On to, 23 helmi 2017, Hanoz Elavia wrote:
Hello,

My FreeIPA clients and server are setup to use the AD domain as the
default. This is done using the default_domain_suffix parameter in the sssd
section of the sssd.conf file.

This works fine for users when we use ldapsearch but not so much for
groups. For e.g.:

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=
domaingr...@server.com)'

works fine but

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'
'(cn=domaingroup)'

won't work. However, the above will work fine for users. I'm using the
No, compat tree is designed to be used with fully-qualified groups and
users. There is no way around it.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to