On Fri, 10 Jun 2016, lejeczek wrote:
On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into its ldap
> > catalog. I say weird cause there is no trust nor other sync established,
> > there was a trust agreement, one way type, but now 'trust-find' shows
> > nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > eg.
> >
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
> >  cnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
>
> Check the DN, this is not the IPA tree (cn=account), but the compat tree
> (cn=compat) populated by the slapi-nis plugin. The intent is to make the
> AD users available to non-SSSD clients that can only use LDAP as an
> interface.

Yes. If you enabled slapi-nis on IPA master but didn't establish actual
trust to AD and instead added an SSSD configuration to look up AD users
directly, then slapi-nis will happily ask SSSD for whatever users with @
in the name were requested by the LDAP clients and SSSD would look them
up in AD.

Not sure how useful that is at all but yes, this is a side-effect of
slapi-nis features.

This is very freaking useful :) I was wondering how to get my radius
there... and, oops, just like that, it was there, so thanks!

There are no passwords in that tree.

--
/ Alexander Bokovoy
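
Added example, not part of the original thread or of FreeIPA's code: a small LDIF parser that unfolds wrapped DNs like the one quoted above, labels each entry as coming from the slapi-nis compat view (cn=compat) or from FreeIPA's native cn=accounts container, and reports whether it carries a userPassword attribute. The suffix, user names and password value in the sample are constructed placeholders.

```python
# Constructed sample LDIF; suffix, users and the password value are placeholders.
SAMPLE_LDIF = """\
dn: uid=aduser@ad.example.test,cn=users,cn=compat,dc=ipa,dc=exa
 mple,dc=test
objectClass: posixAccount
uid: aduser@ad.example.test

dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=test
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
"""

def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(ldif):
    """Return [(dn, {lowercased_attr: [values]})]; base64 values stay encoded."""
    entries, dn, attrs = [], None, {}
    for line in unfold(ldif) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):        # skip LDIF comments
            name, _, value = line.partition(":")
            value = value.lstrip(":").strip() # handles both "attr:" and "attr::"
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def classify(dn):
    """Label a DN by subtree. Naive comma split: escaped commas are not handled."""
    rdns = [rdn.strip().lower() for rdn in dn.split(",")]
    if "cn=compat" in rdns:
        return "compat"
    return "accounts" if "cn=accounts" in rdns else "other"

def report(ldif):
    """Return (dn, subtree, has_userPassword) for every entry in the LDIF text."""
    return [(dn, classify(dn), "userpassword" in a) for dn, a in parse_entries(ldif)]
```

Running `report()` over saved `ldapsearch` output gives a quick inventory of which returned users are compat-view entries and confirms none of them expose a password attribute.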
