On Thu, 23 Feb 2017, Hanoz Elavia wrote:

My FreeIPA clients and server are set up to use the AD domain as the
default. This is done using the default_domain_suffix parameter in the sssd
section of the sssd.conf file.

This works fine for users when we use ldapsearch but not so much for
groups. For example:

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=

works fine but

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
'cn=compat,dc=ipa,dc=server,dc=com' -D

won't work. However, the above will work fine for users. I'm using the

No, the compat tree is designed to be used with fully-qualified groups and
users. There is no way around it.

/ Alexander Bokovoy
