On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > hi everyone
> > > 
> > > there is a master IPA which in some weird way puts AD users into its ldap
> > > catalog. I say weird because there is no trust nor other sync established;
> > > there was a trust agreement, one-way type, but now 'trust-find' shows
> > > nothing, that trust was removed.
> > > 
> > > but still when I create a user @AD DS, a second later I see it in IPA's ldap,
> > > eg.
> > > 
> > > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > 
> > > how to trace the culprit config responsible for this?
> > 
> > Check the DN, this is not the IPA tree (cn=accounts), but the compat tree
> > (cn=compat) populated by the slapi-nis plugin. The intent is to make the
> > AD users available to non-SSSD clients that can only use LDAP as an
> > interface.
> 
> Yes. If you enabled slapi-nis on the IPA master but didn't establish an actual
> trust to AD and instead added an SSSD configuration to look up AD users
> directly, then slapi-nis will happily ask SSSD for whatever users with @
> in the name were requested by the LDAP clients, and SSSD would look them
> up in AD.
but would entries from AD wind up in IPA's ldap?
I'm poking around and am still puzzled. I believe I've enabled nis on a
replica but it's not doing it there: those AD users are not in the IPA
replica's ldap, whereas they exist on the master.
> Not sure how useful is that at all but yes, this is a side-effect of
> slapi-nis features.
> 
> -- 
> / Alexander Bokovoy
> 
> 
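To trace the config responsible, the thing to compare between the master and the replica is the slapi-nis "Schema Compatibility" plugin entry under cn=config: whether the plugin is enabled at all, and whether the compat containers carry schema-compat-lookup-nsswitch, which is what makes slapi-nis forward unknown names (such as user@AD.DOMAIN) to SSSD. The script below is an added example, not code from the thread or from the FreeIPA project; the ldapsearch command in the comment and the attribute names are the ones used by 389-ds and slapi-nis as I know them, and the two LDIF samples are constructed to resemble a master where ipa-adtrust-install set the nsswitch lookup and a replica where it was never set.

```shell
#!/bin/sh
# Added example: classify an LDIF dump of the slapi-nis plugin config
# as "off", "static" or "nsswitch". Not part of the original thread.
#
# Produce the LDIF on each IPA server (Directory Manager bind assumed):
#   ldapsearch -LLL -x -D "cn=Directory Manager" -W \
#     -b "cn=Schema Compatibility,cn=plugins,cn=config" \
#     nsslapd-pluginEnabled schema-compat-lookup-nsswitch | compat_status
#
# compat_status reads LDIF on stdin and prints one word:
#   off       plugin disabled, the cn=compat tree is not served at all
#   static    plugin on, no nsswitch lookup -> only IPA-native entries appear
#   nsswitch  plugin on and a container has schema-compat-lookup-nsswitch
#             -> names with @ are forwarded to SSSD, so AD users show up
compat_status() {
    awk '
        BEGIN { enabled = 0; nss = 0 }
        tolower($1) == "nsslapd-pluginenabled:" && tolower($2) == "on" { enabled = 1 }
        tolower($1) == "schema-compat-lookup-nsswitch:" { nss = 1 }
        END {
            if (!enabled)  print "off"
            else if (nss)  print "nsswitch"
            else           print "static"
        }
    '
}

# Constructed sample: master where the nsswitch lookup is configured.
MASTER_LDIF='dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-lookup-nsswitch: group
'

# Constructed sample: replica with the plugin on but no nsswitch lookup.
REPLICA_LDIF='dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
'

# Wrappers so the two samples can be checked by name.
master_status()  { printf '%s' "$MASTER_LDIF"  | compat_status; }
replica_status() { printf '%s' "$REPLICA_LDIF" | compat_status; }

# Run directly: prints one line per sample, e.g. "master: nsswitch".
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "master:  $(master_status)"
    echo "replica: $(replica_status)"
fi
```

Running the same ldapsearch on both servers and diffing the output is the quickest way to see why the master answers for AD users while the replica does not: the slapi-nis config lives in cn=config, which is not replicated, so ipa-adtrust-install (or a manual edit) on one server does not carry over to the others.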
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project