Is it somehow possible to have the uid field in cn=users,cn=compat,dc=accnix,dc=infrabel,dc=be without the domain extension?
It is causing problems for AD users using an IPA-AD trust.
This problem was also discussed in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Sincerely Pieter
On Wed, 25 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> Is it somehow possible to have the uid field in cn=users,cn=compat,dc=accnix,dc=infrabel,dc=be without the domain extension?
No, it is *not* possible. The whole idea of compat tree is to trigger lookups only when @ad.domain is present, otherwise it will be very inefficient in terms of performance.
Ok, thanks for the clarification.
So there is *no* possibility to serve AIX completely... There goes the use-case for our Unix admins - np ;-)
On Wed, Jul 25, 2018 at 1:56 PM Alexander Bokovoy abokovoy@redhat.com wrote:
> On Wed, 25 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> > Is it somehow possible to have the uid field in cn=users,cn=compat,dc=accnix,dc=infrabel,dc=be without the domain extension?
> No, it is *not* possible. The whole idea of compat tree is to trigger lookups only when @ad.domain is present, otherwise it will be very inefficient in terms of performance.
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
On Wed, 25 Jul 2018, Pieter Baele wrote:
> Ok, thanks for the clarification.
> So there is *no* possibility to serve AIX completely... There goes the use-case for our Unix admins - np ;-)
You can serve IPA users there. Anything else really depends on AIX playing together which it is not, it seems.
Nope, not the first one ... not a lot of customers moving to AIX nowadays :D
On Wed, Jul 25, 2018 at 2:40 PM Alexander Bokovoy abokovoy@redhat.com wrote:
> On Wed, 25 Jul 2018, Pieter Baele wrote:
> > Ok, thanks for the clarification.
> > So there is *no* possibility to serve AIX completely... There goes the use-case for our Unix admins - np ;-)
> You can serve IPA users there. Anything else really depends on AIX playing together which it is not, it seems.
freeipa-users@lists.fedorahosted.org