Hey All,
I've been following this post to refine an ldapsearch query in an attempt to return a list of AD users via IPA:
https://www.redhat.com/archives/freeipa-users/2017-February/msg00300.html
But haven't had luck yet. What I've tried so far:
LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "dc=mws,dc=mds,dc=xyz" -v "(&(objectClass=posixAccount)(uid=*))" |grep dn:
[root@idmipa03 ~]# cat ad-lookup.update
dn:cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user

dn:cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
[root@idmipa03 ~]#
[root@idmipa03 ~]# ipa-compat-manage status
Directory Manager password:
Plugin Enabled
[root@idmipa03 ~]#
[root@idmipa03 ~]# ipa-ldap-updater ad-lookup.update
Update complete, no data were modified
The ipa-ldap-updater command was successful
[root@idmipa03 ~]#
Still I don't get a list of AD users. Did not use --enable-compat on installation of the IPA servers. What am I missing?
Tinkered around some more. This works:
LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -Y GSSAPI -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "cn=compat,dc=mws,dc=mds,dc=xyz" "(uid=tom@mds.xyz)" -v|grep dn
On Tue, 03 Sep 2019, Tom K. via FreeIPA-users wrote:
> Tinkered around some more. This works:
> LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -Y GSSAPI -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "cn=compat,dc=mws,dc=mds,dc=xyz" "(uid=tom@mds.xyz)" -v|grep dn
Compat tree internal lookup triggers on a particular request pattern, as described in RFC 2307, section 5.2. For AD integration, the user or group name must be a fully-qualified one (tom@mds.xyz). It is later passed to SSSD for actual search. Thus, searches like 'uid=*' will not work.
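The reply above explains why the working query names one fully-qualified AD user and the failing one uses a wildcard. The following wrapper is an added example, not code from the thread or from the FreeIPA project: it refuses to send anything but a fully-qualified, metacharacter-free name to the compat tree, and it binds with GSSAPI (a Kerberos ticket from kinit) so the bind password never appears on the command line, where it would be visible in process listings and shell history. The server name, base DN and CA path are taken from the thread and are assumptions to adjust for another deployment; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compat-tree user lookup that only issues
# fully-qualified AD names, because wildcard uid searches never reach SSSD.
# Assumed defaults below come from the thread; override them via the environment.
IPA_SERVER="${IPA_SERVER:-idmipa03.mws.mds.xyz}"
IPA_BASE="${IPA_BASE:-dc=mws,dc=mds,dc=xyz}"
IPA_CACERT="${IPA_CACERT:-/etc/ipa/ca.crt}"

# Return 0 if NAME looks like a fully-qualified AD user (user@domain.tld) and
# contains no LDAP filter metacharacters or wildcards; otherwise return 1.
is_fq_ad_name() {
    case "$1" in
        *\**|*\(*|*\)*|*\\*|*\|*|*\&*) return 1 ;;   # wildcard or filter metacharacter
        ?*@?*.?*) return 0 ;;                          # user@domain.tld
        *) return 1 ;;                                 # short name, no realm, etc.
    esac
}

# Print the LDAP filter for NAME, or fail if NAME is not fully qualified.
compat_user_filter() {
    is_fq_ad_name "$1" || { echo "refusing non-qualified or wildcard name: $1" >&2; return 1; }
    printf '(uid=%s)\n' "$1"
}

# Print the ldapsearch command that compat_lookup would run, for review or logging.
# No -D/-w: with -Y GSSAPI the bind uses the caller's Kerberos credentials.
compat_search_cmd() {
    f=$(compat_user_filter "$1") || return 1
    printf 'ldapsearch -Y GSSAPI -H ldaps://%s:636 -b cn=compat,%s -LLL %s dn\n' \
        "$IPA_SERVER" "$IPA_BASE" "$f"
}

# Run the lookup for real; requires a valid Kerberos ticket (kinit) on this host.
compat_lookup() {
    f=$(compat_user_filter "$1") || return 1
    LDAPTLS_CACERT="$IPA_CACERT" ldapsearch -Y GSSAPI -H "ldaps://$IPA_SERVER:636" \
        -b "cn=compat,$IPA_BASE" -LLL "$f" dn
}
```

Usage: `compat_lookup tom@mds.xyz` after `kinit admin`; `compat_lookup 'uid=*'` exits non-zero before contacting the server. Listing all trusted-domain users is not something the compat tree can answer by design, so a script that needs the full list has to ask SSSD or the AD domain controller instead.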
freeipa-users@lists.fedorahosted.org