Thanks Alexander, I have rebuilt the server with compatibility and I can now query AD users. I'll just have to confirm with Dell / EMC whether the Isilon can now handle this.
Regards,
Hanoz

On Wed, Feb 22, 2017 at 10:26 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On ke, 22 helmi 2017, Jason B. Nance wrote:
>>> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>>> where %s is ad_u...@server.com according to your example.
>>>
>>> This is what would be intercepted and queried through SSSD.
>>>
>>> For example:
>>>
>>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
>>> SASL/GSSAPI authentication started
>>> SASL username: ad...@xs.ipa.cool
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
>>> # filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
>>> # requesting: ALL
>>> #
>>>
>>> # u...@ad.ipa.cool, users, compat, xs.ipa.cool
>>> dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
>>> objectClass: ipaOverrideTarget
>>> objectClass: posixAccount
>>> objectClass: top
>>> cn: YO!
>>> gidNumber: 967001113
>>> gecos: YO!
>>> ipaAnchorUUID:: <some base64 value>
>>> uidNumber: 967001113
>>> loginShell: /bin/bash
>>> homeDirectory: /home/ad.ipa.cool/user
>>> uid: u...@ad.ipa.cool
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>
>> I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage status" says "Plugin Enabled", but searches for AD users yield no results:
>>
> Sorry, I forgot to mention yesterday that if you didn't use 'ipa-adtrust-install --enable-compat' then one thing is missing from compat tree configuration to allow resolution of AD users. Luckily, it is a simple ldapadd that can fix it. You can use ipa-ldap-updater:
>
> # cat 80-enable-compat-nsswitch.update
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> add:schema-compat-lookup-nsswitch: user
>
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> add:schema-compat-lookup-nsswitch: group
>
> # ipa-ldap-updater ./80-enable-compat-nsswitch.update
>
> and then restart 389-ds.
>
>> As a side note, I'm also not able to use GSSAPI auth as you did:
>>
>> $ kinit
>> Password for jna...@lab.gen.zone:
>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
> I used IPA user, not AD user to bind with GSSAPI.
>
> In FreeIPA 4.4 it should also work with AD user as well but only if the user has ID override entry, even empty one:
>
> # ipa idoverrideuser-add 'Default Trust View' administra...@ad.ipa.cool
>
> and now administra...@ad.ipa.cool will be able to issue ldap searches against IPA LDAP server from Linux machines. Note that ldp.exe will still be unable to perform searches against IPA LDAP until https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a distribution.
>
> --
> / Alexander Bokovoy
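An added example, not code from the thread or from the FreeIPA project: it builds the compat-tree filter quoted above with RFC 4515 escaping (so a principal taken from input cannot alter the filter), reads the LDIF reply into entries, and checks that the AD user's entry carries the posixAccount attributes a NAS client would need; zero hits is exactly the symptom the schema-compat-lookup-nsswitch update above fixes. The LDIF sample is constructed, with made-up values.

```python
import base64

# Constructed sample in the shape of the compat-tree reply quoted in the thread
# (made-up values; the ipaAnchorUUID is just base64 of "example").
SAMPLE_LDIF = """\
dn: uid=user@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
gidNumber: 967001113
ipaAnchorUUID:: ZXhhbXBsZQ==
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: user@ad.ipa.cool
"""

# RFC 4515 escapes: a principal taken from input must not be able to alter the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def compat_user_filter(principal):
    # Same filter the thread uses for an AD user such as user@ad.ipa.cool, escaped.
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in principal)
    return "(&(objectClass=posixAccount)(uid=%s))" % escaped

def parse_ldif(text):
    # Minimal LDIF reader: '::' base64 values, '#' comments, blank-line separators.
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line:                       # blank line ends an entry
            if "dn" in current:            # ignore dn-less tails like 'result: 0'
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):      # base64-encoded attribute value
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr, []).append(value.strip())
    return entries

REQUIRED = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")
def check_compat_entry(entries, principal):
    # Returns a list of problems; an empty list means the AD user resolves correctly.
    matches = [e for e in entries if e.get("uid") == [principal]]
    if len(matches) != 1:                  # zero hits is the symptom from the thread
        return ["expected one entry for %s, got %d" % (principal, len(matches))]
    entry = matches[0]
    problems = ["%s missing" % a for a in REQUIRED if a not in entry]
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("objectClass posixAccount missing")
    return problems
```

Feed it the output of the ldapsearch shown above (for example via `subprocess`) to verify the compat tree after applying the update and restarting 389-ds.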
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project