> Thanks all, the suggestions were incredibly helpful and are working well!
>
> That strikes wishlist item #1 off my list, now on to the next "wish" --
> seeing if FreeIPA's LDAP service can be used to authenticate AD users
> for scenarios where we can't provide a full IPA client enrollment option.
>
> Regards
> Chris

I did see your other mail list post and did reply, I'm not sure if you saw it. Anyway, you can do this by enabling the compat tree in FreeIPA. I think this will involve you having to run ipa-adtrust-install --enable-compat on all IPA servers that are involved, either being a trust controller or trust agent. You'll have these trees after that you can use:

Users: cn=users,cn=compat,dc=ipa,dc=example,dc=com
Groups: cn=groups,cn=compat,dc=ipa,dc=example,dc=com

What will happen is all IPA users and groups will show up immediately, but the AD users/groups won't until they are asked for (e.g. from a simple ldapsearch or bind), which should be sufficient. In my previous cases of having to use the compat tree, it was for legacy clients (e.g. BSD, Solaris/OmniOS/Illumos, and RHEL 5).
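
A way to verify the compat tree from a non-enrolled client, as an added example that is not part of the original thread: it derives the two compat base DNs from the IPA domain, looks up an AD user (which is what makes the entry appear), then tests a simple bind over StartTLS so the password is not sent in cleartext. The host name, domain and user name are constructed placeholders, and the example assumes anonymous reads of the compat tree are allowed and that AD users appear there as `uid=user@ad.domain`.

```shell
#!/bin/sh
# Added example: helper names, hosts and users below are hypothetical placeholders.

# Turn a DNS-style IPA domain (ipa.example.com) into its LDAP suffix
# (dc=ipa,dc=example,dc=com).
domain_to_suffix() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Base DNs of the compat trees named in the reply above.
compat_users_base()  { printf 'cn=users,cn=compat,%s'  "$(domain_to_suffix "$1")"; }
compat_groups_base() { printf 'cn=groups,cn=compat,%s' "$(domain_to_suffix "$1")"; }

# DN a legacy client would bind as (assumed uid=<user@ad.domain> naming).
compat_user_dn() { printf 'uid=%s,%s' "$2" "$(compat_users_base "$1")"; }

# check_compat_user <ipa-server> <ipa-domain> <user@ad.domain>
# 1. Search for the user; AD entries are only populated once requested.
# 2. Simple bind as that DN; -ZZ requires StartTLS to succeed first, and
#    -W prompts for the password instead of taking it on the command line.
check_compat_user() {
    server=$1
    domain=$2
    user=$3
    ldapsearch -x -ZZ -H "ldap://$server" \
        -b "$(compat_users_base "$domain")" "(uid=$user)" \
        uid uidNumber gidNumber || return 1
    ldapwhoami -x -ZZ -H "ldap://$server" \
        -D "$(compat_user_dn "$domain" "$user")" -W
}

# Example invocation (constructed values):
#   check_compat_user ipa1.ipa.example.com ipa.example.com jdoe@ad.example.com
```

If `-ZZ` fails, fix the client's trust of the IPA CA certificate rather than dropping the flag, since a simple bind without TLS exposes the AD password on the wire.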
