On ke, 22 helmi 2017, Jason B. Nance wrote:
For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
where %s is ad_u...@server.com according to your example.

This is what would be intercepted and queried through SSSD.

For example:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
'(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
SASL/GSSAPI authentication started
SASL username: ad...@xs.ipa.cool
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
# requesting: ALL
#

# u...@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: <some base64 value>
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: u...@ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
status" says "Plugin Enabled", but searches for AD users yield no
results:
Sorry, I forgot to mention yesterday that if you didn't use
'ipa-adtrust-install --enable-compat' then one thing is missing from the
compat tree configuration to allow resolution of AD users. Luckily, it
is a simple ldapadd that can fix it. You can use ipa-ldap-updater:


# cat 80-enable-compat-nsswitch.update
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
# ipa-ldap-updater ./80-enable-compat-nsswitch.update
and then restart 389-ds.

As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for jna...@lab.gen.zone:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone 
'(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
I used an IPA user, not an AD user, to bind with GSSAPI.

In FreeIPA 4.4 it should also work with an AD user, but only if the
user has an ID override entry, even an empty one:

# ipa idoverrideuser-add 'Default Trust View' administra...@ad.ipa.cool

and now administra...@ad.ipa.cool will be able to issue ldap searches
against IPA LDAP server from Linux machines. Note that ldp.exe will
still be unable to perform searches against IPA LDAP until
https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a
distribution.

--
/ Alexander Bokovoy
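The filter quoted at the top of the thread, (&(objectClass=posixAccount)(uid=%s)), substitutes a user-supplied name into a search filter, so anyone scripting that lookup should escape the value per RFC 4515 and then verify that the compat tree actually returned one well-formed posixAccount entry. The following is an added example, not code from the thread or from FreeIPA: it builds the escaped filter and parses ldapsearch-style LDIF output. The LDIF text, the user name jdoe and the base64 anchor value are constructed for the example; the base DN and attribute set mirror the ldapsearch output posted above.

```python
"""Build the compat-tree user lookup filter safely and check what ldapsearch returned.

Added example for the freeipa-users thread; not FreeIPA code. Sample data below is
constructed (user jdoe, anchor value), modelled on the posted ldapsearch output.
"""
import base64
import re

# RFC 4515: these characters must be written as \XX (hex) inside a filter value,
# otherwise a name such as "*)(uid=*" changes the meaning of the filter.
_FILTER_SPECIALS = {0x5C: r"\5c", 0x2A: r"\2a", 0x28: r"\28", 0x29: r"\29", 0x00: r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe inclusion as an assertion value in an LDAP filter."""
    out = []
    for b in value.encode("utf-8"):
        if b in _FILTER_SPECIALS:
            out.append(_FILTER_SPECIALS[b])
        elif b > 0x7F:          # non-ASCII bytes are hex-escaped as well
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def compat_user_filter(uid: str) -> str:
    """The filter SSSD issues against the compat tree, with the uid escaped."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid)


# attribute-name, ":" or "::" (base64), optional space, value
_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def _unfold(text: str) -> list:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text: str) -> list:
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts.

    Comment lines are skipped; the trailing 'search:/result:' block has no dn
    and is dropped, so only real entries are returned.
    """
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8", "replace")
        current.setdefault(attr, []).append(val)
    return entries


REQUIRED_POSIX = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def check_compat_user(entries: list, expected_uid: str) -> dict:
    """Return the single posixAccount entry for expected_uid, or raise LookupError.

    This is the shape SSSD needs from the compat tree: exactly one entry, the
    posixAccount class, every POSIX attribute present, and the uid we asked for.
    """
    if len(entries) != 1:
        raise LookupError("expected exactly 1 entry, got %d" % len(entries))
    entry = entries[0]
    if "posixAccount" not in entry.get("objectClass", []):
        raise LookupError("entry is not a posixAccount")
    missing = [a for a in REQUIRED_POSIX if a not in entry]
    if missing:
        raise LookupError("entry lacks POSIX attributes: %s" % ", ".join(missing))
    if entry["uid"] != [expected_uid]:
        raise LookupError("uid mismatch: %r" % entry["uid"])
    return entry


# Constructed sample, shaped like the ldapsearch output in the thread.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jdoe@ad.ipa.cool))
# requesting: ALL
#

# jdoe@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=jdoe@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: J. Doe
gidNumber: 967001113
gecos: J. Doe
ipaAnchorUUID:: Y29uc3RydWN0ZWQtYW5jaG9y
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/jdoe
uid: jdoe@ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    print(compat_user_filter("jdoe@ad.ipa.cool"))
    print(check_compat_user(parse_ldif(SAMPLE_LDIF), "jdoe@ad.ipa.cool")["uidNumber"])
```

Running `ldapsearch -Y GSSAPI -b cn=users,cn=compat,<suffix> "$(python3 -c '...compat_user_filter...')"` and piping the output into parse_ldif gives the same check the script performs on the constructed sample; if the compat plugin lacks the schema-compat-lookup-nsswitch setting from Alexander's update file, parse_ldif returns an empty list and check_compat_user reports zero entries.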
