[Freeipa-users] ID Mapping
Jakub Hrozek
jhrozek at redhat.com
Mon Feb 27 07:26:52 UTC 2017
On Sun, Feb 26, 2017 at 12:12:23PM -0800, Hanoz Elavia wrote:
> Hey guys,
>
> Is it possible to disable ID mapping for AD users in a FreeIPA AD trust
> setup?
>
> The version report is as follows:
>
> AD: Windows 2008 R2
> FreeIPA Server: 4.4.0-14
> FreeIPA Client: 4.4.0-14
> SSSD: 1.14.0-43
> Linux version: CentOS 7.3 x64_86
>
> I've tried setting ldap_id_mapping = False in sssd.conf in the IPA domain
> section with no success.
>
> Regards,
>
> Hanoz
In an IPA-AD trust environment the mapping is managed on the server. So
you'd need to remove the algorithmical range and add a POSIX range
instead (see ipa help idrange-add, --type=['ipa-ad-trust-posix',
'ipa-ad-trust', 'ipa-local'])
Note that clients cannot modify the range type at the moment, so you
also need to remove the cache from all clients in the domain.
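
Added example, not part of the original message: a shell sketch that prints (without executing) the server-side range swap and the client-side cache removal described in the reply above. The range name, domain SID, base ID and range size are constructed placeholders, and the cache path assumes the default SSSD location /var/lib/sss/db.

```shell
#!/bin/sh
# Added example: prints the commands for review; nothing is executed.
# All values below are constructed placeholders; substitute your own.
RANGE_NAME="AD.EXAMPLE.COM_id_range"   # assumed name; confirm with `ipa idrange-find`
DOM_SID="S-1-5-21-1111111111-2222222222-3333333333"   # placeholder trusted-domain SID
BASE_ID="10000"       # placeholder: lowest uidNumber/gidNumber stored in AD
RANGE_SIZE="200000"   # placeholder: must cover every POSIX ID stored in AD

# Commands for an IPA server, run with admin credentials:
# inspect the existing range, delete it, re-add it as a POSIX range.
server_plan() {
    cat <<EOF
ipa idrange-show '$1'
ipa idrange-del '$1'
ipa idrange-add '$1' --type=ipa-ad-trust-posix --dom-sid=$2 --base-id=$3 --range-size=$4
EOF
}

# Commands for every SSSD host in the domain: drop cached entries that
# still carry IDs produced by the old algorithmic mapping.
client_plan() {
    cat <<EOF
systemctl stop sssd
rm -f /var/lib/sss/db/*
systemctl start sssd
EOF
}

# Accept only positive integers for base ID and range size.
valid_range() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ]
}

if valid_range "$BASE_ID" "$RANGE_SIZE"; then
    echo "# On an IPA server:"
    server_plan "$RANGE_NAME" "$DOM_SID" "$BASE_ID" "$RANGE_SIZE"
    echo "# On each client:"
    client_plan
else
    echo "invalid BASE_ID or RANGE_SIZE" >&2
fi
```

With a POSIX range the UID and GID values come from the uidNumber and gidNumber attributes stored in AD, so files owned by the previously mapped IDs will need their ownership updated.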