[Freeipa-users] Re: AD user shown id command but visible for ldapsearch

2018-07-04 Thread Pieter Baele via FreeIPA-users
Thanks a lot Alexander

Strange, I am almost sure I got no results earlier if I used uid=**
searches
Users are perfectly found now, both fully qualified and with other
queries.

Honestly, it's a bit of a missing feature (for my use cases!) that RFC2307bis
draft 02 presentation is missing for AD users,
on the other side it is a very nice accomplishment that both RFC2307 in
compat and RFC2307bis in cn=accounts are available in FreeIPA.
It's a perfect platform for Linux and suitable for Unix. Because IMO LDAP
always has been a bit too complicated for system auth ;-)


$ ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=*mcj*))'
SASL/GSSAPI authentication started
SASL username: ad...@accnix.infrabel.be
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=posixAccount)(uid=*mcj*))
# requesting: ALL
#

# mcj7...@accmsnet.railb.be, users, compat, accnix.infrabel.be
dn: uid=mcj7...@accmsnet.railb.be,cn=users,cn=compat,dc=accnix,dc=infrabel,dc=
 be
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: x
cn: x
uidNumber: x
gidNumber: x
homeDirectory: /home/Accmsnet.railb.be/mcj7700
ipaAnchorUUID:: x
uid: mcj7...@accmsnet.railb.be

Thx a lot!
-- Pieter




On Wed, Jul 4, 2018 at 7:22 AM Alexander Bokovoy wrote:

> On Wed, 04 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> >Hi,
> >
> >On a test FreeIPA environment (4.5.0-22), a user is shown using the id
> >command, so ID Override is working as well.
> >id x...@accmsnet.railb.be
> >uid=8028(x...@accmsnet.railb.be) gid=4030(ucc)
> >groups=4030(ucc),702800513(domain us...@accmsnet.railb.be),131849(ad_users)
> >
> >However this particular (AD) user is not shown using an ldapsearch in the
> >compat
> >ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=))'
> >
> ># extended LDIF
> >#
> ># LDAPv3
> ># base  with scope subtree
> ># filter: (&(objectClass=posixAccount)(uid=mcj7700))
> Here uid is non-fully qualified. A trigger in the compat tree plugin is
> built around using fully qualified user names for AD users, e.g.
> (uid=mcj...@accmsnet.railb.be).
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IJGUGRQN5UF3EHIJCNR4IPH3CT7T3RIW/


[Freeipa-users] Re: AD user shown id command but visible for ldapsearch

2018-07-03 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 04 Jul 2018, Pieter Baele via FreeIPA-users wrote:

> Hi,
>
> On a test FreeIPA environment (4.5.0-22), a user is shown using the id
> command, so ID Override is working as well.
> id x...@accmsnet.railb.be
> uid=8028(x...@accmsnet.railb.be) gid=4030(ucc)
> groups=4030(ucc),702800513(domain us...@accmsnet.railb.be),131849(ad_users)
>
> However this particular (AD) user is not shown using an ldapsearch in the
> compat
> ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=))'
>
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=mcj7700))

Here uid is non-fully qualified. A trigger in the compat tree plugin is
built around using fully qualified user names for AD users, e.g.
(uid=mcj...@accmsnet.railb.be).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
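
The reply above, as an added example that is not part of the thread or of FreeIPA's own code: a shell helper that qualifies a short AD login with its domain and escapes it as an exact-match filter value before querying the compat tree. The function names are hypothetical; the base DN, domain and sample login are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Default search base, as used in the thread's ldapsearch commands.
COMPAT_BASE='cn=compat,dc=accnix,dc=infrabel,dc=be'

# Escape RFC 4515 filter metacharacters so the name is matched literally.
# The backslash is handled first so later escapes are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Append the AD domain unless the name is already fully qualified.
qualify_uid() {
    case "$1" in
        *@*) printf '%s' "$1" ;;
        *)   printf '%s@%s' "$1" "$2" ;;
    esac
}

# Build the exact-match filter for a fully qualified AD user name.
# Usage: compat_uid_filter NAME AD_DOMAIN
compat_uid_filter() {
    [ -n "$1" ] || { echo 'user name required' >&2; return 1; }
    case "$1" in
        *@*) ;;
        *) [ -n "$2" ] || { echo 'AD domain required' >&2; return 1; } ;;
    esac
    printf '(&(objectClass=posixAccount)(uid=%s))' \
        "$(ldap_escape "$(qualify_uid "$1" "$2")")"
}

# Run the query with the same authentication and base as in the thread.
# Usage: compat_lookup NAME AD_DOMAIN [BASE_DN]
compat_lookup() {
    filter=$(compat_uid_filter "$1" "$2") || return 1
    ldapsearch -Y GSSAPI -LLL -b "${3:-$COMPAT_BASE}" "$filter" \
        uid uidNumber gidNumber homeDirectory
}

# Example call, needs a Kerberos ticket and a reachable server:
#   compat_lookup mcj7700 accmsnet.railb.be
```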