On Tue, 21 Feb 2017, Hanoz Elavia wrote:
Hello,

I've got the FreeIPA server with AD trust (Server 2008 R2) setup and
running. I can login successfully on linux clients using AD credentials.
I'm now trying to setup my Isilon storage appliance with mixed mode file
sharing.

The filer has joined the AD so it provides Windows users access to the
files. However, being a legacy client, it uses simple bind to query ldap
for uid and gid. I was able to setup FreeIPA as the ldap server but it
doesn't seem to return the uid and gid for AD objects.

The query my storage is using is as follows:

ldapsearch -x -W -z 10 -H ldap://ipa.server.com \
    -b 'cn=compat,dc=ipa,dc=server,dc=com' \
    -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
    '(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup)(objectClass=person))'

The above command obtains all the IDs for the native FreeIPA users /
groups but doesn't return any results for AD users. Is there a way to get
this done? I can't install any clients on the Isilon as it uses a BSD-based
proprietary software. I can manually map FreeIPA-assigned uids / gids but
that's tedious and error-prone. Any help would be appreciated.

There is none. The compat tree is built with RFC2307 queries in mind.
RFC2307 clients issue a request with a specific user or group name, and
that triggers a lookup of the AD user/group through SSSD and insertion into
the compat tree. Part of the trigger is how the LDAP filter is built (see
the RFC for those). If your software does not use the same filter, you
wouldn't get a response.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
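Added example, not part of the thread or of FreeIPA's own tooling: the per-name RFC2307-style queries Alexander describes, beside the enumeration the filer sends. The filer's `(|(objectClass=posixAccount)...)` search names no user or group, so nothing is fetched from AD; a search for one specific uid, cn or uidNumber is the form that makes the compat tree ask SSSD. Server names, base DN, bind DN and the AD domain are placeholders taken from the question; which exact filter shapes slapi-nis recognizes is an assumption here (the reply points at the RFC for the authoritative list). Names that end up inside a filter are escaped per RFC 4515, because a `*` or parenthesis in an unescaped name changes what the query means.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the per-name RFC2307-style
# filters that trigger an AD lookup through the compat tree, then issues
# them with ldapsearch. Hostname, DNs and domain are placeholders.

IPA_URI="${IPA_URI:-ldap://ipa.server.com}"
COMPAT_BASE="${COMPAT_BASE:-cn=compat,dc=ipa,dc=server,dc=com}"
BIND_DN="${BIND_DN:-uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com}"

# RFC 4515 escaping for a value placed inside an LDAP filter. Names may
# come from an external list or from the filer; splicing them in raw lets
# "*" or parentheses rewrite the query (LDAP filter injection).
# Backslash is handled first so the escapes it introduces are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_filter user NAME   -> (&(objectClass=posixAccount)(uid=NAME))
# build_filter group NAME  -> (&(objectClass=posixGroup)(cn=NAME))
# build_filter uidnum N    -> (&(objectClass=posixAccount)(uidNumber=N))
# These are the per-name forms an RFC2307 client sends (assumed here to be
# what the compat plugin keys on); compare with the filer's enumeration:
#   (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup)(objectClass=person))
build_filter() {
    kind=$1
    val=$(ldap_escape "$2")
    case $kind in
        user)   printf '(&(objectClass=posixAccount)(uid=%s))' "$val" ;;
        group)  printf '(&(objectClass=posixGroup)(cn=%s))' "$val" ;;
        uidnum) printf '(&(objectClass=posixAccount)(uidNumber=%s))' "$val" ;;
        *)      echo "unknown kind: $kind" >&2; return 1 ;;
    esac
}

# compat_lookup KIND NAME: one per-name query against the compat tree.
# Needs network access to the IPA server and the bind password in the
# file named by LDAP_BIND_PW_FILE (-y keeps it off the process list).
# Only the filter construction above can be exercised offline.
compat_lookup() {
    filter=$(build_filter "$1" "$2") || return 1
    ldapsearch -x -LLL -H "$IPA_URI" -D "$BIND_DN" -y "$LDAP_BIND_PW_FILE" \
        -b "$COMPAT_BASE" "$filter" uid uidNumber gidNumber cn
}

# Usage (AD names carry the domain suffix in the compat tree):
#   LDAP_BIND_PW_FILE=/root/.bindpw compat_lookup user  'jdoe@ad.example.com'
#   LDAP_BIND_PW_FILE=/root/.bindpw compat_lookup group 'domain users@ad.example.com'
```

The contrast is the whole point: `compat_lookup user 'jdoe@ad.example.com'` names a principal, so the compat tree can hand that name to SSSD; the filer's enumeration names nobody, so there is nothing for it to resolve. Escaping matters as soon as the name comes from anywhere other than your own keyboard.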