[Freeipa-users] Question about ipa user accounts and the compat container
Alexander Bokovoy
abokovoy at redhat.com
Sun Mar 12 20:45:03 UTC 2017
On Sun, 12 Mar 2017, Robert Johnson wrote:
>Sorry, I should have given some more information. We are trying to allow the
>users from the trusted Windows domain to log in to the Solaris client, and
>the only way I have found to have this work is by using the
>cn=compat,$SUFFIX for the passwd, as this will force the LDAP client to
>use the slapi plugin on the IPA server. This required using ldapclient
>manual on the Solaris system instead of the default profile (which uses
>cn=accounts for passwd).
>
>ex:
>ldapclient list for default profile shows: (supports IPA users just fine)
>NS_LDAP_SEARCH_BASEDN= $SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,$SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>
>ldaplist list for my manual profile shows: (supports Windows users just
>fine)
>NS_LDAP_SEARCH_BASEDN= $SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,$SUFFIX
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>
>What we were trying to do is also allow IPA-created users to log in to the
>Solaris client in addition to the Windows users. This is where I started
>to run into problems with the pam_ldap module as it was detecting the
>duplicate entries from the "bug" above.
Thanks for the details.
So, why don't you set NS_LDAP_SEARCH_BASEDN = cn=compat,$SUFFIX?
--
/ Alexander Bokovoy