[Freeipa-users] Default domain for AD groups

Alexander Bokovoy abokovoy at redhat.com
Fri Feb 24 06:04:43 UTC 2017


On Thu, 23 Feb 2017, Hanoz Elavia wrote:
>Hello,
>
>My FreeIPA clients and server are set up to use the AD domain as the
>default. This is done using the default_domain_suffix parameter in the sssd
>section of the sssd.conf file.
>
>This works fine for users when we use ldapsearch but not so much for
>groups. For example:
>
>ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
>  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
>  -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
>  '(cn=domaingroup@server.com)'
>
>works fine but
>
>ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
>  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
>  -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
>  '(cn=domaingroup)'
>
>won't work. However, the above will work fine for users. I'm using the

No, the compat tree is designed to be used with fully-qualified groups and
users. There is no way around it.

-- 
/ Alexander Bokovoy
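
Added example, not part of the original message or of FreeIPA/SSSD: since the compat tree only matches fully-qualified names, a client-side wrapper can read default_domain_suffix from sssd.conf and qualify short group names itself before searching. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample sssd.conf, modelled on the setup described in the thread.
sample_conf() {
    cat <<'EOF'
[domain/ipa.server.com]
id_provider = ipa

[sssd]
domains = ipa.server.com
default_domain_suffix = server.com
EOF
}

# Read an sssd.conf on stdin and print default_domain_suffix from its [sssd] section.
sssd_default_domain() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*default_domain_suffix[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# Escape a value for an LDAP search filter (RFC 4515): backslash first, then * ( )
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the cn filter for the compat tree: a short name gets "@domain" appended,
# an already-qualified name is left alone.
compat_cn_filter() {
    name=$1 domain=$2
    case $name in
        *@*) ;;
        *) name="$name@$domain" ;;
    esac
    printf '(cn=%s)' "$(ldap_escape "$name")"
}

# Demo: prints the filter to pass as the last ldapsearch argument.
domain=$(sample_conf | sssd_default_domain)
compat_cn_filter domaingroup "$domain"; echo
```

On a real host, feed the function the local configuration instead of the sample, e.g. `sssd_default_domain < /etc/sssd/sssd.conf`.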
