Hi,
On a test FreeIPA environment (4.5.0-22), a user is shown using the id command, so ID Override is working as well.

$ id xxxx@accmsnet.railb.be
uid=8028(xxx@Accmsnet.railb.be) gid=4030(ucc) groups=4030(ucc),702800513(domain users@Accmsnet.railb.be),1318400009(ad_users)

However this particular (AD) user is not shown using an ldapsearch in the compat tree:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=xxxx))'
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=mcj7700))
# requesting: ALL
#

# search result
search: 4
result: 0 Success
Any idea? This is not happening in our production environment. I cleared caches, did enable slapi-compat, and even tried adding the resolution by an ldif to be sure. I did also re-run ipa-adtrust-install.
I really don't understand why the AD users are not visible in LDAP....
Sincerely,
Pieter
On Wed, 04 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> Hi,
> On a test FreeIPA environment (4.5.0-22), a user is shown using the id command, so ID Override is working as well.
>
> $ id xxxx@accmsnet.railb.be
> uid=8028(xxx@Accmsnet.railb.be) gid=4030(ucc) groups=4030(ucc),702800513(domain users@Accmsnet.railb.be),1318400009(ad_users)
>
> However this particular (AD) user is not shown using an ldapsearch in the compat tree:
>
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=xxxx))'
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=mcj7700))
Here uid is not fully qualified. A trigger in the compat tree plugin is built around using fully qualified user names for AD users, e.g. (uid=mcj770@accmsnet.railb.be).
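Alexander's point, that the compat tree keys AD trust users by their fully qualified name, as an added example that is not code from the thread or from FreeIPA: it builds the cn=compat lookup with the user qualified by the AD domain and applies RFC 4515 escaping so a name taken from user input cannot widen the filter. The base DN and AD domain are the thread's values; the function names and the lowercase normalisation are assumptions.

```python
# Added example (not from the thread or FreeIPA): build the cn=compat
# lookup for an AD trust user. Base DN and AD domain are the thread's values;
# function names and the lowercase normalisation are assumptions.
import shlex

COMPAT_BASE = "cn=compat,dc=accnix,dc=infrabel,dc=be"
AD_DOMAIN = "accmsnet.railb.be"

# RFC 4515: these characters are special inside a filter assertion value.
# Escaping them keeps a name taken from user input from rewriting the filter
# (e.g. turning an exact uid match into a wildcard or an extra clause).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def qualify_ad_user(name: str, ad_domain: str = AD_DOMAIN) -> str:
    """Return the fully qualified form the compat plugin keys AD users by.

    A name that already carries a domain part is kept; otherwise the AD
    domain is appended. The thread's compat entry uses the lowercase form,
    so the result is lowercased (assumption for this example).
    """
    name = name.strip()
    qualified = name if "@" in name else f"{name}@{ad_domain}"
    return qualified.lower()


def compat_user_filter(name: str, ad_domain: str = AD_DOMAIN) -> str:
    """Exact-match filter for one AD user in the compat tree."""
    uid = escape_filter_value(qualify_ad_user(name, ad_domain))
    return f"(&(objectClass=posixAccount)(uid={uid}))"


def ldapsearch_argv(name: str, base: str = COMPAT_BASE) -> list:
    """argv for the ldapsearch invocation used in the thread (GSSAPI bind)."""
    return ["ldapsearch", "-Y", "GSSAPI", "-b", base, compat_user_filter(name)]


if __name__ == "__main__":
    # Prints the command for the user from the thread; a bare "mcj7700"
    # matched nothing in cn=compat, the qualified name does.
    print(shlex.join(ldapsearch_argv("mcj7700")))
```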
Thanks a lot, Alexander.
Strange, I am almost sure I got no results earlier if I used uid=*xxxx* searches. Users are perfectly found now, both fully-qualified and with other queries.
Honestly, it's a bit of a missing feature (for my use cases!) that the RFC2307bis draft 02 presentation is missing for AD users; on the other side it is a very nice accomplishment that both RFC2307 in compat and RFC2307bis in cn=accounts are available in FreeIPA. It's a perfect platform for Linux and suitable for Unix, because IMO LDAP always has been a bit too complicated for system auth ;-)
$ ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=*mcj*))'
SASL/GSSAPI authentication started
SASL username: admin@ACCNIX.INFRABEL.BE
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=*mcj*))
# requesting: ALL
#

# mcj7700@accmsnet.railb.be, users, compat, accnix.infrabel.be
dn: uid=mcj7700@accmsnet.railb.be,cn=users,cn=compat,dc=accnix,dc=infrabel,dc=be
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: x
cn: x
uidNumber: x
gidNumber: x
homeDirectory: /home/Accmsnet.railb.be/mcj7700
ipaAnchorUUID:: x
uid: mcj7700@accmsnet.railb.be
Thx a lot!
--
Pieter
On Wed, Jul 4, 2018 at 7:22 AM Alexander Bokovoy abokovoy@redhat.com wrote:
> On Wed, 04 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> > Hi,
> > On a test FreeIPA environment (4.5.0-22), a user is shown using the id command, so ID Override is working as well.
> >
> > $ id xxxx@accmsnet.railb.be
> > uid=8028(xxx@Accmsnet.railb.be) gid=4030(ucc) groups=4030(ucc),702800513(domain users@Accmsnet.railb.be),1318400009(ad_users)
> >
> > However this particular (AD) user is not shown using an ldapsearch in the compat tree:
> >
> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=xxxx))'
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
> > # filter: (&(objectClass=posixAccount)(uid=mcj7700))
>
> Here uid is not fully qualified. A trigger in the compat tree plugin is built around using fully qualified user names for AD users, e.g. (uid=mcj770@accmsnet.railb.be).
>
> --
> Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org