On Tue, 12 May 2015, Gould, Joshua wrote:
We’re using IPA Server 4.1.0-18. We have a trust between IPA and AD
with SID mapping. In our setup, AD would be example.com and IPA would
be say ipa.example.com.

I’m having some issues configuring both RHEL5 and AIX to work with the
compat tree. In both cases, kerberos works with IPA and AD users but
LDAP only works with IPA users and not AD users.

Should AD users be returned if I search uid=AD_user under
cn=users,cn=compat,dc=ipa,dc=example,dc=com? Is this where my RHEL5 and
AIX clients should be searching? I’m not getting any matches and I’ve
verified that the compat plugin is enabled on our servers. I need a
little more to go on as far as if I’m looking in the wrong sub-tree or
going about this the wrong way.
Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
base cn=compat,dc=ipa,dc=example,dc=com.

Simple ldapsearch needs to include proper filter, like what SSSD or
nss_ldap are using. slapi-nis is programmed to specifically respond to
their queries, not to any request over compat tree.

If you want to check from the command line, use a filter like

(&(uid=AD_user)(objectclass=posixaccount))


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to