Hello all!
I'm migrating our old LDAP infra to IPA 4.6.5 (rhel 7) with an external trust to Windows. Previously, all users were their shortname because we replicated AD users to LDAP. Most users reside in AD, but we have *nix-only users in LDAP. Everything seems fine for rhel7+ because sssd can do multi-domain search and thus allow me to use shortname instead of user+domain.
My issue is on the rhel6 servers: sssd there is 1.13.3, so multi-domain isn't available... Which is a bummer for me because we have 1000+ rhel6 servers and this is going to be a pain to have sometimes longnames, sometimes shortnames. Has anyone worked around this already? I considered my options:
- Try to use sssd proxy
- Try sss_override
- Write a plugin for sssd to search to IPA's idoverride and return a match
- Sob in front of an IPA at a pub :)
Thanks for your inputs!
As far as I know, it isn't possible on 1.13.3. You would need to get a newer SSSD version (not recommended from a RHEL support standpoint). See this from the archive: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi Louis, Yes, saw this in the archive and I understand the root cause, I just wanted to know how some people work around this. Currently I'm trying to build my own sssd 1.16 on rhel6 and see how far I can go. Thanks
Hello,
My issue is on the rhel6 servers: sssd there is 1.13.3, so multi-domain isn't available... Which is a bummer for me because we have 1000+ rhel6 servers and this is going to be a pain to have sometimes longnames, sometimes shortnames. Has anyone worked around this already? I considered my options:
- Try to use sssd proxy
- Try sss_override
- Write a plugin for sssd to search to IPA's idoverride and return a match
- Sob in front of an IPA at a pub :)
We have a similar set-up (mixed environment) and requirements; all of our users are AD users, and our administrative accounts are IDM users (less than 10).
How many IDM-only users (*nix users in this case) are there? If you're not worried about them needing to use a full domain login (longname), then you could use the following configuration within your sssd.conf file:
    [sssd]
    services = nss, sudo, pam, ssh
    domains = IDM-DOMAIN
    full_name_format = %1$s
    domain_resolution_order = AD-DOMAIN,IDM-DOMAIN
    default_domain_suffix = AD-DOMAIN
This allows our AD users to continue logging in with a shortname; a seamless transition for them. But, our IDM-only users (*nix users for you) will have to log in with the full longname, i.e. user@your.ipa.domain; those users can be queried initially via `getent passwd user@your.ipa.domain` or `groups user@your.ipa.domain`, and once in the cache the "shortname" format can be used. And, because we're using the "full_name_format = %1$s", there is only a shortname with file listings, etc.
As a side note, we upgraded from IPAv3 to IPAv4 with an AD trust, and originally all IDM users were copies of AD users. This is why the configuration described above works best for us. The bulk of our users had a seamless transition, and only our administrators had to use the longname format post-upgrade on EL6 nodes. There are a few other oddities with work-arounds required on EL6 for IDM-only users, but for the most part the upgrade had no issues.
HTH, John DeSantis
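As an added illustration of the name-handling John describes (not code from John, from SSSD or from FreeIPA), the following Python models what an sssd.conf like the one above does with a login name: an unqualified name gets default_domain_suffix appended (so AD users keep their shortname while IDM-only users must type user@ipa.domain), and full_name_format = %1$s strips the domain from displayed names. The sample configuration, the domain names and the user names are constructed for the example; the lookup model is a simplification of SSSD's real resolution logic, and the authoritative check on a host remains `getent passwd user@your.ipa.domain`.

```python
import configparser

# Constructed sssd.conf modeled on the settings quoted in this thread; not a real host's file.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = IDM-DOMAIN
full_name_format = %1$s
domain_resolution_order = AD-DOMAIN,IDM-DOMAIN
default_domain_suffix = AD-DOMAIN

[domain/IDM-DOMAIN]
id_provider = ipa
"""


def parse_sssd_conf(text):
    """Parse sssd.conf (INI syntax) and return the [sssd] section as a plain dict."""
    # interpolation=None keeps configparser from choking on the "%1$s" format string.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {key: value.strip() for key, value in cp["sssd"].items()}


def qualify_name(login, sssd):
    """Return the fully qualified name that will be looked up for a login name.

    Simplified model (assumption, not SSSD's code): a name that already carries a
    domain is used as-is; an unqualified name gets default_domain_suffix appended,
    which is why IDM-only users in the thread must log in as user@ipa.domain.
    """
    if "@" in login:
        return login
    suffix = sssd.get("default_domain_suffix")
    if suffix:
        return f"{login}@{suffix}"
    # No suffix configured: the bare name is resolved against the configured domains.
    return login


def display_name(qualified, sssd):
    """Render a qualified name the way file listings show it under full_name_format."""
    user, domain = qualified.split("@", 1)
    fmt = sssd.get("full_name_format", "%1$s@%2$s")  # "%1$s@%2$s" is the documented default
    return fmt.replace("%1$s", user).replace("%2$s", domain)


def check_sssd_conf(sssd):
    """Return findings for the shortname-login goal discussed in the thread (empty = OK)."""
    findings = []
    if not sssd.get("default_domain_suffix"):
        findings.append("default_domain_suffix unset: unqualified logins will not map to AD users")
    if sssd.get("full_name_format") != "%1$s":
        findings.append("full_name_format is not %1$s: listings will show user@domain")
    return findings


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for login in ("alice", "admin@your.ipa.domain"):
        qualified = qualify_name(login, conf)
        print(f"{login:25} -> lookup {qualified:30} shown as {display_name(qualified, conf)}")
    print("findings:", check_sssd_conf(conf) or "none")
```

Running the block prints the qualified lookup name and the displayed form for a constructed AD user and a constructed IDM administrator; `check_sssd_conf` can be pointed at a real file's text to confirm the two settings John relies on are present before rolling the configuration out to a fleet.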
On Wed, 11 Dec 2019 at 04:30, S Toulmonde via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello all!
I'm migrating our old LDAP infra to IPA 4.6.5 (rhel 7) with an external trust to Windows. Previously, all users were their shortname because we replicated AD users to LDAP. Most users reside in AD, but we have *nix-only users in LDAP. Everything seems fine for rhel7+ because sssd can do multi-domain search and thus allow me to use shortname instead of user+domain.
My issue is on the rhel6 servers: sssd there is 1.13.3, so multi-domain isn't available... Which is a bummer for me because we have 1000+ rhel6 servers and this is going to be a pain to have sometimes longnames, sometimes shortnames. Has anyone worked around this already? I considered my options:
- Try to use sssd proxy
- Try sss_override
- Write a plugin for sssd to search to IPA's idoverride and return a match
- Sob in front of an IPA at a pub :)
Thanks for your inputs!
Hi John, Yes your previous setup is quite similar to what we have (and what we're migrating away from): an LDAP server in Unix with accounts from AD that are being synchronized.
Unfortunately our userbase is in AD (we have around 4000 users) and our *nix userbase is also rather large (around 6000).
For the server side, we have around 8000 Rhel7 and 1000 Rhel6 -> we're phasing out rhel6, but you know how phasing out goes... So I want a long-lasting setup I could use across my environments.
Thanks,