[Freeipa-users] ldapsearch for AD users

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 23 06:26:28 UTC 2017


On Wed, 22 Feb 2017, Jason B. Nance wrote:
>> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>> where %s is ad_user at server.com according to your example.
>>
>> This is what would be intercepted and queried through SSSD.
>>
>> For example:
>>
>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>> '(&(objectClass=posixAccount)(uid=user at ad.ipa.cool))'
>> SASL/GSSAPI authentication started
>> SASL username: admin at XS.IPA.COOL
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
>> # filter: (&(objectClass=posixAccount)(uid=user at ad.ipa.cool))
>> # requesting: ALL
>> #
>>
>> # user at ad.ipa.cool, users, compat, xs.ipa.cool
>> dn: uid=user at ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
>> objectClass: ipaOverrideTarget
>> objectClass: posixAccount
>> objectClass: top
>> cn: YO!
>> gidNumber: 967001113
>> gecos: YO!
>> ipaAnchorUUID:: <some base64 value>
>> uidNumber: 967001113
>> loginShell: /bin/bash
>> homeDirectory: /home/ad.ipa.cool/user
>> uid: user at ad.ipa.cool
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>
>I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
>status" says "Plugin Enabled", but searches for AD users yield no
>results:
Sorry, I forgot to mention yesterday that if you didn't use
'ipa-adtrust-install --enable-compat' then one thing is missing from the
compat tree configuration to allow resolution of AD users. Luckily, it
is a simple ldapadd that can fix it. You can use ipa-ldap-updater:


# cat 80-enable-compat-nsswitch.update
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
# ipa-ldap-updater ./80-enable-compat-nsswitch.update

and then restart 389-ds.

>As a side note, I'm also not able to use GSSAPI auth as you did:
>
>$ kinit
>Password for jnance at LAB.GEN.ZONE:
>$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))'
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Invalid credentials (49)
I used an IPA user, not an AD user, to bind with GSSAPI.

In FreeIPA 4.4 it should also work with an AD user, but only if the
user has an ID override entry, even an empty one:

# ipa idoverrideuser-add 'Default Trust View' administrator at ad.ipa.cool

and now administrator at ad.ipa.cool will be able to issue LDAP searches
against the IPA LDAP server from Linux machines. Note that ldp.exe will
still be unable to perform searches against IPA LDAP until
https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a
distribution.

-- 
/ Alexander Bokovoy
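Added example, not from the mail or from FreeIPA: a small Python check that parses the LDIF returned by a search of the Schema Compatibility plugin configuration and reports which compat container (users or groups) still lacks the schema-compat-lookup-nsswitch value that the 80-enable-compat-nsswitch.update file above adds. The sample LDIF is constructed and trimmed to the attributes the check needs; the parser also handles folded lines and "::" base64 values such as ipaAnchorUUID in the compat search output.

```python
import base64

# Constructed sample (not from the mail): a server where the groups container
# already has the nsswitch lookup but the users container does not. Only the
# attributes relevant to the check are shown.
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
cn: users

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
schema-compat-lookup-nsswitch: group
"""

# container DN -> value that 80-enable-compat-nsswitch.update adds
EXPECTED = {
    "cn=users,cn=Schema Compatibility,cn=plugins,cn=config": "user",
    "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config": "group",
}

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry.
    Handles '#' comments, folded lines (leading space) and 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def missing_nsswitch_lookups(ldif_text):
    """Return DNs of compat containers lacking the expected nsswitch lookup,
    i.e. where AD users/groups will not resolve through cn=compat."""
    found = {e["dn"][0]: e.get("schema-compat-lookup-nsswitch", [])
             for e in parse_ldif(ldif_text) if "dn" in e}
    return [dn for dn, want in EXPECTED.items() if want not in found.get(dn, [])]
```

Pass the text of a real ldapsearch of cn=Schema Compatibility,cn=plugins,cn=config (bound as an account permitted to read cn=config) to missing_nsswitch_lookups(); an empty list means both containers already carry the lookup.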