On Wed, 22 Feb 2017, Hanoz Elavia wrote:
Hey Alexander,

So based on the RFC 2307 documentation, I built a test server and ran the
following command:

ldapsearch -x -W -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid=ad_u...@server.com'

It worked as expected. Then once I rebooted the test server it stopped
working. Any idea which service might be failing?
As I said, these are dynamic entries. You should use proper queries.
I mentioned RFC2307, use section 5.2 to get proper queries.

For example, for a user that would be (&(objectClass=posixAccount)(uid=%s))
where %s is ad_u...@server.com according to your example.

This is what would be intercepted and queried through SSSD.

For example:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
SASL/GSSAPI authentication started
SASL username: ad...@xs.ipa.cool
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
# requesting: ALL
#

# u...@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: <some base64 value>
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: u...@ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Regards,

Hanoz



On Wed, Feb 22, 2017 at 8:40 AM, Hanoz Elavia <h.ela...@atomiccartoons.com>
wrote:

Hey Alex,

Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
have a look at the link and see if we can change the query to obtain the
info required.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Wed, 22 Feb 2017, Hanoz Elavia wrote:

Thanks Alex,

Does it also mean that I'll have to install the FreeIPA server with
--enable-compat? I didn't do that.


Check the ipa-compat-manage tool.


Regards,

Hanoz



On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Wed, 22 Feb 2017, Hanoz Elavia wrote:

Hey Alex,

Thanks for the link. Isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier, but I haven't
enabled that, mainly because SSSD now maps the IDs. Also, in the newer
version of Windows Server, SFU seems to have been discontinued.

I think you are confused by the names. What the Compat tree provides is an
interface on the IPA side to look up identities of AD users and groups over
LDAP. The Compat tree will do the lookup through SSSD on your behalf. This means
we don't depend on how the Windows side provides or does not provide
attributes. Everything SSSD can resolve can be returned, be it stored in AD
LDAP, generated by SSSD, or stored in ID overrides in IPA.

But the query format is the one described in RFC 2307 because this is
what all nss implementations like nss_ldap or similar ones use in
UNIX-like environments. Windows Server is merely implementing the same
LDAP schema to allow interoperability with the same clients. Think of
Compat Tree in IPA as doing the same, just dynamically.


--
/ Alexander Bokovoy


--
/ Alexander Bokovoy




--
/ Alexander Bokovoy
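The thread's point is that the compat tree answers the RFC 2307 section 5.2 filters that any NSS client sends, with the login name substituted for %s. The script below is an added example, not FreeIPA or SSSD code: it builds those filters with RFC 4515 escaping of the substituted name (so a name taken from a form or a CLI argument cannot change the shape of the query), produces the ldapsearch argv from the thread, and parses the LDIF that ldapsearch prints so the uidNumber/gidNumber can be checked. The base DN is the one used in the thread; SAMPLE_LDIF is constructed from the output quoted above, with a placeholder base64 anchor in place of the real ipaAnchorUUID.

```python
"""Added example (not FreeIPA/SSSD code): RFC 2307 lookups against the IPA
compat tree and parsing of the LDIF ldapsearch returns."""
from __future__ import annotations

import base64
import re

COMPAT_BASE = "cn=compat,dc=xs,dc=ipa,dc=cool"  # base DN used in the thread

# RFC 4515 escaping for the value that replaces %s in the filter. The login
# name often comes from outside (a form, a ticket, an argv), so escape it or
# a caller can turn a single-user lookup into a wildcard or a different filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape LDAP filter metacharacters in an assertion value."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def user_filter(uid: str) -> str:
    """RFC 2307 5.2 user lookup by login name (what getpwnam sends)."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))"


def group_filter(cn: str) -> str:
    """RFC 2307 5.2 group lookup by name (what getgrnam sends)."""
    return f"(&(objectClass=posixGroup)(cn={escape_filter_value(cn)}))"


def ldapsearch_argv(filter_str: str, base: str = COMPAT_BASE) -> list[str]:
    """argv for the GSSAPI search from the thread; run it with subprocess.run
    and no shell=True, so the filter is never re-parsed by a shell."""
    return ["ldapsearch", "-Y", "GSSAPI", "-b", base, filter_str]


_ATTR = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """One {attr: [values]} dict per entry. Unfolds continuation lines,
    decodes '::' base64 values, skips '#' comments and the search:/result:
    trailer (which has no dn)."""
    entries: list[dict[str, list[str]]] = []
    unfolded = text.replace("\n ", "")
    for block in re.split(r"\n\s*\n", unfolded):
        entry: dict[str, list[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = _ATTR.match(line)
            if not m:
                continue
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries


def posix_identity(entry: dict[str, list[str]], base: str = COMPAT_BASE) -> dict:
    """Pick out what NSS needs; reject entries that are not posixAccount
    objects from the compat tree so a stray entry is never consumed."""
    dn = entry["dn"][0]
    if not dn.lower().endswith("," + base.lower()):
        raise ValueError(f"entry outside the compat tree: {dn}")
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError(f"not a posixAccount: {dn}")
    return {
        "uid": entry["uid"][0],
        "uidNumber": int(entry["uidNumber"][0]),
        "gidNumber": int(entry["gidNumber"][0]),
        "homeDirectory": entry["homeDirectory"][0],
        "loginShell": entry["loginShell"][0],
    }


# Constructed from the output quoted in the thread; the base64 anchor value
# is a placeholder, not a real ipaAnchorUUID.
SAMPLE_LDIF = """\
# extended LDIF
#
# filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
#

# u...@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: c29tZS1hbmNob3I=
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: u...@ad.ipa.cool

# search result
search: 4
result: 0 Success
"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv(user_filter("u...@ad.ipa.cool"))))
    for e in parse_ldif(SAMPLE_LDIF):
        print(posix_identity(e))
```

Run it as-is to see the argv and the parsed identity for the sample; to query a live compat tree, feed `ldapsearch_argv(...)` to `subprocess.run(..., capture_output=True, text=True)` after a `kinit` and pass the stdout to `parse_ldif`. The compat tree only returns what SSSD resolves, so an empty result after a reboot is a reason to check that sssd and the compat plugin (ipa-compat-manage status) are both up before suspecting the filter.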

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
