Dumb question ...
For use cases (temporary/ephemeral/auto-scaling servers) where we can't do a full ipa-client-install on a managed node is it possible to use the LDAP service on FreeIPA to check a username and password for an AD-trust user?
I've been fooling around with making AWS Parallelcluster nodes LDAP clients of a FreeIPA environment and it actually works really well with users and groups that are local to FreeIPA; it's quite a nice solution actually and solves a consistency problem for some users and groups we need to persist as HPC grids are launched and destroyed.
Was wondering idly if the LDAP service extended to being able to authenticate a user that exists within an AD-trust. It does not seem to work out of the box but I was wondering if a change of the LDAP bind DN or other settings would allow this to work?
Wanted to ask if this was even possible before I spent more time working on my ldap configs!
Regards Chris
Yes, it is possible to do so. It will require you to turn on the compatibility tree and point to that DN. More than likely you'll need to run `ipa-adtrust-install --enable-compat` on all IPA servers that are trust controllers/agents. Once you do so, you'll get a cn=compat,... you can use.
Users: cn=users,cn=compat,dc=ipa,dc=example,dc=com
Groups: cn=groups,cn=compat,dc=ipa,dc=example,dc=com
What will happen is all IPA users and groups typically show up immediately. But the AD users/groups will not until there is a query for them (e.g. ldapsearch or bind attempt), which should be sufficient. In my previous cases of using the compat tree, it was for Solaris, FreeBSD, and RHEL 5, and I didn't run into too many issues.
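The two-step check the answer above describes (search the compat tree so the AD user gets materialized, then simple-bind as the returned DN), as an added example that is not from the thread or the FreeIPA project. It assumes the ldap3 library, LDAPS on port 636, and placeholder host/base-DN values; the empty-password refusal and filter escaping are the checks a practitioner would want when exposing this to ephemeral nodes.

```python
"""Verify a username/password against FreeIPA's compat tree over LDAPS.

Assumes ldap3 (pip install ldap3) and that ipa-adtrust-install --enable-compat
has been run, so AD-trust users appear under cn=users,cn=compat,<base>.
Host and base DN used below are placeholders, not values from the thread.
"""
import ssl


def compat_users_base(base_dn: str) -> str:
    """Container exposing IPA and AD-trust users as plain posixAccount entries."""
    return f"cn=users,cn=compat,{base_dn}"


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot alter the search filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(c, c) for c in value)


def verify_compat_user(host: str, base_dn: str, username: str, password: str) -> bool:
    """True only if a simple bind as the user's compat-tree DN succeeds."""
    # Refuse empty passwords up front: a simple bind with a DN and an empty
    # password is an *anonymous* bind (RFC 4513) and would "succeed".
    if not password:
        return False
    import ldap3  # imported here so the pure helpers above work without it

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)  # verify the IPA server cert
    server = ldap3.Server(host, port=636, use_ssl=True, tls=tls)
    # Step 1: look the user up. For AD-trust users this query is what makes the
    # IPA server populate the compat entry; it is absent until something asks.
    # Bind as a read-only service account here if anonymous reads are disabled.
    lookup = ldap3.Connection(server, auto_bind=True)
    lookup.search(compat_users_base(base_dn),
                  f"(uid={escape_filter(username)})", attributes=["uid"])
    entries = list(lookup.entries)
    lookup.unbind()
    if len(entries) != 1:
        return False  # unknown user, or an ambiguous match
    # Step 2: simple bind as the DN the server returned (never a guessed DN).
    check = ldap3.Connection(server, user=entries[0].entry_dn, password=password)
    ok = check.bind()  # False on invalid credentials
    check.unbind()
    return ok


if __name__ == "__main__":
    import getpass
    user = input("user (e.g. someone@ad.example.com): ")
    print(verify_compat_user("ipa.example.com", "dc=ipa,dc=example,dc=com",
                             user, getpass.getpass()))
```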
Fantastic, thanks so much. Will test ASAP on my end. Thanks for confirming that this is possible!
Chris
Louis Abel via FreeIPA-users, November 5, 2020 at 2:56 PM
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Chris Dagdigian, November 3, 2020 at 5:07 PM