[Freeipa-users] ldapsearch for AD users

Hanoz Elavia h.elavia at atomiccartoons.com
Wed Feb 22 22:08:35 UTC 2017


Hey Jason,

Also, my bind DN is a native FreeIPA user and doesn't exist on the Active
Directory.

Regards,

Hanoz


*Hanoz Elavia |*  IT Manager
*O:* 604-734-2866 *|*  *www.atomiccartoons.com
<http://www.atomiccartoons.com>*
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 2:07 PM, Hanoz Elavia <h.elavia at atomiccartoons.com>
wrote:

> Hey Jason,
>
> I realized I had made one more change. I set up the FreeIPA server again
> and this time I added the --enable-compat with my
> /usr/sbin/ipa-adtrust-install command.
>
> Yes, I cannot use GSSAPI either. I use simple bind to run an LDAP query.
> On IPA clients I don't need to authenticate as IPA takes care of that. Hope
> this helps.
>
> Regards,
>
> Hanoz
>
> On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance <jason at tresgeek.net>
> wrote:
>
>> > For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>> > where %s is ad_user at server.com according to your example.
>> >
>> > This is what would be intercepted and queried through SSSD.
>> >
>> > For example:
>> >
>> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>> > '(&(objectClass=posixAccount)(uid=user at ad.ipa.cool))'
>> > SASL/GSSAPI authentication started
>> > SASL username: admin at XS.IPA.COOL
>> > SASL SSF: 56
>> > SASL data security layer installed.
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
>> > # filter: (&(objectClass=posixAccount)(uid=user at ad.ipa.cool))
>> > # requesting: ALL
>> > #
>> >
>> > # user at ad.ipa.cool, users, compat, xs.ipa.cool
>> > dn: uid=user at ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
>> > objectClass: ipaOverrideTarget
>> > objectClass: posixAccount
>> > objectClass: top
>> > cn: YO!
>> > gidNumber: 967001113
>> > gecos: YO!
>> > ipaAnchorUUID:: <some base64 value>
>> > uidNumber: 967001113
>> > loginShell: /bin/bash
>> > homeDirectory: /home/ad.ipa.cool/user
>> > uid: user at ad.ipa.cool
>> >
>> > # search result
>> > search: 4
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>>
>> I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
>> status" says "Plugin Enabled", but searches for AD users yield no results:
>>
>> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))' -W -x -D
>> 'cn=Directory Manager'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
>> # filter: (&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>>
>> I'm currently logged into the machine with an AD account from a trust:
>>
>> [jnance at lab.gen.zone@sl2aospljmp0001 ~]$ whoami
>> jnance at lab.gen.zone
>> [jnance at lab.gen.zone@sl2aospljmp0001 ~]$ id
>> uid=21104(jnance at lab.gen.zone) gid=21104(jnance at lab.gen.zone) groups=21104(jnance at lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain admins at lab.gen.zone),20513(domain users at lab.gen.zone),21112(lxusers at lab.gen.zone),21117(lab_admins at lab.gen.zone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>>
>> If I search for a user that is local to IPA it works:
>>
>> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory
>> Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
>> # filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
>> # requesting: ALL
>> #
>>
>> # jnance-ipa, users, compat, ipa.lab.gen.zone
>> dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> cn: Jason Nance
>> objectClass: posixAccount
>> objectClass: ipaOverrideTarget
>> objectClass: top
>> gidNumber: 10008
>> gecos: Jason Nance
>> ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LTAwNTA1NjkxMGE0NA==
>> uidNumber: 10008
>> loginShell: /bin/bash
>> homeDirectory: /home/jnance-ipa
>> uid: jnance-ipa
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> As a side note, I'm also not able to use GSSAPI auth as you did:
>>
>> $ kinit
>> Password for jnance at LAB.GEN.ZONE:
>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
>
>
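The thread above substitutes a user name into the filter `(&(objectClass=posixAccount)(uid=%s))` and runs it against the compat tree with a simple bind. The following is an added example, not code from the thread or from the FreeIPA project: it escapes the user name per RFC 4515 before it is interpolated into the filter (so a value containing `*`, `(`, `)` or `\` cannot widen or break the search), builds the same search the thread runs, and reports how many entries came back, which is the difference between the working IPA-local lookup and the empty result for the AD user. The host, base DN and bind DN passed to `compat_search` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project):
# look up a user in the FreeIPA compat tree with an escaped filter and a
# simple bind, then count the returned entries.

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
# backslash, asterisk and parentheses become \5c, \2a, \28 and \29.
# Backslash is replaced first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Build the posixAccount filter for a name such as user@ad.ipa.cool
# (the "%s" in the thread), with the name escaped.
build_compat_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Count entries in ldapsearch LDIF output. ldapsearch prints
# "# numEntries: N" only when N > 0, so a missing line means zero entries,
# which is exactly what the compat search for the AD user returned above.
count_entries() {
    n=$(printf '%s\n' "$1" | sed -n 's/^# numEntries: \([0-9][0-9]*\)$/\1/p')
    printf '%s' "${n:-0}"
}

# Run the compat-tree search as in the thread: simple bind (-x), password
# prompt (-W), explicit LDAPS host (-H) and bind DN (-D).
# Usage: compat_search USER HOST BASE_DN BIND_DN   (host/DNs are placeholders)
#   compat_search 'user@ad.example.test' ipa.example.test \
#       'cn=compat,dc=example,dc=test' 'uid=binduser,cn=users,cn=accounts,dc=example,dc=test'
compat_search() {
    user="$1"; host="$2"; base="$3"; binddn="$4"
    ldapsearch -x -W -H "ldaps://$host" -D "$binddn" -b "$base" \
        "$(build_compat_filter "$user")"
}
```

`count_entries "$(compat_search ...)"` returning 0 for the AD user while the same call returns 1 for an IPA-native user reproduces the symptom in the thread: the compat plugin is enabled and the bind succeeds, but the server-side SSSD lookup that populates compat entries for trusted-domain users produces nothing.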