Thanks Alex,

Does it also mean that I'll have to install the FreeIPA server with
--enable-compat? I didn't do that.



*Hanoz Elavia |*  IT Manager
*O:* 604-734-2866
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy wrote:

> On Wed, 22 Feb 2017, Hanoz Elavia wrote:
>> Hey Alex,
>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>> version of the Windows Server, SFU seems to have been discontinued.
> I think you are confused by the names. What Compat tree provides is an
> interface on IPA side to look up identities of AD users and groups over
> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
> we don't depend on how Windows side provides or does not provide
> attributes.
> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
> generated by SSSD, or stored in ID overrides in IPA.
> But the query format is the one described in RFC 2307 because this is
> what all nss implementations like nss_ldap or similar ones use in
> UNIX-like environments. Windows Server is merely implementing the same
> LDAP schema to allow interoperability with the same clients. Think of
> Compat Tree in IPA as doing the same, just dynamically.
> --
> / Alexander Bokovoy