[Freeipa-users] Question about ipa user accounts and the compat container

Alexander Bokovoy abokovoy at redhat.com
Sun Mar 12 20:45:03 UTC 2017


On Sun, 12 Mar 2017, Robert Johnson wrote:
>Sorry, I should have given some more information. We are trying to allow the
>users from the trusted Windows domain to log in to the Solaris client, and
>the only way I have found to have this work is by using the
>cn=compat,$SUFFIX for the passwd, as this will force the LDAP client to
>use the slapi plugin on the IPA server.  This required using ldapclient
>manual on the Solaris system instead of the default profile (which uses
>cn=accounts for passwd).
>
>ex:
>ldapclient list for default profile shows: (supports IPA users just fine)
>NS_LDAP_SEARCH_BASEDN= $SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,$SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>
>ldaplist list for my manual profile shows: (supports Windows users just
>fine)
>NS_LDAP_SEARCH_BASEDN= $SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,$SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>
>What we were trying to do is also allow IPA-created users to log in to the
>Solaris client in addition to the Windows users.  This is where I started
>to run into problems with the pam_ldap module, as it was detecting the
>duplicate entries from the "bug" above.
Thanks for the details.

So, why don't you set NS_LDAP_SEARCH_BASEDN = cn=compat,$SUFFIX?


-- 
/ Alexander Bokovoy



