You can do this by enabling the compat tree in FreeIPA. I believe this will involve you having to run ipa-adtrust-install --enable-compat on all IPA servers that are involved, either as a trust controller or trust agent. After that, you'll essentially have these trees that you can use:

Groups: cn=groups,cn=compat,dc=ipa,dc=example,dc=com
Users: cn=users,cn=compat,dc=ipa,dc=example,dc=com

What will happen is all IPA users and groups will show up immediately, but the AD users/groups won't until they are asked for (e.g. from a simple ldapsearch or otherwise), which should (hopefully) be sufficient. In my previous cases of having to use the compat tree, it was for legacy clients (e.g. BSD, Solaris/OmniOS/Illumos, and RHEL 5).