I have default_domain_suffix = example.com in my [sssd] section of
sssd.conf. On RHEL6/7 systems, I’m able to login or issue any other
command without the suffix. Is it safe to assume it works the same in
RHEL5? I also tried with domain in all lower case and all upper case as
well.

On 5/13/15, 9:16 AM, "Martin Kosek" <mko...@redhat.com> wrote:

>On 05/12/2015 10:48 PM, Gould, Joshua wrote:
>> Hopefully I¹m missing something simple.
>> 
>> For an IPA user:
>> $ ldapsearch -x ³(&(uid=ipa_user)(objectclass=posixAccount))² -b
>> dc=ipa,dc=example,dc=com
>> 
>> This returns a match.
>> 
>> For an AD user:
>> $ ldapsearch -x ³(&(uid=ad_user)(objectclass=posixAccount))² -b
>> cn=compat,dc=ipa,dc=example,dc=com
>> 
>> Does not return any matches.
>> 
>> I verified that all my IPA servers have the compatibility plugin
>>enabled.
>> 
>> # ipa-compat-manage status
>> Directory Manager password:
>> 
>> Plugin Enabled
>> #
>
>I may be asking the obvious, but "ad_user" is fully qualified, right? I.e.
>adu...@my.ad.domain.test?
>
>Testing the log in on the server system as Dmitri advised is also a good
>test
>to make.
>
>> 
>> 
>> On 5/12/15, 2:14 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>> 
>>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
>>> base cn=compat,dc=ipa,dc=example,dc=com.
>>>
>>> Simple ldapsearch needs to include proper filter, like what SSSD or
>>> nss_ldap are using. slapi-nis is programmed to specifically respond to
>>> their queries, not to any request over compat tree.
>>>
>>> If you want to check from the command line, use a filter like
>>>
>>> (&(uid=AD_user)(objectclass=posixaccount))
>>>
>>>
>>> -- 
>>> / Alexander Bokovoy
>> 
>> 
>>[(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,
>>dc
>> =edu]
>>>
>> 
>> 
>> 
>


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to