> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
> where %s is [email protected] according to your example.
>
> This is what would be intercepted and queried through SSSD.
>
> For example:
>
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
> '(&(objectClass=posixAccount)([email protected]))'
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
> # filter: (&(objectClass=posixAccount)([email protected]))
> # requesting: ALL
> #
>
> # [email protected], users, compat, xs.ipa.cool
> dn: [email protected],cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
> objectClass: ipaOverrideTarget
> objectClass: posixAccount
> objectClass: top
> cn: YO!
> gidNumber: 967001113
> gecos: YO!
> ipaAnchorUUID:: <some base64 value>
> uidNumber: 967001113
> loginShell: /bin/bash
> homeDirectory: /home/ad.ipa.cool/user
> uid: [email protected]
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage status" says "Plugin Enabled", but searches for AD users yield no results:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)([email protected]))' -W -x -D 'cn=Directory Manager'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)([email protected]))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

I'm currently logged into the machine with an AD account from a trust:

[[email protected]@sl2aospljmp0001 ~]$ whoami
[email protected]
[[email protected]@sl2aospljmp0001 ~]$ id
uid=21104([email protected]) gid=21104([email protected]) groups=21104([email protected]),10009(lgz-lxusers),10011(lxeng),20512(domain [email protected]),20513(domain [email protected]),21112([email protected]),21117([email protected]) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

If I search for a user that is local to IPA it works:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
# requesting: ALL
#

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
cn: Jason Nance
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 10008
gecos: Jason Nance
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uidNumber: 10008
loginShell: /bin/bash
homeDirectory: /home/jnance-ipa
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for [email protected]:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)([email protected]))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
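An added example, not code from the thread or from the FreeIPA project: a small Python script that builds the `(&(objectClass=posixAccount)(uid=%s))` compat-tree filter quoted above with RFC 4515 escaping of the substituted login (so a login containing `*`, `(` or `)` matches literally instead of rewriting the filter), and parses ldapsearch LDIF output the way the messages above show it, including `#` comment lines, the `::` base64 encoding of ipaAnchorUUID and the folded continuation line that ldapsearch prints for long values. The sample output is constructed here and modelled on the thread's listings; the domain `ad.example.test`, login `aduser`, ids and anchor string are made up, and the function names are this example's own. An empty result like the AD-user search in the thread (a `search:`/`result:` trailer with no `dn:` block) is reported as not found.

```python
"""Escape a login for the compat-tree filter and parse ldapsearch LDIF output."""
import base64
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def compat_user_filter(login: str) -> str:
    """The posixAccount/uid filter from the thread, with the login escaped."""
    return '(&(objectClass=posixAccount)(uid=%s))' % escape_filter_value(login)


# attribute name, ':' or '::' separator, optional space, value
_ATTR_RE = re.compile(r'^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$')


def parse_ldif(text: str) -> list:
    """Parse ldapsearch output into a list of entries (attribute -> list of values).

    Comment lines ('#') are skipped, continuation lines (leading space) are
    joined to the previous line, and '::' values are base64-decoded. Lines such
    as 'search:' and 'result:' fall outside any dn: block and are ignored.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]  # folded continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():  # blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith('#'):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == '::':
            value = base64.b64decode(value).decode('utf-8', 'replace')
        if attr.lower() == 'dn':
            current = {'dn': [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def compat_lookup_result(ldif_text: str, login: str) -> dict:
    """Report whether the compat tree returned a posixAccount entry for login."""
    for entry in parse_ldif(ldif_text):
        if login in entry.get('uid', []) and 'posixAccount' in entry.get('objectClass', []):
            return {
                'found': True,
                'dn': entry['dn'][0],
                'uidNumber': int(entry['uidNumber'][0]),
                'gidNumber': int(entry['gidNumber'][0]),
                'anchor': entry.get('ipaAnchorUUID', [None])[0],
            }
    return {'found': False}


# Constructed sample modelled on the thread's ldapsearch output; the domain,
# login, ids and anchor are made up. The base64 anchor is split across two
# lines the way ldapsearch folds long values.
SAMPLE_LOGIN = 'aduser@ad.example.test'
SAMPLE_ANCHOR = ':IPA:ipa.example.test:d1c544b6-0000-4000-8000-000000000000'
_b64 = base64.b64encode(SAMPLE_ANCHOR.encode()).decode()
SAMPLE_LDIF = f"""# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=example,dc=test> with scope subtree
# filter: {compat_user_filter(SAMPLE_LOGIN)}
# requesting: ALL
#

# {SAMPLE_LOGIN}, users, compat, ipa.example.test
dn: uid={SAMPLE_LOGIN},cn=users,cn=compat,dc=ipa,dc=example,dc=test
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: AD User
gidNumber: 967001113
gecos: AD User
ipaAnchorUUID:: {_b64[:60]}
 {_b64[60:]}
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.example.test/aduser
uid: {SAMPLE_LOGIN}

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

if __name__ == '__main__':
    print(compat_user_filter(SAMPLE_LOGIN))
    print(compat_lookup_result(SAMPLE_LDIF, SAMPLE_LOGIN))
```

To check a real server, pipe `ldapsearch -LLL`-free output straight into `compat_lookup_result` (the parser tolerates the comment lines either way); a result of `{'found': False}` for a trust user while the same login resolves through `id` is the symptom the message above describes.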
