.zone),21112(lxusers at lab.gen.zone),21117(lab_admins at lab.gen.zone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


If I search for a user that is local to IPA it works:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
# requesting: ALL
#

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
cn: Jason Nance
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 10008
gecos: Jason Nance
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uidNumber: 10008
loginShell: /bin/bash
homeDirectory: /home/jnance-ipa
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for jnance at LAB.GEN.ZONE:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

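The three runs above (a hit for an IPA-native user, "result: 0 Success" with no entries for the AD user, and a GSSAPI bind rejected with code 49) are easy to mix up when eyeballing ldapsearch output. As an added example, not code from this thread or from FreeIPA, here is a small Python parser for that output that unfolds LDIF continuation lines, decodes `::` base64 values such as the folded `ipaAnchorUUID`, and classifies each run. The sample strings are the thread's own outputs, trimmed, with the archive's " at " rewriting of "@" reversed. One assumption that the thread does not state: the anchor formats `:IPA:<domain>:<uuid>` for IPA users and `:SID:<sid>` for trusted-AD users are the ID-view anchor forms as I know them.

```python
"""Parse ldapsearch output from the FreeIPA compat tree and classify the outcome.
Samples are copied from the thread (with "@" restored); no live directory is used."""
import base64
import re

FOUND_IPA_USER = """\
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
objectClass: posixAccount
objectClass: ipaOverrideTarget
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uidNumber: 10008
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numEntries: 1
"""

EMPTY_AD_LOOKUP = """\
# filter: (&(objectClass=posixAccount)(uid=jnance@lab.gen.zone))

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

GSSAPI_BIND_FAILED = """\
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldapsearch(output):
    """Return {'bind_error', 'result', 'entries'} for one ldapsearch run.
    Handles LDIF folding (leading space continues the previous line), '::'
    base64 values and '#' comments; the trailer after '# search result'
    carries the result code, not entry attributes."""
    lines = []
    for line in output.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # unfold a continuation line
        else:
            lines.append(line)
    state = {"bind_error": None, "result": None, "entries": []}
    entry, in_trailer = {}, False
    for line in lines:
        if line.startswith("ldap_") and "bind" in line.split(":", 1)[0]:
            state["bind_error"] = line.split(":", 1)[1].strip()
        elif line == "# search result":
            in_trailer = True
        elif not line.strip():
            if entry:
                state["entries"].append(entry)
                entry = {}
        elif line.startswith("#"):
            continue
        elif in_trailer:
            if line.startswith("result:"):
                state["result"] = line.split(":", 1)[1].strip()
        elif (m := ATTR_RE.match(line)):
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(name, []).append(value)
    if entry:
        state["entries"].append(entry)
    return state


def classify_anchor(anchor):
    """Split an ipaAnchorUUID. Assumed ID-view anchor forms: ':IPA:<domain>:<uuid>'
    for an IPA user, ':SID:<sid>' for a user from a trusted AD domain."""
    parts = anchor.split(":")
    if len(parts) == 4 and parts[1] == "IPA":
        return {"source": "ipa", "domain": parts[2], "uuid": parts[3]}
    if len(parts) == 3 and parts[1] == "SID":
        return {"source": "ad", "sid": parts[2]}
    return {"source": "unknown"}


def diagnose(output):
    """Map one ldapsearch run onto the outcomes seen in the thread."""
    parsed = parse_ldapsearch(output)
    if parsed["bind_error"]:
        return "bind-failed: " + parsed["bind_error"]
    if parsed["result"] is None:
        return "incomplete-output"
    if not parsed["result"].startswith("0 "):
        return "search-failed: " + parsed["result"]
    if not parsed["entries"]:
        # 'result: 0 Success' with no entries: bind and search both worked,
        # the compat tree simply returned nothing for that uid.
        return "success-no-entries"
    anchor = parsed["entries"][0].get("ipaAnchorUUID", [""])[0]
    return "found-" + classify_anchor(anchor)["source"]
```

`diagnose(EMPTY_AD_LOOKUP)` reports a successful search with no entries, which is a different problem from the rejected GSSAPI bind, and `diagnose(FOUND_IPA_USER)` decodes the folded anchor to `:IPA:ipa.lab.gen.zone:<uuid>`, showing the entry came from IPA's own user store. Under the same assumption, the `<some base64 value>` in the quoted AD-user entry would decode to a `:SID:` anchor, which is a quick way to confirm that a compat entry really was resolved through the trust rather than from a local override.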