On Fri, 10 Jun 2016, lejeczek wrote:
On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> > there is a master IPA which in some weird way puts AD users into
> > its ldap
> > catalog. I say weird cause there is no trust nor other sync
> > established,
> > there was a trust agreement, one way type, but now 'trust-find'
> > shows
> > nothing, that trust was removed.
> > but still when I create a user @AD DS a second later I see it in
> > IPA's ldap,
> > eg.
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=priva
> > te,dc=c
> > cnr,dc=aaa,dc=private,dc=dom
> > how to trace the culprit config responsible for this?
> Check the DN, this is not the IPA tree (cn=account), but the compat
> (cn=compat) populated by the slapi-nis plugin. The intent is to
> make the
> AD users available to non-SSSD clients that can only use LDAP as an
Yes. If you enabled slapi-nis on IPA master but didn't establish
trust to AD and instead added an SSSD configuration to lookup AD
directly, then slapi-nis will happily ask SSSD for whatever users
in the name were requested by the LDAP clients and SSSD would look
up in AD.
Not sure how useful is that at all but yes, this is a side-effect of
this is very freaking useful :) I was wondering how to get my radius
there... and, ups, just like that, it was there, so thanks!
There are no passwords in that tree.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project