[Freeipa-users] ldapsearch for AD users

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 22 07:28:52 UTC 2017


On Tue, 21 Feb 2017, Hanoz Elavia wrote:
>Hello,
>
>I've got the FreeIPA server with AD trust (Server 2008 R2) set up and
>running. I can log in successfully on Linux clients using AD credentials.
>I'm now trying to set up my Isilon storage appliance with mixed mode file
>sharing.
>
>The filer has joined the AD so it provides Windows users access to the
>files. However, being a legacy client, it uses simple bind to query LDAP
>for uid and gid. I was able to set up FreeIPA as the LDAP server but it
>doesn't seem to return the uid and gid for AD objects.
>
>The query my storage is using is as follows:
>
>ldapsearch -x -W -z 10 -H ldap://ipa.server.com -b
>'cn=compat,dc=ipa,dc=server,dc=com' -D
>'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'
>'(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup)(objectClass=person))'
>
>The preceding command obtains all the IDs for the native FreeIPA users
>/ groups but doesn't return any results for AD users. Is there a way to get
>this done? I can't install any clients on the Isilon as it uses BSD-based
>proprietary software. I can manually map FreeIPA-assigned uids / gids but
>that's tedious and error-prone. Any help would be appreciated.
There is none. The compat tree is built with RFC2307 queries in mind.
RFC2307 clients issue a request with a specific user or group name, and
that triggers a lookup of the AD user/group through SSSD and insertion into
the compat tree. Part of the trigger is how the LDAP filter is built (see
the RFC for those). If your software does not use the same filter, you
won't get a response.


-- 
/ Alexander Bokovoy
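The reply above comes down to the shape of the search filter: the compat tree only materialises an AD user or group when a client asks for a specific one by name or ID, while a bare objectClass enumeration such as the Isilon's returns only what is already there. The following script is an added example, not part of this thread or of FreeIPA/slapi-nis itself; it parses an RFC 4515 filter and reports whether the filter names a specific entry (the per-entry RFC 2307 lookup form) or merely enumerates by objectClass. The set of attributes treated as "lookup keys" (uid, cn, uidNumber, gidNumber, memberUid) is an assumption about how the compat plugin recognises a per-entry lookup; the filters fed to it are constructed sample input, with the enumeration filter copied from the question above.

```python
import re

# Attributes whose equality assertion turns a query into a per-entry
# RFC 2307 lookup. ASSUMPTION: this is the set the compat plugin is
# expected to react to; verify against your slapi-nis version.
LOOKUP_ATTRS = {"uid", "cn", "uidnumber", "gidnumber", "memberuid"}

# Constructed samples. The first is the Isilon's filter from the question;
# the second is a hypothetical per-user lookup for an AD user.
ENUMERATION_FILTER = (
    "(|(objectClass=posixAccount)(objectClass=posixGroup)"
    "(objectClass=nisNetgroup)(objectClass=person))"
)
PER_USER_FILTER = "(&(objectClass=posixAccount)(uid=jdoe@ad.example.com))"


def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple tree.

    Composite nodes are ("&"|"|"|"!", [children]); leaves are
    (operator, attribute_lowercased, value).
    """
    pos, tree = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return tree


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                       # AND / OR with zero or more children
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, i))
        return i + 1, (op, children)
    if s[i] == "!":                        # NOT with exactly one child
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! at offset %d" % i)
        return i + 1, ("!", [child])
    # Simple item: attr OP value. A literal ')' inside a value must be
    # escaped as \29 per RFC 4515, so the next ')' closes this item.
    end = s.index(")", i)
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(~=|>=|<=|:=|=)(.*)", s[i:end])
    if not m:
        raise ValueError("malformed item %r" % s[i:end])
    attr, op, value = m.groups()
    return end + 1, (op, attr.lower(), value)


def _leaves(node):
    """Yield every leaf assertion in the tree, depth first."""
    if node[0] in ("&", "|", "!"):
        for child in node[1]:
            yield from _leaves(child)
    else:
        yield node


def lookup_keys(tree):
    """Equality assertions that pin the search to a specific entry.

    Wildcard values (substring matches) are not counted, since they do
    not identify one user or group.
    """
    return [(attr, value) for op, attr, value in _leaves(tree)
            if op == "=" and attr in LOOKUP_ATTRS and "*" not in value]


def object_classes(tree):
    """Sorted, lower-cased objectClass values the filter asks for."""
    return sorted({value.lower() for op, attr, value in _leaves(tree)
                   if op == "=" and attr == "objectclass"})


def classify(filter_text):
    """Report whether a filter is an enumeration or a per-entry lookup."""
    tree = parse_filter(filter_text)
    keys = lookup_keys(tree)
    return {
        "enumeration_only": not keys,
        "lookup_keys": keys,
        "object_classes": object_classes(tree),
    }


if __name__ == "__main__":
    for label, flt in (("isilon", ENUMERATION_FILTER), ("per-user", PER_USER_FILTER)):
        print(label, classify(flt))
```

Run against the Isilon filter the script reports an enumeration with no lookup keys, which is exactly the case the reply says the compat tree will not answer for AD objects; against the per-user form it reports the uid key that a per-entry lookup carries. Pointing the filer's LDAP query at a filter of the second shape (one user or group per request) is the check implied by the reply; whether a given appliance can be configured that way is outside what this thread covers.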
