Hey Alexander,

So based on the RFC 2307 documentation, I built a test server and ran the following command:

ldapsearch -x -W -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid= ad_u...@server.com'

It worked as expected. Then once I rebooted the test server it stopped working. Any idea which service might be failing?

Regards,

Hanoz

On Wed, Feb 22, 2017 at 8:40 AM, Hanoz Elavia <h.ela...@atomiccartoons.com> wrote:

> Hey Alex,
>
> Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
> have a look at the link and see if we can change the query to obtain the
> info required.
>
> Regards,
>
> Hanoz
>
> *Hanoz Elavia |* IT Manager
> *O:* 604-734-2866 *|* *www.atomiccartoons.com <http://www.atomiccartoons.com>*
> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>
> On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Wed, 22 Feb 2017, Hanoz Elavia wrote:
>>
>>> Thanks Alex,
>>>
>>> Does it also mean that I'll have to install the FreeIPA server with
>>> --enable-compat? I didn't do that.
>>
>> check ipa-compat-manage tool.
>>
>>> Regards,
>>>
>>> Hanoz
>>>
>>> *Hanoz Elavia |* IT Manager
>>> *O:* 604-734-2866 *|* *www.atomiccartoons.com <http://www.atomiccartoons.com>*
>>> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>>>
>>> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>
>>>> On Wed, 22 Feb 2017, Hanoz Elavia wrote:
>>>>
>>>>> Hey Alex,
>>>>>
>>>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>>>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>>>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>>>> version of the Windows Server, SFU seems to have been discontinued.
>>>>
>>>> I think you are confused by the names. What Compat tree provides is an
>>>> interface on IPA side to look up identities of AD users and groups over
>>>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>>>> we don't depend on how Windows side provides or does not provide
>>>> attributes.
>>>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>>>> generated by SSSD, or stored in ID overrides in IPA.
>>>>
>>>> But the query format is the one described in RFC 2307 because this is
>>>> what all nss implementations like nss_ldap or similar ones use in
>>>> UNIX-like environments. Windows Server is merely implementing the same
>>>> LDAP schema to allow interoperability with the same clients. Think of
>>>> Compat Tree in IPA as doing the same, just dynamically.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>
>> --
>> / Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
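
An added example, not part of the thread and not FreeIPA's own code: the RFC 2307 query format mentioned in the thread, written as the filters an nss_ldap-style client would send for each NSS call, with RFC 4515 escaping so a user or group name cannot alter the filter. The server URI, suffix and bind DN are taken from the ldapsearch command in the thread; the function names and the cn=users / cn=groups containers under cn=compat are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Server, suffix and bind DN are copied from
# the ldapsearch command in the thread; function names are hypothetical.
IPA_URI='ldap://ipa.server.com'
SUFFIX='dc=ipa,dc=server,dc=com'
BIND_DN="uid=admin,cn=users,cn=accounts,$SUFFIX"

# Escape a value for an LDAP search filter (RFC 4515). Backslash goes first so
# the backslashes added for '*', '(' and ')' are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Map an NSS-style call to the RFC 2307 filter an nss_ldap-like client sends.
rfc2307_filter() {
    val=$(ldap_escape "$2")
    case $1 in
        getpwnam)   printf '(&(objectClass=posixAccount)(uid=%s))' "$val" ;;
        getgrnam)   printf '(&(objectClass=posixGroup)(cn=%s))' "$val" ;;
        initgroups) printf '(&(objectClass=posixGroup)(memberUid=%s))' "$val" ;;
        getpwuid|getgrgid)
            # Numeric IDs only: reject anything that is not all digits.
            case $2 in ''|*[!0-9]*) return 1 ;; esac
            if [ "$1" = getpwuid ]; then
                printf '(&(objectClass=posixAccount)(uidNumber=%s))' "$2"
            else
                printf '(&(objectClass=posixGroup)(gidNumber=%s))' "$2"
            fi ;;
        *) return 2 ;;
    esac
}

# Users and groups live in separate containers under cn=compat (assumed layout).
compat_base() {
    case $1 in
        getpw*)            printf 'cn=users,cn=compat,%s' "$SUFFIX" ;;
        getgr*|initgroups) printf 'cn=groups,cn=compat,%s' "$SUFFIX" ;;
        *) return 2 ;;
    esac
}

compat_lookup() {
    filter=$(rfc2307_filter "$1" "$2") || return
    base=$(compat_base "$1") || return
    ldapsearch -x -W -H "$IPA_URI" -D "$BIND_DN" -b "$base" -s sub "$filter"
}

# Usage: sh compat-lookup.sh getpwnam 'user@ad.example.test' (constructed name)
if [ "$#" -ge 2 ]; then compat_lookup "$1" "$2"; fi
```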