Thanks a lot Alexander

Strange, I am almost sure I got no results earlier if I used uid=*xxxx* searches

Users are perfectly found now.... both fully-qualified and wither other queries.

Honestly, it's a bit a missing feature (for my use cases!) that RFC2307bis draft 02 presentation is missing for AD users,

on the other side it is a very nice accomplishment that both RFC2307 in compat and RFC2307bis in cn=accounts are available in FreeIPA.

Its a perfect platform for Linux and suitable for Unix....Because IMO LDAP always has been a bit too complicated for system auth ;-)

$ ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be '(&(objectClass=posixAccount)(uid=*mcj*))'

SASL/GSSAPI authentication started

SASL username: admin@ACCNIX.INFRABEL.BE

SASL SSF: 56

SASL data security layer installed.

# extended LDIF

# LDAPv3

# base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree

# filter: (&(objectClass=posixAccount)(uid=*mcj*))

# requesting: ALL

# mcj7700@accmsnet.railb.be, users, compat, accnix.infrabel.be

dn: uid=mcj7700@accmsnet.railb.be,cn=users,cn=compat,dc=accnix,dc=infrabel,dc=

objectClass: posixAccount

objectClass: ipaOverrideTarget

objectClass: top

gecos: x

cn: x

uidNumber: x

gidNumber: x

homeDirectory: /home/Accmsnet.railb.be/mcj7700

ipaAnchorUUID:: x

uid: mcj7700@accmsnet.railb.be

Thx a lot!

-- Pieter

On Wed, Jul 4, 2018 at 7:22 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:

On ke, 04 heinä 2018, Pieter Baele via FreeIPA-users wrote:
>Hi,
>
>On a test FreeIPA environment (4.5.0-22), a user is shown using the id
>command, so ID Override is working as well.
>id xxxx@accmsnet.railb.be
>uid=8028(xxx@Accmsnet.railb.be) gid=4030(ucc)
>groups=4030(ucc),702800513(domain users@Accmsnet.railb.be
>),1318400009(ad_users)
>
>However this particular (AD) user is not shown using an ldapsearch in the
>compat
>ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be
>'(&(objectClass=posixAccount)(uid=xxxx))'
>
># extended LDIF
>#
># LDAPv3
># base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
># filter: (&(objectClass=posixAccount)(uid=mcj7700))
Here uid is non-fully qualified. A trigger in the compat tree plugin is
built around using fully qualified user names for AD users, e.g.
(uid=mcj770@accmsnet.railb.be).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland