On 05/13/2015 09:24 AM, Gould, Joshua wrote:
> I have default_domain_suffix = example.com in my [sssd] section of
> sssd.conf. On RHEL6/7 systems, I’m able to login or issue any other
> command without the suffix. Is it safe to assume it works the same in
> RHEL5? I also tried with domain in all lower case and all upper case as
> well.

I think you have to use fully qualified names with legacy versions against compat tree.
Can you try a FQ name from RHEL5?

>
> On 5/13/15, 9:16 AM, "Martin Kosek" <[email protected]> wrote:
>
>> On 05/12/2015 10:48 PM, Gould, Joshua wrote:
>>> Hopefully I'm missing something simple.
>>>
>>> For an IPA user:
>>> $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
>>>
>>> This returns a match.
>>>
>>> For an AD user:
>>> $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
>>>
>>> Does not return any matches.
>>>
>>> I verified that all my IPA servers have the compatibility plugin
>>> enabled.
>>>
>>> # ipa-compat-manage status
>>> Directory Manager password:
>>>
>>> Plugin Enabled
>>> #
>> I may be asking the obvious, but "ad_user" is fully qualified, right? I.e.
>> [email protected]?
>>
>> Testing the log in on the server system as Dmitri advised is also a good
>> test to make.
>>
>>>
>>> On 5/12/15, 2:14 PM, "Alexander Bokovoy" <[email protected]> wrote:
>>>
>>>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
>>>> base cn=compat,dc=ipa,dc=example,dc=com.
>>>>
>>>> Simple ldapsearch needs to include proper filter, like what SSSD or
>>>> nss_ldap are using. slapi-nis is programmed to specifically respond to
>>>> their queries, not to any request over compat tree.
>>>>
>>>> If you want to check from the command line, use a filter like
>>>>
>>>> (&(uid=AD_user)(objectclass=posixaccount))
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>>> [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]
>>>
>>>
>
--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
