Re: [Freeipa-users] ldapsearch for AD users

2017-02-23 Thread Hanoz Elavia
Thanks Alexander, I have rebuilt the server with compatibility and I can now query AD users. I'll just have to confirm with Dell / EMC whether the Isilon can now handle this. Regards, Hanoz On Wed, Feb 22, 2017 at 10:26 PM, Alexander Bokovoy wrote: > On ke, 22 helmi

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On Wed, 22 Feb 2017, Jason B. Nance wrote: For example, for a user that would be (&(objectClass=posixAccount)(uid=%s)) where %s is ad_u...@server.com according to your example. This is what would be intercepted and queried through SSSD. For example: $ ldapsearch -Y GSSAPI -b

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason, I am not sure about that. I just rebuilt my IPA server since its only purpose is to authenticate users with the AD. As for the clients, I removed them from the FreeIPA server using ipa-client-install --uninstall and rebooted. Once they rebooted my saltstack state added them back to

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> I realized I had made one more change. I set up the FreeIPA server again and > this > time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install > command. Is it safe to re-run ipa-adtrust-install? I have existing trusts in place. Thanks, j

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason, Also, my bind DN is a native FreeIPA user and doesn't exist on the Active Directory. Regards, Hanoz Hanoz Elavia | IT Manager O: 604-734-2866 | www.atomiccartoons.com 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6 On Wed, Feb 22, 2017 at

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason, I realized I had made one more change. I set up the FreeIPA server again and this time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install command. Yes, I cannot use GSSAPI as well. I use simple bind to run an LDAP query. On IPA clients I don't need to authenticate as IPA

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> For example, for a user that would be (&(objectClass=posixAccount)(uid=%s)) > where %s is ad_u...@server.com according to your example. > > This is what would be intercepted and queried through SSSD. > > For example: > > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool >

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On Wed, 22 Feb 2017, Hanoz Elavia wrote: Hey Alexander, So based on the RFC 2307 documentation, I built a test server and ran the following command: ldapsearch -x -W -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alexander, So based on the RFC 2307 documentation, I built a test server and ran the following command: ldapsearch -x -W -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid= ad_u...@server.com' It worked

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex, Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll have a look at the link and see if we can change the query to obtain the info required. Regards, Hanoz Hanoz Elavia | IT Manager O: 604-734-2866 | www.atomiccartoons.com

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On Wed, 22 Feb 2017, Hanoz Elavia wrote: Thanks Alex, Does it also mean that I'll have to install the FreeIPA server with --enable-compat ? I didn't do that. check ipa-compat-manage tool. Regards, Hanoz Hanoz Elavia | IT Manager O: 604-734-2866 | www.atomiccartoons.com

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks Alex, Does it also mean that I'll have to install the FreeIPA server with --enable-compat ? I didn't do that. Regards, Hanoz Hanoz Elavia | IT Manager O: 604-734-2866 | www.atomiccartoons.com 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6 On

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On Wed, 22 Feb 2017, Hanoz Elavia wrote: Hey Alex, Thanks for the link, isn't RFC 2307 implemented as Services for Unix in Windows 2008 R2? Apologies for not mentioning this earlier but I haven't enabled that mainly because SSSD now maps the IDs. Also, in the newer version of the Windows

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex, Thanks for the link, isn't RFC 2307 implemented as Services for Unix in Windows 2008 R2? Apologies for not mentioning this earlier but I haven't enabled that mainly because SSSD now maps the IDs. Also, in the newer version of the Windows Server, SFU seems to have been discontinued.

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks guys, I think there might be a way to modify the LDAP query. I'm speaking to the EMC / Dell support personnel today to see what can be done. Regards, Hanoz Hanoz Elavia | IT Manager O: 604-734-2866 | www.atomiccartoons.com 112 West 6th Ave,

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On Wed, 22 Feb 2017, Jason B. Nance wrote: There is none. Compat tree is built with RFC2307 queries in mind. RFC2307 clients issue a request with a specific user or group name and that triggers lookup of AD user/group through SSSD and insertion into the compat tree. A part of the trigger is how

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> There is none. Compat tree is built with RFC2307 queries in mind. > RFC2307 clients issue a request with a specific user or group name and > that triggers lookup of AD user/group through SSSD and insertion into > the compat tree. A part of the trigger is how LDAP filter is built (see > RFC for

Re: [Freeipa-users] ldapsearch for AD users

2017-02-21 Thread Alexander Bokovoy
On Tue, 21 Feb 2017, Hanoz Elavia wrote: Hello, I've got the FreeIPA server with AD trust (Server 2008 R2) set up and running. I can log in successfully on Linux clients using AD credentials. I'm now trying to set up my Isilon storage appliance with mixed mode file sharing. The filer has joined

Re: [Freeipa-users] ldapsearch for AD users

2017-02-21 Thread Martin Babinsky
On 02/21/2017 09:10 PM, Hanoz Elavia wrote: Hello, I've got the FreeIPA server with AD trust (Server 2008 R2) set up and running. I can log in successfully on Linux clients using AD credentials. I'm now trying to set up my Isilon storage appliance with mixed mode file sharing. The filer has

[Freeipa-users] ldapsearch for AD users

2017-02-21 Thread Hanoz Elavia
Hello, I've got the FreeIPA server with AD trust (Server 2008 R2) set up and running. I can log in successfully on Linux clients using AD credentials. I'm now trying to set up my Isilon storage appliance with mixed mode file sharing. The filer has joined the AD so it provides Windows users access