We have a similar set-up (mixed environment) and requirements; all of
our users are AD users, and our administrative accounts are IDM users
(less than 10).
How many IDM-only users (*nix users in this case) are there? If
you're not worried about them needing to use a full domain login
(longname), then you could use the following configuration within your
sssd.conf file:
[sssd]
services = nss, sudo, pam, ssh
domains = IDM-DOMAIN
full_name_format = %1$s
domain_resolution_order = AD-DOMAIN,IDM-DOMAIN
default_domain_suffix = AD-DOMAIN
This allows our AD users to continue logging in with a shortname; a
seamless transition for them. But, our IDM-only users (*nix users for
you) will have to login with the full longname, i.e.
user@your.ipa.domain; those users can be queried initially via `getent
passwd user@your.ipa.domain` or `groups user@your.ipa.domain`, and
once in the cache the "shortname" format can be used. And, because
we're using the "full_name_format = %1$s", there is only a shortname
with file listings, etc.
As a side note, we upgraded from IPAv3 to IPAv4 with an AD trust, and
originally all IDM users were copies of AD users. This is why the
configuration described above works best for us. The bulk of our
users had a seamless transition, and only our administrators had to
use the longname format post-upgrade on EL6 nodes. There are a few
other oddities with work-arounds required on EL6 for IDM-only users,
but for the most part the upgrade had no issues.
HTH,
John DeSantis
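To make the behaviour of that [sssd] block concrete, here is a small added example (my own, not code from John's post and not part of SSSD) that re-implements the two rules the reply relies on: a bare shortname is qualified with default_domain_suffix, and full_name_format decides how the resolved name is printed. Given a user and the domain the account actually lives in, it reports which login strings reach that domain and how the name will show up in listings, and it flags the two settings that most often spoil the setup. The sssd.conf text, the domain names AD-DOMAIN/IDM-DOMAIN and the users jdoe/admin are constructed; the single-domain handling is an assumption that matches the configuration above, not a general model of SSSD's lookup path.

```python
"""Which login form does a user need under the [sssd] settings from the reply?

Added example for this thread, not code from the list post or from SSSD
itself. It re-implements, for one configured domain plus a trusted one,
the two rules the reply relies on: a bare shortname is qualified with
default_domain_suffix, and full_name_format decides how the resolved name
is printed. The sssd.conf text, domain names and users are constructed.
"""
import configparser

# Constructed sssd.conf mirroring the reply's settings (not a real file).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, sudo, pam, ssh
domains = IDM-DOMAIN
full_name_format = %1$s
default_domain_suffix = AD-DOMAIN

[domain/IDM-DOMAIN]
id_provider = ipa
"""


def load_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is off because full_name_format
    holds printf-style '%1$s' tokens that configparser would choke on."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def qualify(login, conf):
    """Return (user, domain) for a typed login name.

    'user@domain' is taken literally. A bare name gets default_domain_suffix;
    without a suffix sssd searches the configured domains, so the first
    entry of 'domains' is reported here (single-domain assumption).
    """
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return user, domain
    sssd = conf["sssd"]
    suffix = sssd.get("default_domain_suffix")
    if suffix:
        return login, suffix
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    return login, (domains[0] if domains else None)


def display_name(user, domain, conf):
    """Render the name as `ls -l` or `id` will show it, applying
    full_name_format (%1$s = user, %2$s = domain). The sssd default is
    '%1$s@%2$s', i.e. the long form."""
    fmt = conf["sssd"].get("full_name_format", "%1$s@%2$s")
    return fmt.replace("%1$s", user).replace("%2$s", domain)


def login_forms(user, home_domain, conf):
    """For an account living in home_domain, list which of the short and
    long login strings qualify to that domain, plus the displayed name."""
    candidates = [user, f"{user}@{home_domain}"]
    accepted = [c for c in candidates if qualify(c, conf) == (user, home_domain)]
    return {"accepted": accepted, "displayed": display_name(user, home_domain, conf)}


def audit(conf):
    """Flag settings that undermine the shortname setup described in the reply."""
    sssd = conf["sssd"]
    findings = []
    if sssd.get("default_domain_suffix") and sssd.get("full_name_format") != "%1$s":
        findings.append("default_domain_suffix is set but full_name_format is not "
                        "'%1$s': listings and `id` will print user@domain")
    if "domain_resolution_order" in sssd:
        findings.append("domain_resolution_order depends on the multi-domain "
                        "shortname support the thread says sssd 1.13.3 on EL6 "
                        "lacks; expect it to be ignored on those hosts")
    return findings


if __name__ == "__main__":
    conf = load_sssd_conf(SAMPLE_SSSD_CONF)
    for user, dom in (("jdoe", "AD-DOMAIN"), ("admin", "IDM-DOMAIN")):
        forms = login_forms(user, dom, conf)
        print(f"{user}@{dom}: login as {forms['accepted']}, shown as {forms['displayed']}")
    for finding in audit(conf):
        print("WARNING:", finding)
```

Run it against your own file with `load_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the output for the constructed config is the situation John describes: the AD user jdoe can log in as either jdoe or jdoe@AD-DOMAIN and is shown as jdoe, while the IDM user admin only resolves as admin@IDM-DOMAIN yet is still displayed as plain admin because of full_name_format = %1$s.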
On Wed, 11 Dec 2019 at 04:30, S Toulmonde via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hello all!
>
> I'm migrating our old LDAP infra to IPA 4.6.5 (rhel 7) with an external trust to
> Windows. Previously, all users used their shortname because we replicated AD users to
> LDAP.
> Most users reside in AD, but we have *nix-only users in LDAP. Everything seems fine
> for rhel7+ because sssd can do multi-domain search and thus allows me to use shortnames
> instead of user+domain.
>
> My issue is on the rhel6 servers: sssd there is 1.13.3, so
> multi-domain isn't available... Which is a bummer for me because we have 1000+ rhel6
> servers and this is going to be a pain to have sometimes longnames, sometimes shortnames.
> Has anyone worked around this already? I considered my options:
> - Try to use sssd proxy
> - Try sss_override
> - Write a plugin for sssd to search IPA's idoverrides and return a match
> - Sob in front of an IPA at a pub :)
>
> Thanks for your inputs!
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...