Thanks Alexander, I have rebuilt the server with compatibility and I can now query AD users. I'll just have to confirm with Dell / EMC whether the Isilon can now handle this.
Regards,
Hanoz

On Wed, Feb 22, 2017 at 10:26 PM, Alexander Bokovoy <[email protected]> wrote:
> On Wed, 22 Feb 2017, Jason B. Nance wrote:
>>> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>>> where %s is [email protected] according to your example.
>>>
>>> This is what would be intercepted and queried through SSSD.
>>>
>>> For example:
>>>
>>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>>> '(&(objectClass=posixAccount)([email protected]))'
>>> SASL/GSSAPI authentication started
>>> SASL username: [email protected]
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
>>> # filter: (&(objectClass=posixAccount)([email protected]))
>>> # requesting: ALL
>>> #
>>>
>>> # [email protected], users, compat, xs.ipa.cool
>>> dn: [email protected],cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
>>> objectClass: ipaOverrideTarget
>>> objectClass: posixAccount
>>> objectClass: top
>>> cn: YO!
>>> gidNumber: 967001113
>>> gecos: YO!
>>> ipaAnchorUUID:: <some base64 value>
>>> uidNumber: 967001113
>>> loginShell: /bin/bash
>>> homeDirectory: /home/ad.ipa.cool/user
>>> uid: [email protected]
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>
>> I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage
>> status" says "Plugin Enabled", but searches for AD users yield no
>> results:
>
> Sorry, I forgot to mention yesterday that if you didn't use
> 'ipa-adtrust-install --enable-compat' then one thing is missing from
> the compat tree configuration to allow resolution of AD users. Luckily, it
> is a simple ldapadd that can fix it. You can use ipa-ldap-updater:
>
> # cat 80-enable-compat-nsswitch.update
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> add:schema-compat-lookup-nsswitch: user
>
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> add:schema-compat-lookup-nsswitch: group
> # ipa-ldap-updater ./80-enable-compat-nsswitch.update
>
> and then restart 389-ds.
>
>> As a side note, I'm also not able to use GSSAPI auth as you did:
>>
>> $ kinit
>> Password for [email protected]:
>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)([email protected]))'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> I used an IPA user, not an AD user, to bind with GSSAPI.
>
> In FreeIPA 4.4 it should also work with an AD user, but only if the
> user has an ID override entry, even an empty one:
>
> # ipa idoverrideuser-add 'Default Trust View' [email protected]
>
> and now [email protected] will be able to issue ldap searches
> against the IPA LDAP server from Linux machines. Note that ldp.exe will
> still be unable to perform searches against IPA LDAP until
> https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a
> distribution.
>
> --
> / Alexander Bokovoy
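As an added example (not code from the thread or from FreeIPA), the following builds the filter that the Isilon's "(&(objectClass=posixAccount)(uid=%s))" template expands to, escaping the substituted value per RFC 4515 so an unexpected %s cannot change the filter's meaning, and checks the LDIF that ldapsearch returns from cn=compat for the attributes a posixAccount entry must carry. The user name `user@ad.ipa.cool`, the anchor value and the sample LDIF are constructed, modelled on the output quoted above.

```python
import base64
# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value before it is substituted for %s in a filter template."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def compat_user_filter(principal: str) -> str:
    """The filter the Isilon template expands to for one AD user in cn=compat."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(principal)}))"

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """LDIF reader for ldapsearch output: skips '#' comments, decodes '::' base64, keeps only records with a dn."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line ends a record
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, raw = line.partition(":")
        value = base64.b64decode(raw[1:].strip()).decode() if raw.startswith(":") else raw.strip()
        current.setdefault(attr, []).append(value)
    return entries

def compat_entry_ok(entry: dict[str, list[str]], principal: str) -> bool:
    """True when entry is the posixAccount the compat tree should expose for principal."""
    needed = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")
    return (principal in entry.get("uid", []) and "posixAccount" in entry.get("objectClass", [])
            and all(k in entry for k in needed))

# Constructed LDIF modelled on the output quoted above; the anchor is base64 of "constructed-anchor".
SAMPLE_LDIF = """\
dn: uid=user@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
gidNumber: 967001113
ipaAnchorUUID:: Y29uc3RydWN0ZWQtYW5jaG9y
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: user@ad.ipa.cool

# search result
search: 4
result: 0 Success
"""
```

Feeding real ldapsearch output to `parse_ldif` and the returned entry to `compat_entry_ok` gives a quick check that the compat tree is exposing the AD user with the fields an NFS/SMB appliance needs.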
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
