On Tue, 24 Nov 2015, Jeffrey Stormshak wrote:
I went to review the ‘ip_provider’ and that looks like a ‘sssd.conf’
setting.  The sssd RPM isn’t located on the 5.5 clients; nor is it in
the YUM Channels for 5.5 base and 5.5 patch.  So is the recommendation
here to find any 5.X version of sssd RPM and use that for this
configuration?  Sorry, being a newbie on this product realistically
isn’t helping here I’m sure …

The ipa-advise, is that part of the ipa-client RPM?  That too, doesn’t
exist on the 5.5 distribution as well.  Even the version required to
fix the openssl only worked with the 5.7 base version.  Am I complete
doomed for 5.5?  Cards are stacked for sure.  Nonetheless …
ipa-advise is a tool on IPA server that provides recipes how to
configure different clients for a typical scenarios involving trust to

Read the manual for the tool to get more information.

For legacy clients where there is no recent enough SSSD to support trust
to AD natively, ipa-advise recommends using schema compatibility plugin
to expose both IPA and AD users under same LDAP tree. This is what you
see in cn=users,cn=compat,dc=example,dc=com. If you see cn=compat in the
LDAP base DN, you know you are looking into the compatibility tree.

Compatibility tree is handled by a special plugin which combines data
from the primary IPA tree (cn=accounts,dc=example,dc=com) and from SSSD
on IPA server. It also exposes ou=SUDOers subtree to allow SUDO
application to work with sudo rules stored in IPA LDAP (they are not in
the same format as SUDO itself expects, thus _compatibility_ subtree).

I feel so close though…  Auth and Sudo works on 5.5 but something as
simple as users changing passwords seems so simple to provide?
Finally, password changes are not supported in cn=compat subtree. This
is simply not implemented by schema compatibility plugin.

You haven't answered earlier when people asked whether you are using
cn=compat tree because you need to get information about Active
Directory users or not. If you don't need integration with Active
Directory, change LDAP base DN in your configuration to
cn=accounts,dc=example,dc=com, to point your clients to the primary IPA
subtree where all users and groups are available. That subtree is the
main one and we do support password changes for DNs in it.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to