
Re: [Freeipa-users] ldapsearch for AD users



Hey Alexander,

So based on the RFC 2307 documentation, I built a test server and ran the following command:

 ldapsearch -x -W -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid=ad_user@server.com'

It worked as expected. Then once I rebooted the test server it stopped working. Any idea which service might be failing?

Regards,

Hanoz



On Wed, Feb 22, 2017 at 8:40 AM, Hanoz Elavia <h elavia atomiccartoons com> wrote:
Hey Alex,

Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll have a look at the link and see if we can change the query to obtain the info required.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy <abokovoy redhat com> wrote:
On Wed, 22 Feb 2017, Hanoz Elavia wrote:
Thanks Alex,

Does it also mean that I'll have to install the FreeIPA server with
--enable-compat? I didn't do that.

Check the ipa-compat-manage tool.


Regards,

Hanoz



On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <abokovoy redhat com> wrote:

On Wed, 22 Feb 2017, Hanoz Elavia wrote:

Hey Alex,

Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
enabled that mainly because SSSD now maps the IDs. Also, in the newer
version of the Windows Server, SFU seems to have been discontinued.

I think you are confused by the names. What the Compat tree provides is an
interface on the IPA side to look up identities of AD users and groups over
LDAP. The Compat tree will do the lookup through SSSD on your behalf. This means
we don't depend on how the Windows side provides or does not provide
attributes.
Everything SSSD can resolve can be returned, be it stored in AD LDAP,
generated by SSSD, or stored in ID overrides in IPA.

But the query format is the one described in RFC 2307 because this is
what all nss implementations like nss_ldap or similar ones use in
UNIX-like environments. Windows Server is merely implementing the same
LDAP schema to allow interoperability with the same clients. Think of
Compat Tree in IPA as doing the same, just dynamically.


--
/ Alexander Bokovoy


--
/ Alexander Bokovoy
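
Added example, not part of the original thread: the RFC 2307 style filters an nss client would send, built for the compat tree with RFC 4515 escaping so a user-supplied name cannot change the filter's structure. The server URI, suffix and bind DN are taken from the command in the thread; the function names and the sample user and group names are constructed for illustration.

```shell
#!/bin/sh
# Connection values reused from the ldapsearch command quoted in the thread.
URI='ldap://ipa.server.com'
SUFFIX='dc=ipa,dc=server,dc=com'
BIND_DN="uid=admin,cn=users,cn=accounts,$SUFFIX"

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is handled first so the escapes added afterwards are not re-escaped.
# NUL is not handled because a shell variable cannot hold it.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# getpwnam()-style filter; AD users are named user@ad.domain.
passwd_by_name_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_escape "$1")"
}

# getpwuid()-style filter; anything that is not a plain number is rejected.
passwd_by_uid_filter() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    printf '(&(objectClass=posixAccount)(uidNumber=%s))' "$1"
}

# getgrnam()-style filter.
group_by_name_filter() {
    printf '(&(objectClass=posixGroup)(cn=%s))' "$(ldap_escape "$1")"
}

# Run a search under cn=compat. $1 = users|groups, $2 = filter, rest = attributes.
compat_search() {
    container=$1
    filter=$2
    shift 2
    ldapsearch -x -W -H "$URI" -D "$BIND_DN" \
        -b "cn=$container,cn=compat,$SUFFIX" -s sub "$filter" "$@"
}

# Usage (constructed names; prompts for the bind password):
#   compat_search users  "$(passwd_by_name_filter 'ad_user@server.com')" uid uidNumber gidNumber
#   compat_search groups "$(group_by_name_filter 'ad_group@server.com')" cn gidNumber memberUid
```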


