[Freeipa-users] ldapsearch for AD users

Hanoz Elavia h.elavia at atomiccartoons.com
Thu Feb 23 16:08:07 UTC 2017


Thanks Alexander,

I have rebuilt the server with compatibility and I can now query AD users.
I'll just have to confirm with Dell / EMC whether the Isilon can now handle
this.

Regards,

Hanoz


On Wed, Feb 22, 2017 at 10:26 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On ke, 22 helmi 2017, Jason B. Nance wrote:
>
>>> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>>> where %s is ad_user at server.com according to your example.
>>>
>>> This is what would be intercepted and queried through SSSD.
>>>
>>> For example:
>>>
>>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>>> '(&(objectClass=posixAccount)(uid=user at ad.ipa.cool))'
>>> SASL/GSSAPI authentication started
>>> SASL username: admin at XS.IPA.COOL
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
>>> # filter: (&(objectClass=posixAccount)(uid=user at ad.ipa.cool))
>>> # requesting: ALL
>>> #
>>>
>>> # user at ad.ipa.cool, users, compat, xs.ipa.cool
>>> dn: uid=user at ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
>>> objectClass: ipaOverrideTarget
>>> objectClass: posixAccount
>>> objectClass: top
>>> cn: YO!
>>> gidNumber: 967001113
>>> gecos: YO!
>>> ipaAnchorUUID:: <some base64 value>
>>> uidNumber: 967001113
>>> loginShell: /bin/bash
>>> homeDirectory: /home/ad.ipa.cool/user
>>> uid: user at ad.ipa.cool
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>
>> I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
>> status" says "Plugin Enabled", but searches for AD users yield no
>> results:
>>
> Sorry, I forgot to mention yesterday that if you didn't use
> 'ipa-adtrust-install --enable-compat' then one thing is missing from
> compat tree configuration to allow resolution of AD users. Luckily, it
> is a simple ldapadd that can fix it. You can use ipa-ldap-updater:
>
>
> # cat 80-enable-compat-nsswitch.update
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> add:schema-compat-lookup-nsswitch: user
>
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> add:schema-compat-lookup-nsswitch: group
> # ipa-ldap-updater ./80-enable-compat-nsswitch.update
>
> and then restart 389-ds.
>
>> As a side note, I'm also not able to use GSSAPI auth as you did:
>>
>> $ kinit
>> Password for jnance at LAB.GEN.ZONE:
>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jnance at lab.gen.zone))'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
> I used IPA user, not AD user to bind with GSSAPI.
>
> In FreeIPA 4.4 it should also work with AD user as well but only if the
> user has ID override entry, even empty one:
>
> # ipa idoverrideuser-add 'Default Trust View' administrator at ad.ipa.cool
>
> and now administrator at ad.ipa.cool will be able to issue ldap searches
> against IPA LDAP server from Linux machines. Note that ldp.exe will
> still be unable to perform searches against IPA LDAP until
> https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a
> distribution.
>
> --
> / Alexander Bokovoy
>
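As an added example (not code from the thread or from FreeIPA), the Python below builds the compat-tree filter discussed above with RFC 4515 escaping of the substituted user name, and parses an ldapsearch LDIF reply to confirm the AD user came back with the POSIX attributes an appliance resolving IDs over LDAP needs; the sample LDIF is constructed from the reply Alexander quoted.

```python
import re

# RFC 4515 escapes: the %s spliced into the filter must never be raw.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def compat_user_filter(user):
    return '(&(objectClass=posixAccount)(uid=%s))' % escape_filter_value(user)

def parse_ldif(text):
    # Entries from ldapsearch output as attr -> [values]; '#' comments and the
    # trailing search:/result: block (no dn) are dropped, '::' values kept raw.
    entries, cur = [], {}
    for line in text.splitlines() + ['']:
        if line.startswith('#'):
            continue
        if not line:
            if 'dn' in cur:
                entries.append(cur)
            cur = {}
            continue
        m = re.match(r'^([A-Za-z][\w;-]*):{1,2} ?(.*)$', line)
        if m:
            cur.setdefault(m.group(1), []).append(m.group(2))
    return entries

REQUIRED = ('uidNumber', 'gidNumber', 'homeDirectory', 'loginShell')  # RFC 2307

def check_compat_user(ldif_text, user):
    # Report whether the compat tree returned `user` and which attrs are missing.
    for e in parse_ldif(ldif_text):
        if user in e.get('uid', []) and 'posixAccount' in e.get('objectClass', []):
            return {'found': True, 'dn': e['dn'][0],
                    'missing': [a for a in REQUIRED if a not in e]}
    return {'found': False, 'dn': None, 'missing': list(REQUIRED)}

# Constructed sample modelled on the ldapsearch reply quoted in the thread.
SAMPLE_LDIF = """\
# user@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=user@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: posixAccount
gidNumber: 967001113
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: user@ad.ipa.cool

result: 0 Success
"""
```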