[Freeipa-users] ldapsearch for AD users

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 22 16:34:23 UTC 2017


On Wed, 22 Feb 2017, Hanoz Elavia wrote:
>Thanks Alex,
>
>Does it also mean that I'll have to install the FreeIPA server with
>--enable-compat? I didn't do that.

Check the ipa-compat-manage tool.

>
>Regards,
>
>Hanoz
>
>
>
>On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Wed, 22 Feb 2017, Hanoz Elavia wrote:
>>
>>> Hey Alex,
>>>
>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>> version of the Windows Server, SFU seems to have been discontinued.
>>>
>> I think you are confused by the names. What the Compat tree provides is an
>> interface on the IPA side to look up identities of AD users and groups over
>> LDAP. The Compat tree will do the lookup through SSSD on your behalf. This
>> means we don't depend on how the Windows side provides or does not provide
>> attributes.
>> Everything SSSD can resolve can be returned, be it stored in AD LDAP,
>> generated by SSSD, or stored in ID overrides in IPA.
>>
>> But the query format is the one described in RFC 2307 because this is
>> what all nss implementations like nss_ldap or similar ones use in
>> UNIX-like environments. Windows Server is merely implementing the same
>> LDAP schema to allow interoperability with the same clients. Think of
>> Compat Tree in IPA as doing the same, just dynamically.
>>
>>
>> --
>> / Alexander Bokovoy
>>

-- 
/ Alexander Bokovoy



