On 05/12/2015 04:48 PM, Gould, Joshua wrote:
Hopefully I¹m missing something simple.
For an IPA user:
$ ldapsearch -x ³(&(uid=ipa_user)(objectclass=posixAccount))² -b
dc=ipa,dc=example,dc=com
This returns a match.
For an AD user:
$ ldapsearch -x ³(&(uid=ad_user)(objectclass=posixAccount))² -b
cn=compat,dc=ipa,dc=example,dc=com
Does not return any matches.
I verified that all my IPA servers have the compatibility plugin enabled.
# ipa-compat-manage status
Directory Manager password:
Plugin Enabled
#
Can you log into a server as an IPA user and then su to an AD user with
authentication?
If that works it means that trust is actually working. I would start
with confirming that part.
If we know that the trust is actually working we can move to debugging
the compat-plugin. If it is not working we would know why nothing is
showing up in the tree.
Looking at SSSD trace on IPA server that corresponds to the time when
you run the LDAP search might shed some light on what is going on.
On 5/12/15, 2:14 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
base cn=compat,dc=ipa,dc=example,dc=com.
Simple ldapsearch needs to include proper filter, like what SSSD or
nss_ldap are using. slapi-nis is programmed to specifically respond to
their queries, not to any request over compat tree.
If you want to check from the command line, use a filter like
(&(uid=AD_user)(objectclass=posixaccount))
--
/ Alexander Bokovoy
[(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc
=edu]
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
