You can do this by enabling the compat tree in FreeIPA. I believe this will
involve you having to run ipa-adtrust-install --enable-compat on all IPA
servers that are involved either being a trust controller or trust agent.
You'll essentially have these trees after that you can use:
Groups: cn=g
From what I understand, you can modify sssd.conf to make it so the output of
`id` or `getent` has short names. As long as domain resolution order is set
(which it sounds like you do), all you would need to do is modify sssd.conf on
all the IPA clients (NOT the IPA servers). This is from my notes
Hello,
On Mon, Oct 26, 2020 at 2:13 PM Ulrich-Lorenz Schlüter via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
> Hello there,
>
> when I deploy the freeipa-client to hosts behind a haproxy most of the
> hostnames get changed to the rDNS entry of the haproxy. The
> freeipa-clients
My use case on AWS involves ephemeral or auto-scaling servers that do
not live long enough to justify a formal IPA enroll/un-enroll process.
We have a great AD-integrated IPA system running at the moment and I've
been able to configure a light test client that trusts the IPA CA
certificate and
Hello there,
when I deploy the freeipa-client to hosts behind a haproxy most of the
hostnames get changed to the rDNS entry of the haproxy. The
freeipa-clients get enrolled with this name. I know I can set --hostname
but how to do this with ansible-freeipa?
Thanks in advance & best regards
Uli
On su, 25 loka 2020, Vinícius Ferrão via FreeIPA-users wrote:
Hi Alexander,
On 24 Oct 2020, at 14:41, Alexander Bokovoy <aboko...@redhat.com>
Mark Reynolds via FreeIPA-users wrote:
> Please provide the Directory Server access log snippet from this failure
> as well.
The issue is it can't find the groups on the REMOTE ldap server, not the
IPA server. If you could provide a sample entry for one of the remote
groups that would be helpful.
Please provide the Directory Server access log snippet from this failure
as well.
Thanks,
Mark
On 10/26/20 7:59 AM, Per Qvindesland via FreeIPA-users wrote:
Hi
While running the command: echo password123 | ipa migrate-ds
--with-compat ldap://ipofldap:389
--bind-dn="cn=admin,dc=company,dc=
Hi
While running the command: echo password123 | ipa migrate-ds --with-compat
ldap://ipofldap:389 --bind-dn="cn=admin,dc=company,dc=com"
--base-dn=dc=company,dc=com --user-container=ou=people --group-container=ou=groups
--scope=subtree then it's failing with ipa:
ERROR: group LDAP search