On Fri, 10 Jun 2016, lejeczek wrote:
On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
> there is a master IPA which in some weird way puts AD users into
> its ldap
> catalog. I say weird cause there is no trust nor other sync
> established,
> there was a trust agreement, one way type, but now 'trust-find'
> shows
> nothing, that trust was removed.
> but still when I create a user @AD DS a second later I see it in
> IPA's ldap,
> eg.
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private
> ,dc=c
>  cnr,dc=aaa,dc=private,dc=dom
> how to trace the culprit config responsible for this?

Check the DN, this is not the IPA tree (cn=account), but the compat
(cn=compat) populated by the slapi-nis plugin. The intent is to make
AD users available to non-SSSD clients that can only use LDAP as an

any chance this plugin gets included without user/admin intention, eg.
during migrate-ds ?
The slapi-nis plugin is enabled by default when IPA is installed because
ou=sudoers tree is emulated by the slapi-nis.

is ipa toolkit or I have to go directly to ldap to de/activate
plugin(s) ?
See ipa-compat-manage

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to