[Freeipa-users] Re: Is it possible to use the FreeIPA LDAP interface to authenticate AD users?

2020-10-26 Thread Louis Abel via FreeIPA-users
You can do this by enabling the compat tree in FreeIPA. I believe this will involve you having to run ipa-adtrust-install --enable-compat on all IPA servers that are involved either being a trust controller or trust agent. You'll essentially have these trees after that you can use: Groups: cn=g

[Freeipa-users] Re: How far I can take the use of short unqualified names/groups with an AD integrated FreeIPA setup?

2020-10-26 Thread Louis Abel via FreeIPA-users
From what I understand, you can modify sssd.conf to make it so the output of `id` or `getent` has short names. As long as domain resolution order is set (which it sounds like you do), all you would need to do is modify sssd.conf on all the IPA clients (NOT the IPA servers). This is from my notes

[Freeipa-users] Re: Deploying freeipa-client with ansible-freeipa behind haproxy

2020-10-26 Thread Rafael Jeffman via FreeIPA-users
Hello, On Mon, Oct 26, 2020 at 2:13 PM Ulrich-Lorenz Schlüter via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hello there, > > when I deploy the freeipa-client to hosts behind a haproxy most of the > hostnames get changed to the rDNS entry of the haproxy. The > freeipa-clients

[Freeipa-users] Is it possible to use the FreeIPA LDAP interface to authenticate AD users?

2020-10-26 Thread Chris Dagdigian via FreeIPA-users
My use case on AWS involves ephemeral or auto-scaling servers that do not live long enough to justify a formal IPA enroll/un-enroll process. We have a great AD-integrated IPA system running at the moment and I've been able to configure a light test client that trusts the IPA CA certificate and

[Freeipa-users] Deploying freeipa-client with ansible-freeipa behind haproxy

2020-10-26 Thread Ulrich-Lorenz Schlüter via FreeIPA-users
Hello there, when I deploy the freeipa-client to hosts behind a haproxy most of the hostnames get changed to the rDNS entry of the haproxy. The freeipa-clients get enrolled with this name. I know I can set --hostname but how to do this with ansible-freeipa? Thanks in advance & best regards Uli __

[Freeipa-users] Re: Question about ID Views in AD Trust

2020-10-26 Thread Alexander Bokovoy via FreeIPA-users
On Sun, 25 Oct 2020, Vinícius Ferrão via FreeIPA-users wrote: Hi Alexander, On 24 Oct 2020, at 14:41, Alexander Bokovoy <aboko...@redhat.com>

[Freeipa-users] Re: ipa migrate failing

2020-10-26 Thread Rob Crittenden via FreeIPA-users
Mark Reynolds via FreeIPA-users wrote: > Please provide the Directory Server access log snippet from this failure > as well. The issue is it can't find the groups on the REMOTE ldap server, not the IPA server. If you could provide a sample entry for one of the remote groups that would be helpful.

[Freeipa-users] Re: ipa migrate failing

2020-10-26 Thread Mark Reynolds via FreeIPA-users
Please provide the Directory Server access log snippet from this failure as well. Thanks, Mark On 10/26/20 7:59 AM, Per Qvindesland via FreeIPA-users wrote: Hi While running the command:   echo password123 | ipa migrate-ds --with-compat ldap://ipofldap:389 --bind-dn="cn=admin,dc=company,dc=

[Freeipa-users] ipa migrate failing

2020-10-26 Thread Per Qvindesland via FreeIPA-users
Hi While running the command:   echo password123 | ipa migrate-ds --with-compat ldap://ipofldap:389 --bind-dn="cn=admin,dc=company,dc=com"  --base-dn=dc=company,dc=com --user-container=ou=people --group-container=ou=groups --scope=subtree then it's failing with ipa: ERROR: group LDAP search