Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
I have default_domain_suffix = example.com in my [sssd] section of sssd.conf. On RHEL6/7 systems, I'm able to login or issue any other command without the suffix. Is it safe to assume it works the same in RHEL5? I also tried with domain in all lower case and all upper case as well.

On 5/13/15, 9:16 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 05/12/2015 10:48 PM, Gould, Joshua wrote:
>> Hopefully I'm missing something simple.
>>
>> For an IPA user:
>>
>>     $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
>>
>> This returns a match.
>>
>> For an AD user:
>>
>>     $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
>>
>> Does not return any matches.
>>
>> I verified that all my IPA servers have the compatibility plugin enabled.
>>
>>     # ipa-compat-manage status
>>     Directory Manager password:
>>     Plugin Enabled
>>     #
>
> I may be asking the obvious, but ad_user is fully qualified, right? I.e. adu...@my.ad.domain.test?
>
> Testing the log in on the server system as Dmitri advised is also a good test to make.
>
>> On 5/12/15, 2:14 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a base cn=compat,dc=ipa,dc=example,dc=com.
>>>
>>> Simple ldapsearch needs to include proper filter, like what SSSD or nss_ldap are using. slapi-nis is programmed to specifically respond to their queries, not to any request over compat tree.
>>>
>>> If you want to check from the command line, use a filter like (&(uid=AD_user)(objectclass=posixaccount))
>>>
>>> --
>>> / Alexander Bokovoy
>>
>>     [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
I can login to a RHEL6/7 server as an IPA user and su to an AD user and it works fine. I can also login directly as an AD user as well.

For my RHEL5 system, I can login as an IPA user but cannot su - or login as an AD user.

    -sh-3.2$ su - ad_user
    su: user goul09 does not exist

As I mentioned before, queries to the compat part of the tree do not return any matches either.

On my RHEL6 client, I saw this, which indicates there's a different approach used.

    (Tue May 12 12:10:10 2015) [sssd[be[unix.osumc.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad_user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=example,dc=com].

On 5/12/15, 5:24 PM, Dmitri Pal <d...@redhat.com> wrote:

> On 05/12/2015 04:48 PM, Gould, Joshua wrote:
>> Hopefully I'm missing something simple.
>>
>> For an IPA user:
>>
>>     $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
>>
>> This returns a match.
>>
>> For an AD user:
>>
>>     $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
>>
>> Does not return any matches.
>>
>> I verified that all my IPA servers have the compatibility plugin enabled.
>>
>>     # ipa-compat-manage status
>>     Directory Manager password:
>>     Plugin Enabled
>>     #
>
> Can you log into a server as an IPA user and then su to an AD user with authentication? If that works it means that trust is actually working. I would start with confirming that part. If we know that the trust is actually working we can move to debugging the compat-plugin. If it is not working we would know why nothing is showing up in the tree.
>
> Looking at SSSD trace on IPA server that corresponds to the time when you run the LDAP search might shed some light on what is going on.
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
On 05/12/2015 10:48 PM, Gould, Joshua wrote:

> Hopefully I'm missing something simple.
>
> For an IPA user:
>
>     $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
>
> This returns a match.
>
> For an AD user:
>
>     $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
>
> Does not return any matches.
>
> I verified that all my IPA servers have the compatibility plugin enabled.
>
>     # ipa-compat-manage status
>     Directory Manager password:
>     Plugin Enabled
>     #

I may be asking the obvious, but ad_user is fully qualified, right? I.e. adu...@my.ad.domain.test?

Testing the log in on the server system as Dmitri advised is also a good test to make.

> On 5/12/15, 2:14 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a base cn=compat,dc=ipa,dc=example,dc=com.
>>
>> Simple ldapsearch needs to include proper filter, like what SSSD or nss_ldap are using. slapi-nis is programmed to specifically respond to their queries, not to any request over compat tree.
>>
>> If you want to check from the command line, use a filter like (&(uid=AD_user)(objectclass=posixaccount))
>>
>> --
>> / Alexander Bokovoy
>
>     [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
On Wed, 13 May 2015, Gould, Joshua wrote:

> I can login to a RHEL6/7 server as an IPA user and su to an AD user and it works fine. I can also login directly as an AD user as well.
>
> For my RHEL5 system, I can login as an IPA user but cannot su - or login as an AD user.
>
>     -sh-3.2$ su - ad_user
>     su: user goul09 does not exist

Have you actually read the definitive guide we have?
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf, linked from http://www.freeipa.org/page/Documentation

It looks like you have missed it, given your answers and attempts to use non-fully qualified user names.

--
/ Alexander Bokovoy
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
On 05/13/2015 09:24 AM, Gould, Joshua wrote:

> I have default_domain_suffix = example.com in my [sssd] section of sssd.conf. On RHEL6/7 systems, I'm able to login or issue any other command without the suffix. Is it safe to assume it works the same in RHEL5? I also tried with domain in all lower case and all upper case as well.

I think you have to use fully qualified names with legacy versions against compat tree. Can you try a FQ name from RHEL5?

> On 5/13/15, 9:16 AM, Martin Kosek <mko...@redhat.com> wrote:
>> On 05/12/2015 10:48 PM, Gould, Joshua wrote:
>>> Hopefully I'm missing something simple.
>>>
>>> For an IPA user:
>>>
>>>     $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
>>>
>>> This returns a match.
>>>
>>> For an AD user:
>>>
>>>     $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
>>>
>>> Does not return any matches.
>>>
>>> I verified that all my IPA servers have the compatibility plugin enabled.
>>>
>>>     # ipa-compat-manage status
>>>     Directory Manager password:
>>>     Plugin Enabled
>>>     #
>>
>> I may be asking the obvious, but ad_user is fully qualified, right? I.e. adu...@my.ad.domain.test?
>>
>> Testing the log in on the server system as Dmitri advised is also a good test to make.
>>
>>> On 5/12/15, 2:14 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a base cn=compat,dc=ipa,dc=example,dc=com.
>>>>
>>>> Simple ldapsearch needs to include proper filter, like what SSSD or nss_ldap are using. slapi-nis is programmed to specifically respond to their queries, not to any request over compat tree.
>>>>
>>>> If you want to check from the command line, use a filter like (&(uid=AD_user)(objectclass=posixaccount))
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>>>     [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
Thank you. I had originally gone with the RH documentation. I followed the guide and was able to get my RHEL5 client working. AIX6 is closer to working as well.

On 5/13/15, 9:31 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> Have you actually read the definitive guide we have?
> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf, linked from http://www.freeipa.org/page/Documentation
>
> It looks like you have missed it, given your answers and attempts to use non-fully qualified user names.
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
Hopefully I'm missing something simple.

For an IPA user:

    $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com

This returns a match.

For an AD user:

    $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com

Does not return any matches.

I verified that all my IPA servers have the compatibility plugin enabled.

    # ipa-compat-manage status
    Directory Manager password:
    Plugin Enabled
    #

On 5/12/15, 2:14 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a base cn=compat,dc=ipa,dc=example,dc=com.
>
> Simple ldapsearch needs to include proper filter, like what SSSD or nss_ldap are using. slapi-nis is programmed to specifically respond to their queries, not to any request over compat tree.
>
> If you want to check from the command line, use a filter like (&(uid=AD_user)(objectclass=posixaccount))
>
> --
> / Alexander Bokovoy

    [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
On 05/12/2015 04:48 PM, Gould, Joshua wrote:

> Hopefully I'm missing something simple.
>
> For an IPA user:
>
>     $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
>
> This returns a match.
>
> For an AD user:
>
>     $ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
>
> Does not return any matches.
>
> I verified that all my IPA servers have the compatibility plugin enabled.
>
>     # ipa-compat-manage status
>     Directory Manager password:
>     Plugin Enabled
>     #

Can you log into a server as an IPA user and then su to an AD user with authentication? If that works it means that trust is actually working. I would start with confirming that part. If we know that the trust is actually working we can move to debugging the compat-plugin. If it is not working we would know why nothing is showing up in the tree.

Looking at SSSD trace on IPA server that corresponds to the time when you run the LDAP search might shed some light on what is going on.

> On 5/12/15, 2:14 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a base cn=compat,dc=ipa,dc=example,dc=com.
>>
>> Simple ldapsearch needs to include proper filter, like what SSSD or nss_ldap are using. slapi-nis is programmed to specifically respond to their queries, not to any request over compat tree.
>>
>> If you want to check from the command line, use a filter like (&(uid=AD_user)(objectclass=posixaccount))
>>
>> --
>> / Alexander Bokovoy
>
>     [(&(uid=goul09)(objectclass=posixAccount))][cn=accounts,dc=unix,dc=osumc,dc=edu]

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX
On Tue, 12 May 2015, Gould, Joshua wrote:

> We're using IPA Server 4.1.0-18. We have a trust between IPA and AD with SID mapping. In our setup, AD would be example.com and IPA would be say ipa.example.com.
>
> I'm having some issues configuring both RHEL5 and AIX to work with the compat tree. In both cases, kerberos works with IPA and AD users but LDAP only works with IPA users and not AD users.
>
> Should AD users be returned if I search uid=AD_user under cn=users,cn=compat,dc=ipa,dc=example,dc=com? Is this where my RHEL5 and AIX clients should be searching? I'm not getting any matches and I've verified that the compat plugin is enabled on our servers.
>
> I need a little more to go on as far as if I'm looking in the wrong sub-tree or going about this the wrong way.

Can you configure SSSD on RHEL5 clients? A simple LDAP provider with a base cn=compat,dc=ipa,dc=example,dc=com.

Simple ldapsearch needs to include proper filter, like what SSSD or nss_ldap are using. slapi-nis is programmed to specifically respond to their queries, not to any request over compat tree.

If you want to check from the command line, use a filter like (&(uid=AD_user)(objectclass=posixaccount))

--
/ Alexander Bokovoy
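The two points the thread settles on (the compat tree only answers the filter shape nss_ldap/SSSD send, and AD users must be looked up by their fully qualified name on a legacy client) as a worked example. This is an added script, not code from the thread, from FreeIPA or from the legacy-clients guide; the host names ipa.example.com and example.com, the compat base, the domain section name ipa-compat and the CA path /etc/ipa/ca.crt are assumptions matching the thread's example setup, and the sssd.conf option names are real SSSD LDAP-provider options.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): build the query a legacy
# client should send to the FreeIPA compat tree for an AD-trusted user, and
# a minimal sssd.conf for such a client.
# Assumed: IPA server ipa.example.com, AD domain example.com,
# compat base cn=compat,dc=ipa,dc=example,dc=com, CA cert /etc/ipa/ca.crt.

IPA_SERVER="ipa.example.com"
AD_DOMAIN="example.com"
COMPAT_BASE="cn=compat,dc=ipa,dc=example,dc=com"

# Append @AD_DOMAIN when the name has no domain part. default_domain_suffix
# in sssd.conf is applied by the SSSD IPA/AD providers on RHEL6/7; a client
# doing plain LDAP against the compat tree has to qualify the name itself.
qualify_ad_user() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$AD_DOMAIN" ;;
    esac
}

# slapi-nis answers the AND of uid and objectclass=posixAccount, which is
# the lookup nss_ldap and SSSD's LDAP provider perform; a bare (uid=...)
# over the compat tree is not what it is built to respond to.
compat_user_filter() {
    printf '(&(uid=%s)(objectclass=posixAccount))\n' "$(qualify_ad_user "$1")"
}

# The ldapsearch command line for a manual check from the client.
compat_search_cmd() {
    printf 'ldapsearch -x -H ldap://%s -b "%s" "%s"\n' \
        "$IPA_SERVER" "$COMPAT_BASE" "$(compat_user_filter "$1")"
}

# Minimal sssd.conf for a legacy client: identities from the compat tree
# via the LDAP provider, authentication as an LDAP bind over STARTTLS
# (the bind for an AD user is handled by the server side, not by the client
# talking Kerberos to the AD realm). Values are the assumptions above.
legacy_sssd_conf() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa-compat

[domain/ipa-compat]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://$IPA_SERVER
ldap_search_base = $COMPAT_BASE
ldap_schema = rfc2307
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = true
EOF
}

# Usage: sh compat_check.sh ad_user
if [ -n "$1" ]; then
    echo "# run on the client:"
    compat_search_cmd "$1"
    echo "# /etc/sssd/sssd.conf for the legacy client:"
    legacy_sssd_conf
fi
```

After the ldapsearch returns the AD user's posixAccount entry, the end-to-end check is the one Dmitri suggests, done with the qualified name from the legacy client: `su - ad_user@example.com`. If the entry is returned but the bind fails, the problem is on the authentication side, not in the compat tree lookup.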