On ke, 22 helmi 2017, Jason B. Nance wrote:
For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
where %s is ad_u...@server.com according to your example.

This is what would be intercepted and queried through SSSD.

For example:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
SASL/GSSAPI authentication started
SASL username: ad...@xs.ipa.cool
SASL data security layer installed.
# extended LDIF
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
# requesting: ALL

# u...@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: <some base64 value>
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: u...@ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
status" says "Plugin Enabled", but searches for AD users yield no
Sorry, I forgot mention yesterday that if you didn't use
'ipa-adtrust-install --enable-compat' then one thing is missing from
compat tree configuration to allow resolution of AD users. Luckily, it
is a simple ldapadd that can fix it. You can use ipa-ldap-updater:

# cat 80-enable-compat-nsswitch.update dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
# ipa-ldap-updater ./80-enable-compat-nsswitch.update
and then restart 389-ds.

As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for jna...@lab.gen.zone:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
I used IPA user, not AD user to bind with GSSAPI.

In FreeIPA 4.4 it should also work with AD user as well but only if the
user has ID override entry, even empty one:

# ipa idoverrideuser-add 'Default Trust View' administra...@ad.ipa.cool

and now administra...@ad.ipa.cool will be able to issue ldap searches
against IPA LDAP server from Linux machines. Note that ldp.exe will
still be unable to perform searches against IPA LDAP until
https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to