Hey Jason, I realized I had made one more change. I set up the FreeIPA server again and this time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install command.
Yes, I cannot use GSSAPI either. I use simple bind to run an LDAP query. On IPA clients I don't need to authenticate as IPA takes care of that. Hope this helps.

Regards,
Hanoz

Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com <http://www.atomiccartoons.com>
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance <[email protected]> wrote:

> > For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
> > where %s is [email protected] according to your example.
> >
> > This is what would be intercepted and queried through SSSD.
> >
> > For example:
> >
> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '(&(objectClass=posixAccount)([email protected]))'
> > SASL/GSSAPI authentication started
> > SASL username: [email protected]
> > SASL SSF: 56
> > SASL data security layer installed.
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
> > # filter: (&(objectClass=posixAccount)([email protected]))
> > # requesting: ALL
> > #
> >
> > # [email protected], users, compat, xs.ipa.cool
> > dn: [email protected],cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
> > objectClass: ipaOverrideTarget
> > objectClass: posixAccount
> > objectClass: top
> > cn: YO!
> > gidNumber: 967001113
> > gecos: YO!
> > ipaAnchorUUID:: <some base64 value>
> > uidNumber: 967001113
> > loginShell: /bin/bash
> > homeDirectory: /home/ad.ipa.cool/user
> > uid: [email protected]
> >
> > # search result
> > search: 4
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
>
> I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage status" says "Plugin Enabled", but searches for AD users yield no results:
>
> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)([email protected]))' -W -x -D 'cn=Directory Manager'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
> # filter: (&(objectClass=posixAccount)([email protected]))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> I'm currently logged into the machine with an AD account from a trust:
>
> [[email protected]@sl2aospljmp0001 ~]$ whoami
> [email protected]
> [[email protected]@sl2aospljmp0001 ~]$ id
> uid=21104([email protected]) gid=21104([email protected]) groups=21104([email protected]),10009(lgz-lxusers),10011(lxeng),20512(domain [email protected]),20513(domain [email protected]),21112([email protected]),21117([email protected]) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> If I search for a user that is local to IPA it works:
>
> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
> # requesting: ALL
> #
>
> # jnance-ipa, users, compat, ipa.lab.gen.zone
> dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
> cn: Jason Nance
> objectClass: posixAccount
> objectClass: ipaOverrideTarget
> objectClass: top
> gidNumber: 10008
> gecos: Jason Nance
> ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOm
>  QxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
>  AwNTA1NjkxMGE0NA==
> uidNumber: 10008
> loginShell: /bin/bash
> homeDirectory: /home/jnance-ipa
> uid: jnance-ipa
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> As a side note, I'm also not able to use GSSAPI auth as you did:
>
> $ kinit
> Password for [email protected]:
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)([email protected]))'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
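The compat-tree lookup that the quoted ldapsearch commands perform, as an added example that is not part of this thread or of FreeIPA itself: it builds the `(&(objectClass=posixAccount)(uid=%s))` filter with RFC 4515 escaping of the substituted username, and parses an ldapsearch LDIF reply (comment lines, folded continuation lines, `::` base64 attributes such as ipaAnchorUUID) so that an empty "result: 0 Success" answer, like the AD-user searches above, is told apart from a hit. The sample LDIF, the `dc=example,dc=test` suffix and the `jdoe` user are constructed.

```python
import base64
# Constructed sample shaped like the compat-tree ldapsearch output quoted
# above (values made up; the folded base64 decodes to ':IPA:ex:1234').
SAMPLE_LDIF = """\
# filter: (&(objectClass=posixAccount)(uid=jdoe))
dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: ipaOverrideTarget
ipaAnchorUUID:: OklQQTpl
 eDoxMjM0
uidNumber: 10008
uid: jdoe

result: 0 Success
# numEntries: 1
"""
# RFC 4515 escapes, so a raw username in "(uid=%s)" cannot rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def compat_user_filter(uid):
    # Same filter shape as in the thread; AD users keep their @DOMAIN suffix.
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid)

def _decode(value):
    # "attr:: <base64>" values keep their leading ':' until unfolding is done.
    return base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()

def parse_ldif(text):
    """ldapsearch LDIF -> [{attr: [values]}]; skips '#' comments, unfolds lines."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:   # folded continuation line
            current[last][-1] += line[1:]
        elif not line:                      # blank line closes an entry
            if "dn" in current:             # drops the "result: ..." trailer
                entries.append({a: [_decode(v) for v in vs] for a, vs in current.items()})
            current, last = {}, None
        else:
            last, _, value = line.partition(":")
            current.setdefault(last, []).append(value)
    return entries

def find_compat_user(ldif_text, uid):
    # None models the thread's AD-user case: "result: 0 Success", zero entries.
    return next((e for e in parse_ldif(ldif_text) if uid in e.get("uid", [])), None)
```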
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
