On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > hi everyone
> > >
> > > there is a master IPA which in some weird way puts AD users into
> > > its ldap catalog. I say weird cause there is no trust nor other
> > > sync established, there was a trust agreement, one way type, but
> > > now 'trust-find' shows nothing, that trust was removed.
> > >
> > > but still when I create a user @AD DS a second later I see it in
> > > IPA's ldap, eg.
> > >
> > > dn: [email protected],cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > >
> > > how to trace the culprit config responsible for this?
> >
> > Check the DN, this is not the IPA tree (cn=account), but the compat
> > tree (cn=compat) populated by the slapi-nis plugin. The intent is to
> > make the AD users available to non-SSSD clients that can only use
> > LDAP as an interface.
>
> Yes. If you enabled slapi-nis on IPA master but didn't establish
> actual trust to AD and instead added an SSSD configuration to look up
> AD users directly, then slapi-nis will happily ask SSSD for whatever
> users with @ in the name were requested by the LDAP clients and SSSD
> would look them up in AD.
>
> Not sure how useful is that at all but yes, this is a side-effect of
> slapi-nis features.
>

this is very freaking useful :) I was wondering how to get my radius
there... and, oops, just like that, it was there, so thanks!

> --
> / Alexander Bokovoy
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
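The distinction drawn in the thread, between entries in the native IPA tree and entries under cn=compat whose uid contains @, can be audited from an LDIF dump. The following is an added example, not part of the thread or of FreeIPA's code; it unfolds wrapped DNs like the one in the original question. The suffix dc=example,dc=test, the sample entries and the function names are constructed, and the native container is assumed to be cn=accounts as in a standard IPA layout.

```python
import base64

SUFFIX = "dc=example,dc=test"  # placeholder suffix (assumption, not from the thread)
# Constructed sample of ldapsearch LDIF output: one folded DN and one base64 DN.
_B64 = base64.b64encode(f"uid=carol@ad.example.test,cn=users,cn=compat,{SUFFIX}".encode()).decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,cn=accounts,{SUFFIX}

dn: uid=alice,cn=users,cn=compat,{SUFFIX}

dn: uid=bob@ad.example.test,cn=users,cn=compat,dc=exam
 ple,dc=test

dn:: {_B64}
"""

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with a single space)."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def entry_dns(ldif):
    """Yield every entry DN, decoding base64 'dn::' values."""
    for line in unfold(ldif):
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def classify(dn, suffix=SUFFIX):
    """Return 'accounts', 'compat', 'compat-external' (uid with '@' under cn=compat) or 'other'."""
    rdns = [r.strip().lower() for r in dn.split(",")]  # naive split: no escaped commas
    suf = [r.strip().lower() for r in suffix.split(",")]
    if len(rdns) <= len(suf) or rdns[-len(suf):] != suf:
        return "other"
    tree = {"cn=accounts": "accounts", "cn=compat": "compat"}.get(rdns[-len(suf) - 1], "other")
    if tree == "compat" and rdns[0].startswith("uid=") and "@" in rdns[0]:
        return "compat-external"
    return tree

def audit(ldif, suffix=SUFFIX):
    return [(classify(dn, suffix), dn) for dn in entry_dns(ldif)]

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

Entries reported as compat-external on a server with no trust configured point to the SSSD-backed lookup path described in the reply above.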
