Thanks all, the suggestions were incredibly helpful and are working.
That strikes wishlist item #1 off my list, now on to the next "wish" --
seeing if FreeIPA's LDAP service can be used to authenticate AD users
for scenarios where we can't provide a full IPA client enrollment option.
I did see your other mail list post and did reply, I'm not sure if you saw it. Anyway,
you can do this by enabling the compat tree in FreeIPA. I think this will involve you
having to run ipa-adtrust-install --enable-compat on all IPA servers that are involved
either being a trust controller or trust agent. You'll have these trees after that you
What will happen is all IPA users and groups will show up immediately, but the AD
users/groups won't until they are asked for (eg from a simple ldapsearch or bind),
which should be sufficient. In my previous cases of having to use the compat tree, it was
for legacy clients (eg BSD, Solaris/OmniOS/Illumos, and RHEL 5).
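As an added example (not from this thread or the FreeIPA project), a small POSIX shell helper that builds the compat-tree ldapsearch against an IPA server and checks that the entry it returns carries the attributes a legacy NSS client needs to build a passwd entry. The server name, IPA suffix, AD realm and the sample LDIF are constructed placeholders; the compat tree layout (cn=users,cn=compat,<suffix>) is FreeIPA's standard one.

```shell
#!/bin/sh
# Added example: verify that an AD user resolves through the FreeIPA compat tree.
# Assumed values (not from the thread): IPA server ipa1.ipa.example.com, suffix
# dc=ipa,dc=example,dc=com, AD realm ad.example.com. Needs ldapsearch (openldap-clients).

IPA_SERVER="${IPA_SERVER:-ipa1.ipa.example.com}"
IPA_SUFFIX="${IPA_SUFFIX:-dc=ipa,dc=example,dc=com}"

# Base DN of the users container in the compat tree.
compat_user_base() {
    printf 'cn=users,cn=compat,%s\n' "$IPA_SUFFIX"
}

# Anonymous (-x) search for one user in the compat tree. For an AD user this first
# lookup is what makes the entry appear, as the thread describes.
compat_search_cmd() {
    printf "ldapsearch -x -H ldap://%s -b '%s' '(uid=%s)' uid uidNumber gidNumber homeDirectory loginShell\n" \
        "$IPA_SERVER" "$(compat_user_base)" "$1"
}

# Read an LDIF result on stdin and confirm every attribute a legacy client needs is
# present. Returns 0 when complete, 1 (naming the missing attribute) otherwise.
ldif_has_posix_attrs() {
    ldif=$(cat)
    for attr in uid uidNumber gidNumber homeDirectory loginShell; do
        printf '%s\n' "$ldif" | grep -qi "^$attr: " \
            || { echo "missing $attr" >&2; return 1; }
    done
    return 0
}

# Constructed sample LDIF shaped like a compat-tree answer for an AD user (not real output).
SAMPLE_LDIF='dn: uid=jdoe@ad.example.com,cn=users,cn=compat,dc=ipa,dc=example,dc=com
uid: jdoe@ad.example.com
uidNumber: 1451200500
gidNumber: 1451200513
homeDirectory: /home/ad.example.com/jdoe
loginShell: /bin/sh'

# Run with --demo to print the search command and validate the sample entry.
if [ "${1:-}" = "--demo" ]; then
    compat_search_cmd 'jdoe@ad.example.com'
    printf '%s\n' "$SAMPLE_LDIF" | ldif_has_posix_attrs && echo "compat entry complete"
fi
```

To check a live server, pipe the output of the printed ldapsearch command into `ldif_has_posix_attrs`; an entry that lacks any of the five attributes is one a legacy client will not be able to log in with.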