Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Gould, Joshua
I have default_domain_suffix = example.com in my [sssd] section of
sssd.conf. On RHEL6/7 systems, I'm able to log in or issue any other
command without the suffix. Is it safe to assume it works the same in
RHEL5? I also tried with the domain in all lowercase and all uppercase.

On 5/13/15, 9:16 AM, Martin Kosek mko...@redhat.com wrote:

I may be asking the obvious, but ad_user is fully qualified, right? I.e.
adu...@my.ad.domain.test?

Testing the login on the server system as Dmitri advised is also a good
test to make.

 
 
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Gould, Joshua
I can log in to a RHEL6/7 server as an IPA user and su to an AD user and it
works fine. I can also log in directly as an AD user.

For my RHEL5 system, I can log in as an IPA user but cannot su - or log in
as an AD user.

-sh-3.2$ su - ad_user
su: user goul09 does not exist


As I mentioned before, queries to the compat part of the tree do not
return any matches either.

On my RHEL6 client, I saw this, which indicates there’s a different
approach used.

(Tue May 12 12:10:10 2015) [sssd[be[unix.osumc.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad_user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=example,dc=com].


On 5/12/15, 5:24 PM, Dmitri Pal d...@redhat.com wrote:

Can you log into a server as an IPA user and then su to an AD user with
authentication?
If that works it means that trust is actually working. I would start
with confirming that part.
If we know that the trust is actually working we can move to debugging
the compat-plugin. If it is not working we would know why nothing is
showing up in the tree.
Looking at SSSD trace on IPA server that corresponds to the time when
you run the LDAP search might shed some light on what is going on.


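The RHEL6 debug line above shows which path a lookup took: the IPA provider on a modern client asks AD directly by sAMAccountName, whereas a legacy client goes through cn=compat. Dmitri's suggestion further down the thread is to read the SSSD trace on the server for the same purpose. The following script is an added example (mine, not part of SSSD or FreeIPA) that pulls the `calling ldap_search_ext with [filter][base]` lines out of a backend log, classifies each search as a direct-AD lookup or a compat-tree lookup, and flags a compat-tree search that uses an unqualified name, which is exactly the mistake the thread ends on. The sample lines are constructed: the first reproduces the line quoted above, the others are made up in the same format, and the classification heuristic is my own.

```python
"""Pick the LDAP searches out of an SSSD backend debug log and report which
lookup path each one took. Added example for this thread; not SSSD's own tooling."""
import re

# Shape of the debug_level 0x0400 line quoted in the thread:
# (timestamp) [sssd[be[domain]]] [function] (level): calling ldap_search_ext with [filter][base].
SEARCH_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"calling ldap_search_ext with \[(?P<filter>.+)\]\[(?P<base>[^\]]*)\]\.?\s*$"
)
# First assertion naming the account: uid=... in the compat tree, sAMAccountName=... against AD.
USER_RE = re.compile(r"\((?:uid|sAMAccountName)=([^)]*)\)", re.IGNORECASE)


def classify(filter_str, base):
    """'compat-tree' for searches under cn=compat (answered by slapi-nis),
    'direct-ad' for the IPA provider's own lookup by sAMAccountName, else 'other'."""
    b = base.lower()
    if b.startswith("cn=compat,") or ",cn=compat," in b:
        return "compat-tree"
    if "samaccountname" in filter_str.lower():
        return "direct-ad"
    return "other"


def parse_search_calls(lines):
    """Return one dict per matching log line; lines of any other shape are skipped."""
    calls = []
    for line in lines:
        m = SEARCH_RE.match(line.rstrip("\n"))
        if not m:
            continue
        flt, base = m.group("filter"), m.group("base")
        um = USER_RE.search(flt)
        user = um.group(1) if um else None
        kind = classify(flt, base)
        note = None
        if kind == "compat-tree" and user and "@" not in user:
            # In the compat tree a trusted AD user is only found under user@domain;
            # a short name there can only match one of IPA's own users.
            note = "unqualified uid against the compat tree"
        calls.append({
            "timestamp": m.group("ts"), "domain": m.group("domain"),
            "function": m.group("func"), "base": base, "filter": flt,
            "kind": kind, "user": user,
            "qualified": bool(user and "@" in user), "note": note,
        })
    return calls


def summarize(calls):
    """One human-readable line per search, for a quick look at a long log."""
    return [f"{c['domain']}: {c['kind']} base={c['base']} user={c['user']}"
            + (f" [{c['note']}]" if c["note"] else "") for c in calls]


# Constructed sample: line 1 is the RHEL6 line quoted in the thread (wrap removed),
# the rest are made up in the same format. Not captured from the poster's systems.
SAMPLE_LOG = [
    "(Tue May 12 12:10:10 2015) [sssd[be[unix.osumc.edu]]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(sAMAccountName=ad_user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=example,dc=com].",
    "(Tue May 12 12:11:03 2015) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(uid=ad_user@example.com)(objectclass=posixAccount))][cn=compat,dc=ipa,dc=example,dc=com].",
    "(Tue May 12 12:11:05 2015) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(uid=ad_user)(objectclass=posixAccount))][cn=compat,dc=ipa,dc=example,dc=com].",
    "(Tue May 12 12:11:05 2015) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): done",
]

if __name__ == "__main__":
    for line in summarize(parse_search_calls(SAMPLE_LOG)):
        print(line)
```

Feed it the real file with `parse_search_calls(open("/var/log/sssd/sssd_<domain>.log"))` once `debug_level = 6` or higher is set in the domain section; the third sample line is the pattern to look for when a legacy client says an AD user does not exist.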

Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Martin Kosek
On 05/12/2015 10:48 PM, Gould, Joshua wrote:
 Hopefully I'm missing something simple.
 
 For an IPA user:
 $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
 
 This returns a match.
 
 For an AD user:
 $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
 
 Does not return any matches.
 
 I verified that all my IPA servers have the compatibility plugin enabled.
 
 # ipa-compat-manage status
 Directory Manager password:
 
 Plugin Enabled
 #

I may be asking the obvious, but ad_user is fully qualified, right? I.e.
adu...@my.ad.domain.test?

Testing the login on the server system as Dmitri advised is also a good
test to make.

 
 


Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Alexander Bokovoy

On Wed, 13 May 2015, Gould, Joshua wrote:

I can log in to a RHEL6/7 server as an IPA user and su to an AD user and it
works fine. I can also log in directly as an AD user.

For my RHEL5 system, I can log in as an IPA user but cannot su - or log in
as an AD user.

-sh-3.2$ su - ad_user
su: user goul09 does not exist

Have you actually read the definitive guide we have?
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf, linked
from http://www.freeipa.org/page/Documentation

It looks like you have missed it, given your answers and attempts to use
non-fully qualified user names.
--
/ Alexander Bokovoy



Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Dmitri Pal
On 05/13/2015 09:24 AM, Gould, Joshua wrote:
 I have default_domain_suffix = example.com in my [sssd] section of
 sssd.conf. On RHEL6/7 systems, I'm able to log in or issue any other
 command without the suffix. Is it safe to assume it works the same in
 RHEL5? I also tried with the domain in all lowercase and all uppercase.
I think you have to use fully qualified names with legacy versions
against the compat tree.
Can you try an FQ name from RHEL5?

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Gould, Joshua
Thank you. I had originally gone with the RH documentation. I followed the
guide and was able to get my RHEL5 client working. AIX6 is closer to
working as well.

On 5/13/15, 9:31 AM, Alexander Bokovoy aboko...@redhat.com wrote:

Have you actually read the definitive guide we have?
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf, linked
from http://www.freeipa.org/page/Documentation

It looks like you have missed it, given your answers and attempts to use
non-fully qualified user names.





Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-12 Thread Gould, Joshua
Hopefully I'm missing something simple.

For an IPA user:
$ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com

This returns a match.

For an AD user:
$ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com

Does not return any matches.

I verified that all my IPA servers have the compatibility plugin enabled.

# ipa-compat-manage status
Directory Manager password:

Plugin Enabled
#


On 5/12/15, 2:14 PM, Alexander Bokovoy aboko...@redhat.com wrote:

Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
base cn=compat,dc=ipa,dc=example,dc=com.

A simple ldapsearch needs to include a proper filter, like what SSSD or
nss_ldap are using. slapi-nis is programmed to specifically respond to
their queries, not to any request over the compat tree.

If you want to check from the command line, use a filter like

(&(uid=AD_user)(objectclass=posixaccount))


-- 
/ Alexander Bokovoy

[(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]






Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-12 Thread Dmitri Pal

On 05/12/2015 04:48 PM, Gould, Joshua wrote:

Hopefully I'm missing something simple.

For an IPA user:
$ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com

This returns a match.

For an AD user:
$ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com

Does not return any matches.

I verified that all my IPA servers have the compatibility plugin enabled.

# ipa-compat-manage status
Directory Manager password:

Plugin Enabled
#



Can you log into a server as an IPA user and then su to an AD user with
authentication?
If that works it means that trust is actually working. I would start
with confirming that part.
If we know that the trust is actually working we can move to debugging
the compat-plugin. If it is not working we would know why nothing is
showing up in the tree.
Looking at SSSD trace on IPA server that corresponds to the time when
you run the LDAP search might shed some light on what is going on.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-12 Thread Alexander Bokovoy

On Tue, 12 May 2015, Gould, Joshua wrote:

We’re using IPA Server 4.1.0-18. We have a trust between IPA and AD
with SID mapping. In our setup, AD would be example.com and IPA would
be say ipa.example.com.

I’m having some issues configuring both RHEL5 and AIX to work with the
compat tree. In both cases, kerberos works with IPA and AD users but
LDAP only works with IPA users and not AD users.

Should AD users be returned if I search uid=AD_user under
cn=users,cn=compat,dc=ipa,dc=example,dc=com? Is this where my RHEL5 and
AIX clients should be searching? I’m not getting any matches and I’ve
verified that the compat plugin is enabled on our servers. I need a
little more to go on as far as if I’m looking in the wrong sub-tree or
going about this the wrong way.

Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a
base cn=compat,dc=ipa,dc=example,dc=com.

A simple ldapsearch needs to include a proper filter, like what SSSD or
nss_ldap are using. slapi-nis is programmed to specifically respond to
their queries, not to any request over the compat tree.

If you want to check from the command line, use a filter like

(&(uid=AD_user)(objectclass=posixaccount))


--
/ Alexander Bokovoy

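Two things in this thread decide whether a compat-tree lookup finds a trusted AD user: the filter must have the `(&(uid=...)(objectclass=posixAccount))` shape that slapi-nis answers (Alexander's advice above), and the uid must be the fully qualified `user@domain` form (Martin's question and the thread's conclusion). The script below is an added example (mine, not FreeIPA, SSSD or slapi-nis code) that builds that filter from a short or qualified name with RFC 4515 escaping, so a name containing `*`, `(`, `)` or `\` cannot change the filter's structure, prints the matching `ldapsearch` command line, and reads the LDIF that comes back to confirm an entry for the uid is present. The AD domain and compat base are the ones used in the thread; the `ldaps://ipa.example.com` URI and the sample LDIF entry are constructed for the example.

```python
"""Compat-tree lookup helper for a trusted AD user: escape the name, build the
slapi-nis-style filter, emit the ldapsearch command, and check the LDIF result.
Added example for this thread; not part of FreeIPA, SSSD or slapi-nis."""
import base64
import shlex

# Values from the thread: AD is example.com, IPA is ipa.example.com.
AD_DOMAIN = "example.com"
COMPAT_BASE = "cn=compat,dc=ipa,dc=example,dc=com"


def ldap_filter_escape(value):
    """Escape an assertion value per RFC 4515 so user-supplied text cannot
    alter the filter (LDAP filter injection): * ( ) \\ and NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def compat_uid(user, ad_domain=AD_DOMAIN):
    """Trusted AD users appear in the compat tree only under user@domain;
    a name that already carries a domain is passed through unchanged."""
    return user if "@" in user else f"{user}@{ad_domain}"


def posix_account_filter(uid):
    """The (&(uid=...)(objectclass=posixAccount)) filter slapi-nis answers."""
    return f"(&(uid={ldap_filter_escape(uid)})(objectclass=posixAccount))"


def ldapsearch_argv(uid, base=COMPAT_BASE, ldap_uri=None):
    """argv for an anonymous simple-bind search (-x) of the compat tree.
    ldap_uri (hypothetical, e.g. ldaps://ipa.example.com) targets one server."""
    argv = ["ldapsearch", "-x", "-LLL"]
    if ldap_uri:
        argv += ["-H", ldap_uri]
    argv += ["-b", base, posix_account_filter(uid)]
    return argv


def ldapsearch_command(uid, base=COMPAT_BASE, ldap_uri=None):
    """Shell-quoted form of ldapsearch_argv, safe to paste into a terminal."""
    return " ".join(shlex.quote(a) for a in ldapsearch_argv(uid, base, ldap_uri))


def parse_ldif(text):
    """Minimal LDIF reader returning a list of {attr: [values]} dicts.
    Handles comments, folded continuation lines and base64 ('::') values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():            # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:   # folded line
            current[last][-1] += raw[1:]
            continue
        attr, _, rest = raw.partition(":")
        if rest.startswith(":"):       # attr:: base64value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
        last = attr
    if current:
        entries.append(current)
    return entries


def find_user(entries, uid):
    """dn of the entry whose uid matches (uid is case-insensitive in LDAP), or None."""
    for e in entries:
        if any(v.lower() == uid.lower() for v in e.get("uid", [])):
            return e.get("dn", [None])[0]
    return None


# Constructed sample of what `ldapsearch -x -LLL` prints for one compat entry,
# with a folded dn and a base64 cn on purpose. Not captured from the poster's servers.
SAMPLE_LDIF = """\
dn: uid=ad_user@example.com,cn=users,cn=compat,
 dc=ipa,dc=example,dc=com
objectClass: posixAccount
objectClass: top
uid: ad_user@example.com
cn:: QUQgVXNlcg==
uidNumber: 1234567890
gidNumber: 1234567890
homeDirectory: /home/example.com/ad_user
loginShell: /bin/sh
"""

if __name__ == "__main__":
    uid = compat_uid("ad_user")
    print(ldapsearch_command(uid, ldap_uri="ldaps://ipa.example.com"))
    print("found:", find_user(parse_ldif(SAMPLE_LDIF), uid))
```

Pipe the real `ldapsearch` output into `parse_ldif` and call `find_user` with the same qualified uid; an empty result for `ad_user@example.com` under cn=compat while the IPA user is found points at the trust or the compat plugin rather than at the client, which is the order of checks Dmitri suggests in the thread.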