Re: [Freeipa-users] Default domain for AD groups
Thanks Alexander!!

On Fri, Feb 24, 2017 at 6:04 AM, Alexander Bokovoy wrote:

> On Thu, 23 Feb 2017, Hanoz Elavia wrote:
>
>> Hello,
>>
>> My FreeIPA clients and server are set up to use the AD domain as the
>> default. This is done using the default_domain_suffix parameter in the
>> sssd
>> section of the sssd.conf file.
>>
>> This works fine for users when we use ldapsearch but not so much for
>> groups. For e.g.:
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
>> 'cn=compat,dc=ipa,dc=server,dc=com' -D
>> 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=
>> domaingr...@server.com)'
>>
>> works fine but
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
>> 'cn=compat,dc=ipa,dc=server,dc=com' -D
>> 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'
>> '(cn=domaingroup)'
>>
>> won't work. However, the above will work fine for users. I'm using the
>>
> No, compat tree is designed to be used with fully-qualified groups and
> users. There is no way around it.
>
> --
> / Alexander Bokovoy
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Default domain for AD groups
On Thu, 23 Feb 2017, Hanoz Elavia wrote:

> Hello,
>
> My FreeIPA clients and server are set up to use the AD domain as the
> default. This is done using the default_domain_suffix parameter in the
> sssd section of the sssd.conf file.
>
> This works fine for users when we use ldapsearch but not so much for
> groups. For e.g.:
>
> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=domaingr...@server.com)'
>
> works fine but
>
> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=domaingroup)'
>
> won't work. However, the above will work fine for users. I'm using the

No, compat tree is designed to be used with fully-qualified groups and
users. There is no way around it.

--
/ Alexander Bokovoy
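
The point of the reply above, as an added example that is not part of the thread: because the compat tree only matches fully-qualified names, a script can qualify a short name itself before it searches. The function names are hypothetical, server.com is the domain from the commands in the thread, and the filter escaping follows RFC 4515.

```shell
#!/bin/sh
# Added example (not from the thread): build a compat-tree search filter
# whose cn is always fully qualified. Function names are hypothetical.

# Escape the characters RFC 4515 reserves inside a filter value, so a name
# taken from user input cannot change the shape of the filter.
# The backslash is handled first so later escapes are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# compat_cn_filter NAME DEFAULT_DOMAIN
# Appends @DEFAULT_DOMAIN when NAME carries no domain part, leaves an
# already-qualified NAME alone, and prints the escaped (cn=...) filter.
compat_cn_filter() {
    name=$1
    domain=$2
    [ -n "$name" ] || { echo "compat_cn_filter: empty name" >&2; return 1; }
    case $name in
        *@*) fq=$name ;;
        *)   fq=$name@$domain ;;
    esac
    printf '(cn=%s)' "$(ldap_escape "$fq")"
}

# Usage with the search from the thread (same base and bind DN):
#   ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
#     -b 'cn=compat,dc=ipa,dc=server,dc=com' \
#     -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
#     "$(compat_cn_filter domaingroup server.com)"
```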
[Freeipa-users] Default domain for AD groups
Hello,

My FreeIPA clients and server are set up to use the AD domain as the default. This is done using the default_domain_suffix parameter in the sssd section of the sssd.conf file.

This works fine for users when we use ldapsearch but not so much for groups. For e.g.:

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=domaingr...@server.com)'

works fine but

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=domaingroup)'

won't work. However, the above will work fine for users. I'm using the following:

AD: Windows 2008 R2
FreeIPA Server: 4.4.0-14
FreeIPA Client: 4.4.0-14
SSSD: 1.14.0-43
Linux version: CentOS 7.3 x86_64

The AD trust is set up with --enable-compat.

Regards,
Hanoz