On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
> 
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
> 
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> eg.
> 
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
>  cnr,dc=aaa,dc=private,dc=dom
> 
> how to trace the culprit config responsible for this?

Check the DN, this is not the IPA tree (cn=account), but the compat tree
(cn=compat) populated by the slapi-nis plugin. The intent is to make the
AD users available to non-SSSD clients that can only use LDAP as an
interface.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to