[Freeipa-users] ldapsearch for AD users

Hanoz Elavia h.elavia at atomiccartoons.com
Wed Feb 22 22:07:02 UTC 2017


Hey Jason,

I realized I had made one more change. I set up the FreeIPA server again and
this time I added --enable-compat to my /usr/sbin/ipa-adtrust-install
command.

Yes, I cannot use GSSAPI either. I use a simple bind to run an LDAP query. On
IPA clients I don't need to authenticate as IPA takes care of that. Hope
this helps.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance <jason at tresgeek.net> wrote:

> > For example, for a user that would be (&(objectClass=posixAccount)(uid=%s))
> > where %s is ad_user@server.com according to your example.
> >
> > This is what would be intercepted and queried through SSSD.
> >
> > For example:
> >
> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '(&(objectClass=posixAccount)(uid=user@ad.ipa.cool))'
> > SASL/GSSAPI authentication started
> > SASL username: admin@XS.IPA.COOL
> > SASL SSF: 56
> > SASL data security layer installed.
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
> > # filter: (&(objectClass=posixAccount)(uid=user@ad.ipa.cool))
> > # requesting: ALL
> > #
> >
> > # user@ad.ipa.cool, users, compat, xs.ipa.cool
> > dn: uid=user@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
> > objectClass: ipaOverrideTarget
> > objectClass: posixAccount
> > objectClass: top
> > cn: YO!
> > gidNumber: 967001113
> > gecos: YO!
> > ipaAnchorUUID:: <some base64 value>
> > uidNumber: 967001113
> > loginShell: /bin/bash
> > homeDirectory: /home/ad.ipa.cool/user
> > uid: user@ad.ipa.cool
> >
> > # search result
> > search: 4
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
>
> I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
> status" says "Plugin Enabled", but searches for AD users yield no results:
>
> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance@lab.gen.zone))' -W -x -D 'cn=Directory Manager'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=jnance@lab.gen.zone))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
>
> I'm currently logged into the machine with an AD account from a trust:
>
> [jnance@lab.gen.zone@sl2aospljmp0001 ~]$ whoami
> jnance@lab.gen.zone
> [jnance@lab.gen.zone@sl2aospljmp0001 ~]$ id
> uid=21104(jnance@lab.gen.zone) gid=21104(jnance@lab.gen.zone) groups=21104(jnance@lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain admins@lab.gen.zone),20513(domain users@lab.gen.zone),21112(lxusers@lab.gen.zone),21117(lab_admins@lab.gen.zone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
>
> If I search for a user that is local to IPA it works:
>
> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
> # requesting: ALL
> #
>
> # jnance-ipa, users, compat, ipa.lab.gen.zone
> dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
> cn: Jason Nance
> objectClass: posixAccount
> objectClass: ipaOverrideTarget
> objectClass: top
> gidNumber: 10008
> gecos: Jason Nance
> ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LTAwNTA1NjkxMGE0NA==
> uidNumber: 10008
> loginShell: /bin/bash
> homeDirectory: /home/jnance-ipa
> uid: jnance-ipa
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> As a side note, I'm also not able to use GSSAPI auth as you did:
>
> $ kinit
> Password for jnance@LAB.GEN.ZONE:
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance@lab.gen.zone))'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
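The compat-tree searches in this thread return "result: 0 Success" whether or not the user was resolved, so the only signal is the numEntries counter and the entry itself; the ipaAnchorUUID attribute (":IPA:<domain>:<uuid>" for a native IPA user, ":SID:<sid>" for a trusted AD user) then shows which backend answered. The following added example, which is not code from the thread or from FreeIPA, parses ldapsearch's LDIF output, unfolds and base64-decodes the anchor, and reports whether a lookup succeeded and from which source; the domain example.test, the uid jdoe-ipa and the UUID are constructed values.

```python
import base64
import re
ATTR_RE = re.compile(r"^([\w;.-]+)(::?) ?(.*)$")  # "attr: value" or "attr:: base64"

def parse_ldif(text):
    """Parse ldapsearch LDIF output into (entries, meta); meta holds the trailer counters."""
    entries, current, meta = [], None, {}
    for line in text.replace("\n ", "").splitlines():  # unfold continuation lines first
        if line.startswith("# num"):                    # "# numEntries: 1"
            key, _, val = line[2:].partition(": ")
            meta[key] = int(val)
        elif line.startswith("#"):
            continue
        elif not line:                                  # a blank line closes an entry
            if current is not None:
                entries.append(current)
                current = None
        elif line.startswith("dn:") or current is not None:
            current = {} if line.startswith("dn:") else current
            attr, sep, value = ATTR_RE.match(line).groups()
            if sep == "::":                             # "::" marks a base64-encoded value
                value = base64.b64decode(value).decode()
            current.setdefault(attr, []).append(value)
        else:                                           # trailer: "search: 2", "result: 0 Success"
            meta[line.partition(": ")[0]] = line.partition(": ")[2]
    return entries, meta

def anchor_source(anchor):
    """':IPA:<domain>:<uuid>' anchors a native IPA user, ':SID:<sid>' a trusted AD user."""
    return {":IPA:": "ipa", ":SID:": "ad"}.get(anchor[:5], "unknown")

def check_compat_lookup(ldif_text, expected_uid):
    """Return (found, source); found is False when the search succeeds but returns no entry."""
    entries, meta = parse_ldif(ldif_text)
    hits = [e for e in entries if expected_uid in e.get("uid", [])]
    if meta.get("numEntries", 0) == 0 or not hits:
        return False, None
    return True, anchor_source(hits[0].get("ipaAnchorUUID", [""])[0])

# Constructed samples (not from the thread); SAMPLE_HIT folds its base64 anchor as ldapsearch does.
_B64 = base64.b64encode(b":IPA:example.test:d1c544b6-e9b9-11e6-b5c5-005056910a44").decode()
SAMPLE_HIT = (
    "# extended LDIF\n# filter: (&(objectClass=posixAccount)(uid=jdoe-ipa))\n#\n\n"
    "dn: uid=jdoe-ipa,cn=users,cn=compat,dc=example,dc=test\nobjectClass: posixAccount\n"
    "uidNumber: 10008\ngidNumber: 10008\nuid: jdoe-ipa\n"
    "ipaAnchorUUID:: " + _B64[:60] + "\n " + _B64[60:] + "\n\n"
    "# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 2\n# numEntries: 1\n")
# SAMPLE_MISS is the empty result seen when an AD user is not resolved through SSSD.
SAMPLE_MISS = ("# filter: (&(objectClass=posixAccount)(uid=jdoe@ad.example.test))\n#\n\n"
               "# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 1\n")
```

Run against real output by piping ldapsearch into parse_ldif; a (False, None) result for an AD user with a working trust points at SSSD resolution on the server rather than at the LDAP bind.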