On Mon, 13 Apr 2015, David Guertin wrote:
In our newly-setup IPA environment, users can log in to RHEL clients with the username <username>@addomain. This works, but I've run into a problem with some RHEL 5 clients that are Apache servers -- the Apache UserDir mappings no longer work. Many of the users have web pages served from the public_html directory in their home directory. With our old NIS configuration, the URL is of the form http://hostname/~username. With the new IPA configuration, these URLs no longer work; the web pages are now found in http://hostname/~username@addomain.

I can think of several ways to approach this problem, but my first thought is to have IPA recognize the AD domain as the default domain, so that our users could log in with <username> instead of <username>@addomain, and the existing URLs will work. Is this possible?

I was looking at the auth_to_local setting in /etc/krb5.conf, but I couldn't figure out what to do with it.
auth_to_local is for a different purpose.

It is not possible to change SSSD to use default domain of AD forest
root domain on IPA master because you'll break the compat tree and SSSD
on IPA clients. Compat tree and extdom plugin are expecting to have
normalized user names on IPA master. Additionally, compat tree is
expecting normalized names to come from legacy clients, it is the only
way we efficiently recognizing these requests to be done against AD
users and not doing a search for every misnamed IPA user.

Said that, you can set default domain in SSSD configuration on the
legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified
name will be sent towards compat tree and non-qualified name can be
asked on the client (RHEL 5) side.

However, this will only work in case you have a single AD domain in a
forest. If you have more than one AD domain, you are out of luck.

I'd suggest looking into mod_rewrite configuration to handle @addomain
part in Apache configuration.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to