[Freeipa-users] ldapsearch for AD users

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 22 19:38:46 UTC 2017


On ke, 22 helmi 2017, Hanoz Elavia wrote:
>Hey Alexander,
>
>So based on the RFC 2307 documentation, I built a test server and ran the
>following command:
>
> ldapsearch -x -W -H 'ldap://ipa.server.com' -b
>'cn=compat,dc=ipa,dc=server,dc=com' -D
>'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid=
>ad_user at server.com'
>
>It worked as expected. Then once I rebooted the test server it stopped
>working. Any idea which service might be failing ?
As I said, these are dynamic entries. You should use proper queries.
I mentioned RFC 2307; use section 5.2 to get proper queries.

For example, for a user that would be (&(objectClass=posixAccount)(uid=%s))
where %s is ad_user at server.com according to your example.

This is what would be intercepted and queried through SSSD.

For example:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '(&(objectClass=posixAccount)(uid=user at ad.ipa.cool))'
SASL/GSSAPI authentication started
SASL username: admin at XS.IPA.COOL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=user at ad.ipa.cool))
# requesting: ALL
#

# user at ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=user at ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: <some base64 value>
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: user at ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1



>
>Regards,
>
>Hanoz
>
>
>
>On Wed, Feb 22, 2017 at 8:40 AM, Hanoz Elavia <h.elavia at atomiccartoons.com>
>wrote:
>
>> Hey Alex,
>>
>> Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
>> have a look at the link and see if we can change the query to obtain the
>> info required.
>>
>> Regards,
>>
>> Hanoz
>>
>>
>> Hanoz Elavia | IT Manager
>> O: 604-734-2866 | www.atomiccartoons.com <http://www.atomiccartoons.com>
>> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>>
>> On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>
>>>> Thanks Alex,
>>>>
>>>> Does it also means that I'll have to install the FreeIPA server with
>>>> --enable-compat ? I didn't do that.
>>>>
>>>
>>> check ipa-compat-manage tool.
>>>
>>>
>>>> Regards,
>>>>
>>>> Hanoz
>>>>
>>>>
>>>> Hanoz Elavia | IT Manager
>>>> O: 604-734-2866 | www.atomiccartoons.com <http://www.atomiccartoons.com>
>>>> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>>>>
>>>> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <abokovoy at redhat.com>
>>>> wrote:
>>>>
>>>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>>>> Hey Alex,
>>>>>>
>>>>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>>>>> Windows 2008 R2? Apologies for not mentioning this earlier but I
>>>>>> haven't enabled that mainly because SSSD now maps the IDs. Also, in the
>>>>>> newer version of the Windows Server, SFU seems to have been discontinued.
>>>>>>
>>>>> I think you are confused by the names. What Compat tree provides is an
>>>>> interface on IPA side to look up identities of AD users and groups over
>>>>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>>>>> we don't depend on how Windows side provides or does not provide
>>>>> attributes.
>>>>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>>>>> generated by SSSD, or stored in ID overrides in IPA.
>>>>>
>>>>> But the query format is the one described in RFC 2307 because this is
>>>>> what all nss implementations like nss_ldap or similar ones use in
>>>>> UNIX-like environments. Windows Server is merely implementing the same
>>>>> LDAP schema to allow interoperability with the same clients. Think of
>>>>> Compat Tree in IPA as doing the same, just dynamically.
>>>>>
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>

-- 
/ Alexander Bokovoy
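The RFC 2307 section 5.2 lookup filters Alexander points to, as an added example that is not part of this thread: a small Python helper (function names are my own) that builds each NSS-style query for the compat tree and escapes the assertion value per RFC 4515, so a name such as user@ad.ipa.cool, or anything less friendly, cannot change the structure of the filter handed to ldapsearch or SSSD.

```python
# Build RFC 2307 section 5.2 style NSS lookup filters for the FreeIPA compat
# tree. Values are escaped per RFC 4515 so untrusted input cannot alter the
# filter's structure. Added example, not code from the thread; names are mine.

_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    # Character by character, so a backslash is never escaped twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_by_name(name: str) -> str:
    # getpwnam(): (&(objectClass=posixAccount)(uid=%s))
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(name)}))"


def user_by_uid(uid: int) -> str:
    # getpwuid(): (&(objectClass=posixAccount)(uidNumber=%d))
    return f"(&(objectClass=posixAccount)(uidNumber={int(uid)}))"


def group_by_name(name: str) -> str:
    # getgrnam(): (&(objectClass=posixGroup)(cn=%s))
    return f"(&(objectClass=posixGroup)(cn={escape_filter_value(name)}))"


def group_by_gid(gid: int) -> str:
    # getgrgid(): (&(objectClass=posixGroup)(gidNumber=%d))
    return f"(&(objectClass=posixGroup)(gidNumber={int(gid)}))"


def groups_of_user(name: str) -> str:
    # initgroups(): (&(objectClass=posixGroup)(memberUid=%s))
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(name)}))"


if __name__ == "__main__":
    # Same lookup as the ldapsearch in the thread, ready to pass as the filter
    # argument of: ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '<filter>'
    print(user_by_name("user@ad.ipa.cool"))
```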
