These attributes should be available from port 389 and not the global
catalog; please try a command such as:

ldapsearch -H ldap://<ip-address> -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber

replacing the root suffix in the search base, the IP address and the bind
credentials.
Kind regards,
Justin Stephenson
On 07/20/2016 08:15 AM, Jan Karásek wrote:
Hi,
thank you for the hint.
In /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
it's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
If I understand it right, it is the base uid number and the number of uids
in the range.
If neither discovered nor given via the CLI, then it generates a random base
and adds some default_range_size.
So these two attributes must be set to use the ipa-ad-trust-posix range?
Could anybody help me with how and where to check these attributes? I have
looked in the ldapsearch dump from my AD (Global catalog) and I can see
these attributes only in the schema, so no values are assigned.
I'm using W2012 R2.
Thank you,
Jan
------------------------------------------------------------------------
*From: *"Justin Stephenson" <[email protected]>
*To: *"Jan Karásek" <[email protected]>, [email protected]
*Sent: *Tuesday, July 19, 2016 8:36:00 PM
*Subject: *Re: [Freeipa-users] AD trust with POSIX attributes
Hello,
When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA
will search AD for the ID space of existing POSIX attributes to
automatically create a suitable ID range inside IPA.
You can check the exact steps and attributes searched by looking at
the add_range function definition in
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
I would suggest reviewing the output of 'ipa idrange-find' to confirm
that the range matches up with the uid and gidNumbers of your AD
environment.
Kind regards,
Justin Stephenson
On 07/19/2016 09:44 AM, Jan Karásek wrote:
Hi,
I am still fighting with storing users' POSIX attributes in AD.
Please, can anybody provide some simple reference settings for an
IPA-AD trust where users are able to get their uid from AD, not from
the IPA ID pool?
I have tried to set the attribute values before and after creating the
trust, I have tried different sssd settings, but I'm still getting the
uid from the IPA idrange pool instead of from the AD user's attribute.
What exactly is IPA checking when it tries to decide what type of
trust will be set: ['ipa-ad-trust-posix', 'ipa-ad-trust']?
Do I have to mandatorily fill some of the AD user's attributes to get it
to work? Currently I'm testing just with uidNumber and gidNumber.
There is almost no documentation about this topic, so I don't know
what else I can try ...
Thanks for help,
Jan
------------------------------------------------------------------------
Date: Tue, 21 Jun 2016 21:38:15 +0200
From: Jakub Hrozek <[email protected]>
To: [email protected]
Subject: Re: [Freeipa-users] AD trust with POSIX attributes
Message-ID: <20160621193815.GS29512@hendrix>
Content-Type: text/plain; charset=iso-8859-1
On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> Hi all,
>
> I have a question about IPA with AD forest trust. What I am
> trying to do is set up an environment where all information about
> users is stored in one place: AD. I would like to read at least
> uid, home, shell and sshkey from AD.
>
> I have set up the trust with these parameters:
>
> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
Did you add the POSIX attributes to AD after creating the trust maybe?
>
> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> Range name: EXAMPLE.TT_id_range
> First Posix ID of the range: 1392000000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
> Range type: Active Directory trust range with POSIX attributes
>
>
> I have set attributes in AD for [email protected]:
> - uidNumber: 10000
> - homeDirectory: /home/user
> - loginShell: /bin/bash
>
> The trust itself works fine. I can do kinit with [email protected], I
> can run id and getent passwd [email protected], and I can use
> [email protected] for ssh.
>
> Problem is, that I am not getting uid from AD but from idrange:
>
> uid=1392001107([email protected])
>
> Also, I have tried to switch off id mapping in sssd.conf with
> ldap_id_mapping = true in sssd.conf, but no luck.
This has no effect; in the IPA-AD trust scenario, the id mapping
properties are managed on the server.
>
> I know that it is probably better to use ID views for this, but
> in our case we need to set up a centrally managed environment, where
> all user information is externally inserted into AD from the HR system,
> including POSIX attributes, and we need IPA to read them from AD.
I think idviews are better for overriding POSIX attributes for a
specific set of hosts, but in your environment it sounds like you want
to use the POSIX attributes across the board.
>
> So my questions are:
>
> Is it possible to read users' POSIX attributes directly from AD,
> namely uid?
Yes
> Which attributes can be stored in AD?
Homedir is a bit special; for backwards compatibility the
subdomains_homedir takes precedence. The others should be read
from AD.
I don't have the environment set up at the moment, though, so I'm
operating purely from memory.
> Am I doing something wrong ?
>
> my sssd.conf:
> [domain/a.example.tt]
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #ldap_id_mapping = true
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = a.example.tt
> [nss]
> debug_level = 5
> homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
>
> [pam]
> debug_level = 5
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 4
> [pac]
>
> debug_level = 4
> [ifp]
>
> Thanks,
> Jan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
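Justin's two suggestions above (read msSFU30OrderNumber/msSFU30MaxUidNumber/msSFU30MaxGidNumber from the msSFU30DomainInfo entry under cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System, then compare the result of 'ipa idrange-find' with the uidNumber/gidNumber values in AD) can be scripted. The following is an added example, not FreeIPA's trust.py and not code posted by anyone in the thread. It works on constructed sample data: an msSFU30DomainInfo entry as ldapsearch would print it (with dc=example,dc=com as an assumed suffix and made-up values) and the idrange-show output Jan posted. The formula in posix_id_space() (base from msSFU30OrderNumber, span up to the larger max ID rounded up to a multiple of an assumed default size of 200000) is an assumption about how IPA derives the range, and the reading of offset_in_range() is an interpretation of Jan's symptom, not a statement from the thread.

```python
"""Compare an AD msSFU30 POSIX ID space with the ID range IPA created.

Added example; not FreeIPA's add_range() and not code from the thread.
"""

DEFAULT_RANGE_SIZE = 200000   # assumption: the size seen in Jan's idrange

# Constructed sample: what Justin's ldapsearch could return when the
# msSFU30 attributes carry values (in Jan's AD they exist only in schema).
SAMPLE_MSSFU30_LDIF = """\
dn: cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com
msSFU30OrderNumber: 10000
msSFU30MaxUidNumber: 10500
msSFU30MaxGidNumber: 10200
"""

# Jan's 'ipa idrange-show EXAMPLE.TT_id_range' output, copied from the thread.
JAN_IDRANGE_SHOW = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.  Comment lines and
    base64 ('::') values are skipped; the msSFU30 numbers never use base64."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        attr, sep, value = line.partition(':')
        if sep and not value.startswith(':'):
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def posix_id_space(info):
    """Return (base_id, range_size) derived from an msSFU30DomainInfo entry,
    or None when the attributes are missing or have no values (Jan's case).
    Assumed formula: base is msSFU30OrderNumber; the span up to the larger of
    msSFU30MaxUidNumber and msSFU30MaxGidNumber is rounded up to a multiple
    of DEFAULT_RANGE_SIZE."""
    try:
        base_id = int(info['msSFU30OrderNumber'][0])
        max_id = max(int(info['msSFU30MaxUidNumber'][0]),
                     int(info['msSFU30MaxGidNumber'][0]))
    except (KeyError, IndexError, ValueError):
        return None
    if max_id < base_id:
        return None
    range_size = ((max_id - base_id) // DEFAULT_RANGE_SIZE + 1) * DEFAULT_RANGE_SIZE
    return base_id, range_size


def parse_idrange_show(text):
    """Turn 'ipa idrange-show' output into a dict with base, size, type, sid."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(':')
        if sep:
            fields[key.strip()] = value.strip()
    return {
        'base': int(fields['First Posix ID of the range']),
        'size': int(fields['Number of IDs in the range']),
        'type': fields['Range type'],
        'sid': fields.get('Domain SID of the trusted domain', ''),
    }


def check_user(idrange, uid_number, gid_number):
    """Justin's suggested check: do the user's AD uidNumber and gidNumber fall
    inside the IPA range?  Returns a list of problems (empty = consistent)."""
    lo = idrange['base']
    hi = lo + idrange['size'] - 1
    problems = []
    if 'POSIX' not in idrange['type']:
        problems.append('range type is %r, not a POSIX trust range' % idrange['type'])
    for name, value in (('uidNumber', uid_number), ('gidNumber', gid_number)):
        if not lo <= value <= hi:
            problems.append('%s %d lies outside the IPA range %d-%d'
                            % (name, value, lo, hi))
    return problems


def offset_in_range(idrange, posix_id):
    """Offset of an observed ID from the range base, or None if it is outside.
    Jan's 1392001107 sits at offset 1107 from the range base, i.e. it looks
    computed from the range rather than read from uidNumber 10000 (an
    interpretation of the symptom, not a statement from the thread)."""
    offset = posix_id - idrange['base']
    return offset if 0 <= offset < idrange['size'] else None


if __name__ == '__main__':
    print(posix_id_space(parse_ldif_entry(SAMPLE_MSSFU30_LDIF)))
    jan = parse_idrange_show(JAN_IDRANGE_SHOW)
    for problem in check_user(jan, 10000, 10000):
        print(problem)
    print(offset_in_range(jan, 1392001107))
```

In practice you would feed parse_ldif_entry() the output of the ldapsearch Justin gives and parse_idrange_show() the output of 'ipa idrange-show <name>'; an empty result from posix_id_space() is the situation Jan describes, where the attributes exist in the schema but carry no values.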