On 05/12/2015 04:48 PM, Gould, Joshua wrote:
Hopefully I¹m missing something simple.

For an IPA user:
$ ldapsearch -x ³(&(uid=ipa_user)(objectclass=posixAccount))² -b

This returns a match.

For an AD user:
$ ldapsearch -x ³(&(uid=ad_user)(objectclass=posixAccount))² -b

Does not return any matches.

I verified that all my IPA servers have the compatibility plugin enabled.

# ipa-compat-manage status
Directory Manager password:

Plugin Enabled

Can you log into a server as an IPA user and then su to an AD user with authentication? If that works it means that trust is actually working. I would start with confirming that part. If we know that the trust is actually working we can move to debugging the compat-plugin. If it is not working we would know why nothing is showing up in the tree. Looking at SSSD trace on IPA server that corresponds to the time when you run the LDAP search might shed some light on what is going on.

On 5/12/15, 2:14 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
base cn=compat,dc=ipa,dc=example,dc=com.

Simple ldapsearch needs to include proper filter, like what SSSD or
nss_ldap are using. slapi-nis is programmed to specifically respond to
their queries, not to any request over compat tree.

If you want to check from the command line, use a filter like


/ Alexander Bokovoy

Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to