Thanks a lot Alexander
Strange, I am almost sure I got no results earlier if I used uid=*xxxx*
searches.
Users are perfectly found now... both fully-qualified and with other
queries.
Honestly, it's a bit of a missing feature (for my use cases!) that RFC2307bis
draft 02 presentation is missing for AD users;
on the other side it is a very nice accomplishment that both RFC2307 in
compat and RFC2307bis in cn=accounts are available in FreeIPA.
It's a perfect platform for Linux and suitable for Unix... because IMO LDAP
has always been a bit too complicated for system auth ;-)
$ ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=*mcj*))'
SASL/GSSAPI authentication started
SASL username: admin(a)ACCNIX.INFRABEL.BE
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=*mcj*))
# requesting: ALL
#
# mcj7700(a)accmsnet.railb.be, users, compat, accnix.infrabel.be
dn: uid=mcj7700(a)accmsnet.railb.be,cn=users,cn=compat,dc=accnix,dc=infrabel,dc=be
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: x
cn: x
uidNumber: x
gidNumber: x
homeDirectory: /home/Accmsnet.railb.be/mcj7700
ipaAnchorUUID:: x
uid: mcj7700(a)accmsnet.railb.be
Thx a lot!
-- Pieter
On Wed, Jul 4, 2018 at 7:22 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Wed, 04 Jul 2018, Pieter Baele via FreeIPA-users wrote:
>Hi,
>
>On a test FreeIPA environment (4.5.0-22), a user is shown using the id
>command, so ID Override is working as well.
>id xxxx(a)accmsnet.railb.be
>uid=8028(xxx(a)Accmsnet.railb.be) gid=4030(ucc)
>groups=4030(ucc),702800513(domain users(a)Accmsnet.railb.be
>),1318400009(ad_users)
>
>However, this particular (AD) user is not shown using an ldapsearch in the
>compat:
>ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=xxxx))'
>
># extended LDIF
>#
># LDAPv3
># base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
># filter: (&(objectClass=posixAccount)(uid=mcj7700))
Here the uid is not fully qualified. A trigger in the compat tree plugin is
built around using fully qualified user names for AD users, e.g.
(uid=mcj770(a)accmsnet.railb.be).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland