Hey Jason,

Also, my bind DN is a native FreeIPA user and doesn't exist on the Active Directory.

Regards,
Hanoz

Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com <http://www.atomiccartoons.com>
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 2:07 PM, Hanoz Elavia <[email protected]> wrote:
> Hey Jason,
>
> I realized I had made one more change. I set up the FreeIPA server again
> and this time I added the --enable-compat with my
> /usr/sbin/ipa-adtrust-install command.
>
> Yes, I cannot use GSSAPI as well. I use simple bind to run an LDAP query.
> On IPA clients I don't need to authenticate as IPA takes care of that. Hope
> this helps.
>
> Regards,
>
> Hanoz
>
> Hanoz Elavia | IT Manager
> O: 604-734-2866 | www.atomiccartoons.com <http://www.atomiccartoons.com>
> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>
> On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance <[email protected]> wrote:
>
>> > For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>> > where %s is [email protected] according to your example.
>> >
>> > This is what would be intercepted and queried through SSSD.
>> >
>> > For example:
>> >
>> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>> > '(&(objectClass=posixAccount)([email protected]))'
>> > SASL/GSSAPI authentication started
>> > SASL username: [email protected]
>> > SASL SSF: 56
>> > SASL data security layer installed.
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
>> > # filter: (&(objectClass=posixAccount)([email protected]))
>> > # requesting: ALL
>> > #
>> >
>> > # [email protected], users, compat, xs.ipa.cool
>> > dn: [email protected],cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
>> > objectClass: ipaOverrideTarget
>> > objectClass: posixAccount
>> > objectClass: top
>> > cn: YO!
>> > gidNumber: 967001113
>> > gecos: YO!
>> > ipaAnchorUUID:: <some base64 value>
>> > uidNumber: 967001113
>> > loginShell: /bin/bash
>> > homeDirectory: /home/ad.ipa.cool/user
>> > uid: [email protected]
>> >
>> > # search result
>> > search: 4
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>>
>> I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage
>> status" says "Plugin Enabled", but searches for AD users yield no results:
>>
>> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)([email protected]))' -W -x -D
>> 'cn=Directory Manager'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
>> # filter: (&(objectClass=posixAccount)([email protected]))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>>
>> I'm currently logged into the machine with an AD account from a trust:
>>
>> [[email protected]@sl2aospljmp0001 ~]$ whoami
>> [email protected]
>> [[email protected]@sl2aospljmp0001 ~]$ id
>> uid=21104([email protected]) gid=21104([email protected])
>> groups=21104([email protected]),10009(lgz-lxusers),10011(lxeng),20512(domain
>> [email protected]),20513(domain [email protected]),21112(lxus
>> [email protected]),21117([email protected])
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>>
>> If I search for a user that is local to IPA it works:
>>
>> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory
>> Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
>> # filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
>> # requesting: ALL
>> #
>>
>> # jnance-ipa, users, compat, ipa.lab.gen.zone
>> dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> cn: Jason Nance
>> objectClass: posixAccount
>> objectClass: ipaOverrideTarget
>> objectClass: top
>> gidNumber: 10008
>> gecos: Jason Nance
>> ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOm
>>  QxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
>>  AwNTA1NjkxMGE0NA==
>> uidNumber: 10008
>> loginShell: /bin/bash
>> homeDirectory: /home/jnance-ipa
>> uid: jnance-ipa
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> As a side note, I'm also not able to use GSSAPI auth as you did:
>>
>> $ kinit
>> Password for [email protected]:
>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)([email protected]))'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
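A small checker for the kind of ldapsearch output quoted in this thread, added here as an example and not code from the thread or from FreeIPA: it parses the LDIF that ldapsearch prints for a cn=compat query and reports whether an entry for the requested uid came back, treating a user@REALM uid as a trusted-domain (AD) user. The empty-result and native-user samples are constructed from the outputs quoted above; aduser@AD.EXAMPLE.TEST is a placeholder realm.

```python
# Added diagnostic, not from the thread: parse ldapsearch's cn=compat LDIF and check who it served.
import base64
import re

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def parse_ldif_entries(text):
    """One {attr: [values]} dict per entry; '::' values are base64-decoded.
    Skips '#' comments, unfolds RFC 2849 continuation lines (leading space)
    and drops the dn-less 'search:/result:' trailer that ldapsearch appends."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value)
    return entries

def check_compat_lookup(uid, ldif_text):
    """Trusted-domain (AD) users appear in IPA as user@REALM; an empty compat
    answer for such a uid points at the compat/SSSD path, not at the user."""
    hits = [e for e in parse_ldif_entries(ldif_text)
            if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", [])]
    return {"uid": uid, "trusted_domain_user": "@" in uid, "served": bool(hits),
            "anchor": hits[0].get("ipaAnchorUUID", [None])[0] if hits else None}

# Constructed samples modelled on the thread: the empty answer for an AD user
# (placeholder realm) and the native-IPA entry with its folded ipaAnchorUUID.
EMPTY_RESULT = "# extended LDIF\n#\n# search result\nsearch: 2\nresult: 0 Success\n"
IPA_USER_RESULT = """# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
objectClass: posixAccount
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOm
 QxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uid: jnance-ipa
"""

if __name__ == "__main__":
    print(check_compat_lookup("aduser@AD.EXAMPLE.TEST", EMPTY_RESULT))
    print(check_compat_lookup("jnance-ipa", IPA_USER_RESULT))
```

The decoded anchor shows where the compat entry came from: native IPA users carry an :IPA:<domain>:<uuid> anchor, so a missing or differently-sourced anchor for a user@REALM uid is the thing to chase on the compat/SSSD side.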
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
