I have default_domain_suffix = example.com in my [sssd] section of sssd.conf. On RHEL6/7 systems, I’m able to login or issue any other command without the suffix. Is it safe to assume it works the same in RHEL5? I also tried with domain in all lower case and all upper case as well.
On 5/13/15, 9:16 AM, "Martin Kosek" <[email protected]> wrote: >On 05/12/2015 10:48 PM, Gould, Joshua wrote: >> Hopefully I¹m missing something simple. >> >> For an IPA user: >> $ ldapsearch -x ³(&(uid=ipa_user)(objectclass=posixAccount))² -b >> dc=ipa,dc=example,dc=com >> >> This returns a match. >> >> For an AD user: >> $ ldapsearch -x ³(&(uid=ad_user)(objectclass=posixAccount))² -b >> cn=compat,dc=ipa,dc=example,dc=com >> >> Does not return any matches. >> >> I verified that all my IPA servers have the compatibility plugin >>enabled. >> >> # ipa-compat-manage status >> Directory Manager password: >> >> Plugin Enabled >> # > >I may be asking the obvious, but "ad_user" is fully qualified, right? I.e. >[email protected]? > >Testing the log in on the server system as Dmitri advised is also a good >test >to make. > >> >> >> On 5/12/15, 2:14 PM, "Alexander Bokovoy" <[email protected]> wrote: >> >>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a >>> base cn=compat,dc=ipa,dc=example,dc=com. >>> >>> Simple ldapsearch needs to include proper filter, like what SSSD or >>> nss_ldap are using. slapi-nis is programmed to specifically respond to >>> their queries, not to any request over compat tree. >>> >>> If you want to check from the command line, use a filter like >>> >>> (&(uid=AD_user)(objectclass=posixaccount)) >>> >>> >>> -- >>> / Alexander Bokovoy >> >> >>[(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc, >>dc >> =edu] >>> >> >> >> > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
