> For example, for a user that would be (&(objectClass=posixAccount)(uid=%s))
> where %s is ad_u...@server.com according to your example.
> 
> This is what would be intercepted and queried through SSSD.
> 
> For example:
> 
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
> '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
> SASL/GSSAPI authentication started
> SASL username: ad...@xs.ipa.cool
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
> # requesting: ALL
> #
> 
> # u...@ad.ipa.cool, users, compat, xs.ipa.cool
> dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
> objectClass: ipaOverrideTarget
> objectClass: posixAccount
> objectClass: top
> cn: YO!
> gidNumber: 967001113
> gecos: YO!
> ipaAnchorUUID:: <some base64 value>
> uidNumber: 967001113
> loginShell: /bin/bash
> homeDirectory: /home/ad.ipa.cool/user
> uid: u...@ad.ipa.cool
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1

I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage status" 
says "Plugin Enabled", but searches for AD users yield no results:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone \
    '(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))' \
    -W -x -D 'cn=Directory Manager'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


I'm currently logged into the machine with an AD account from a trust:

[jna...@lab.gen.zone@sl2aospljmp0001 ~]$ whoami
jna...@lab.gen.zone
[jna...@lab.gen.zone@sl2aospljmp0001 ~]$ id
uid=21104(jna...@lab.gen.zone) gid=21104(jna...@lab.gen.zone) groups=21104(jna...@lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain adm...@lab.gen.zone),20513(domain us...@lab.gen.zone),21112(lxus...@lab.gen.zone),21117(lab_adm...@lab.gen.zone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


If I search for a user that is local to IPA it works:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone \
    '(&(objectClass=posixAccount)(uid=jnance-ipa))' \
    -W -x -D 'cn=Directory Manager' \
    -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
# requesting: ALL
#

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
cn: Jason Nance
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 10008
gecos: Jason Nance
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uidNumber: 10008
loginShell: /bin/bash
homeDirectory: /home/jnance-ipa
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for jna...@lab.gen.zone:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone \
    '(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
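The thread above builds the compat-tree lookup by substituting a user name into (&(objectClass=posixAccount)(uid=%s)) and then reads the LDIF that ldapsearch prints back. The following script is an added example written for this page, not code from the thread or from FreeIPA/SSSD: it substitutes the user name with RFC 4515 filter escaping (so a name containing "*", "(" or ")" cannot widen or break the filter), parses an ldapsearch LDIF transcript into entries so a script can tell a hit from the empty result seen for the AD user, and decodes the base64 ipaAnchorUUID of the IPA-local user shown above. The two LDIF samples are copied from the transcripts in this message and embedded as constructed input; the function names are the example's own.

```python
"""Added example: safe compat-tree filter construction plus LDIF parsing.

Not part of the mailing-list thread or of FreeIPA/SSSD; all function
names here are this example's own.
"""
import base64

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def compat_user_filter(username):
    """The (&(objectClass=posixAccount)(uid=%s)) filter from the thread,
    with the user name escaped before substitution."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts.

    Skips '#' comment lines and the trailing search/result lines, unfolds
    continuation lines (leading space) and keeps '::' base64 values as the
    raw base64 string.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # folded continuation of previous line
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: base64value"
            value = value[1:]
        value = value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def decode_anchor(b64):
    """Decode a base64 ipaAnchorUUID value to its text form."""
    return base64.b64decode(b64).decode("ascii")


def compat_lookup_found(ldif_text):
    """True if the compat tree returned at least one posixAccount entry."""
    return any("posixAccount" in e.get("objectClass", []) for e in parse_ldif(ldif_text))


# Constructed sample input: the IPA-local user transcript from the message above.
LOCAL_USER_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
# requesting: ALL
#

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
cn: Jason Nance
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 10008
gecos: Jason Nance
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uidNumber: 10008
loginShell: /bin/bash
homeDirectory: /home/jnance-ipa
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed sample input: the empty result seen for the AD trust user.
AD_USER_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

if __name__ == "__main__":
    print(compat_user_filter("jna...@lab.gen.zone"))
    print(compat_lookup_found(LOCAL_USER_LDIF), compat_lookup_found(AD_USER_LDIF))
    entry = parse_ldif(LOCAL_USER_LDIF)[0]
    print(decode_anchor(entry["ipaAnchorUUID"][0]))
```

The decoded anchor for the IPA-local user reads ":IPA:ipa.lab.gen.zone:<uuid>"; a compat entry for a trusted AD user carries the user's SID in the anchor instead, which is one quick way to confirm which identity source a returned entry came from.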
