FQDNs are not required for systems using the compat tree when using domain resolution
order, but it's not clear if you have it on or not. With that said, I've never
tried to drop the domain off users when using the compat tree and id views without domain
resolution order enabled. In theory, an idview might help, but you would need to
experiment with it by creating user overrides, overriding the names and such, seeing what
it looks like in the compat tree when trying to do a query or performing a login; I no
longer have the equipment to help test this. But it sounds like something you could easily
test out.
Slightly unrelated: at my last job, we used the compat tree with domain resolution order
turned on. We had some sudo issues at some point with domain resolution order turned on
starting at SRU 11.4.20.4.0, for which the only suitable workaround was to create an idview
and just point the clients to it (without making any overrides). This may be of interest to
you.
This is from my notes:
* Domain Resolution Order turned on
* Compat tree enabled (this is the cn=compat,$SUFFIX part of the tree)
* An idview was created with NO overrides (really, no overrides made)
* ldapclient on Solaris was pointed to the view

# Create a view... no id overrides required here
% ipa idview-add solaris

# On Solaris...
# Take EXTREME care with the group and passwd base DNs, they need to point
# to the view properly
# This example uses kerberos to authenticate.
% ldapclient manual -a authenticationMethod=self \
    -a credentialLevel=sasl/GSSAPI \
    -a defaultSearchBase=dc=ipa,dc=example,dc=com \
    -a domainName=ipa.example.com \
    -a defaultServerList="server1.angelsofclockwork.net server2.angelsofclockwork.net" \
    -a followReferrals=true \
    -a objectClassMap=shadow:shadowAccount=posixAccount \
    -a objectClassMap=passwd:posixAccount=posixaccount \
    -a objectClassMap=group:posixGroup=posixgroup \
    -a serviceSearchDescriptor=group:cn=groups,cn=solaris,cn=views,cn=compat,dc=angelsofclockwork,dc=net \
    -a serviceSearchDescriptor=passwd:cn=users,cn=solaris,cn=views,cn=compat,dc=angelsofclockwork,dc=net \
    -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=ipa,dc=example,dc=com \
    -a serviceSearchDescriptor=ethers:cn=computers,cn=accounts,dc=ipa,dc=example,dc=com \
    -a serviceSearchDescriptor=sudoers:ou=sudoers,dc=ipa,dc=example,dc=com \
    -a bindTimeLimit=5

# Make sure you set your props...
% /usr/sbin/svccfg -s name-service/switch setprop config/sudoer = astring: "files ldap"
% /usr/sbin/svccfg -s name-service/switch setprop config/password = astring: "files ldap [NOTFOUND=return]"
% /usr/sbin/svccfg -s name-service/switch setprop config/group = astring: "files ldap [NOTFOUND=return]"
% /usr/sbin/svcadm refresh svc:/system/name-service/switch
% /usr/sbin/svcadm restart svc:/system/name-service/switch
% /usr/sbin/svcadm restart ldap/client

# Verify...
% ldaplist -l passwd adusername
. . .
% id -a adusername
. . .
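
An added example, not part of the original message: a small check that the passwd and group search descriptors on a client really point into the ID view, which is the step the notes flag as needing extreme care. The helper name `check_view_ssd`, the sample data, and the `NS_LDAP_SERVICE_SEARCH_DESC=` line format expected from `ldapclient list` are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original message.
# check_view_ssd VIEW SUFFIX (hypothetical helper): reads `ldapclient list`
# style lines on stdin and verifies that the passwd and group
# serviceSearchDescriptors point into cn=VIEW,cn=views,cn=compat,SUFFIX.
# Returns 0 when both do, 1 otherwise (mismatches are reported on stderr).
check_view_ssd() {
    view=$1 suffix=$2 rc=0
    input=$(cat)
    for svc in passwd group; do
        case $svc in
            passwd) container=users ;;
            group)  container=groups ;;
        esac
        want=$(printf '%s' "cn=$container,cn=$view,cn=views,cn=compat,$suffix" |
               tr 'A-Z' 'a-z')
        # First descriptor for this service; drop the key, any ?scope/?filter
        # or ;second-base part, spaces, and case differences.
        got=$(printf '%s\n' "$input" |
              sed -n "s/^NS_LDAP_SERVICE_SEARCH_DESC= *$svc://p" |
              head -n 1 | sed 's/[?;].*//' | tr -d ' ' | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $svc: got '${got:-none}', want '$want'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input (not captured from a real host).
GOOD_SAMPLE='NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=solaris,cn=views,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=solaris,cn=views,cn=compat,dc=ipa,dc=example,dc=com'
# Constructed failure case: passwd left on the plain compat tree, so user
# lookups bypass the view while group lookups go through it.
BAD_SAMPLE='NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=solaris,cn=views,cn=compat,dc=ipa,dc=example,dc=com'
```

On a configured client the same function can be fed live data, for example `ldapclient list | check_view_ssd solaris dc=ipa,dc=example,dc=com`.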