[Freeipa-users] ldapsearch for AD users

Hanoz Elavia h.elavia at atomiccartoons.com
Wed Feb 22 15:11:37 UTC 2017


Hey Alex,

Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
enabled that mainly because SSSD now maps the IDs. Also, in the newer
version of the Windows Server, SFU seems to have been discontinued.

Since there is a possibility of us having to upgrade in the future, I tried
to keep SFU out of the picture. Please let me know your thoughts. Here's
some additional info regarding the environment:

Windows ADs: Windows Server 2008 R2
FreeIPA Server: CentOS 7.2 x86_64
FreeIPA Server Version: 4.4.0.14
FreeIPA Client Version: 4.4.0.14
SSSD Version: 1.14.0-43

Thanks,

Hanoz


*Hanoz Elavia |*  IT Manager
*O:* 604-734-2866 *|*  *www.atomiccartoons.com
<http://www.atomiccartoons.com>*
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 7:05 AM, Hanoz Elavia <h.elavia at atomiccartoons.com>
wrote:

> Thanks guys,
>
> I think there might be a way to modify the LDAP query. I'm speaking to the
> EMC /  Dell support personnel today to see what can be done.
>
> Regards,
>
> Hanoz
>
>
> *Hanoz Elavia |*  IT Manager
> *O:* 604-734-2866 *|*  *www.atomiccartoons.com
> <http://www.atomiccartoons.com>*
> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>
> On Wed, Feb 22, 2017 at 6:50 AM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Wed, 22 Feb 2017, Jason B. Nance wrote:
>>
>>>> There is none. Compat tree is built with RFC2307 queries in mind.
>>>> RFC2307 clients issue a request with a specific user or group name and
>>>> that triggers lookup of AD user/group through SSSD and insertion into
>>>> the compat tree. A part of the trigger is how LDAP filter is built (see
>>>> RFC for those). If your software does not use the same filter, you
>>>> wouldn't get a response.
>>>>
>>>
>>> Are you saying that there is an LDAP query you can use to retrieve the
>>> UID/GID of a user/group that is known via an AD trust as long as the
>>> filter is correct?  I ran into this same situation (with a storage
>>> appliance) and thought that the problem was that the UIDs/GIDs were
>>> calculated but never stored, but I hadn't stopped to think about
>>> whether sssd (on the local machine) retrieves them from FreeIPA or does
>>> the calculation.
>>>
>> Read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt
>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>