[Freeipa-users] ldapsearch for AD users
Hanoz Elavia
2017-02-21 20:10:09 UTC
Hello,

I've got the FreeIPA server with AD trust (Server 2008 R2) set up and
running. I can log in successfully on Linux clients using AD credentials.
I'm now trying to set up my Isilon storage appliance with mixed-mode file
sharing.

The filer has joined the AD, so it provides Windows users access to the
files. However, being a legacy client, it uses simple bind to query LDAP
for uid and gid. I was able to set up FreeIPA as the LDAP server, but it
doesn't seem to return the uid and gid for AD objects.

The query my storage is using is as follows:

ldapsearch -x -W -z 10 -H ldap://ipa.server.com -b
'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'
'(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup)(objectClass=person))'

The following command will obtain all the IDs for the native FreeIPA users
/ groups but doesn't return any results for AD users. Is there a way to get
this done? I can't install any clients on the Isilon as it uses BSD-based
proprietary software. I can manually map FreeIPA-assigned uids / gids, but
that's tedious and error-prone. Any help would be appreciated.

Regards,

H.
Martin Babinsky
2017-02-22 06:49:47 UTC
Hi Hanoz,

please bear in mind that in an AD trust scenario the AD users are *not*
stored on the IPA server, so you have to query the AD DC directly for AD user
attributes.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Alexander Bokovoy
2017-02-22 07:28:52 UTC
Post by Hanoz Elavia
The following command will obtain all the IDs for the native FreeIPA users
/ groups but don't return any results for AD users. Is there a way to get
this done? I can't install any clients on the Isilon as it uses a BSD based
proprietary software. I can manually map FreeIPA assigned uids / gids but
that's tedious and error prone. Any help would be appreciated.
There is none. The compat tree is built with RFC 2307 queries in mind.
RFC 2307 clients issue a request with a specific user or group name, and
that triggers a lookup of the AD user/group through SSSD and insertion into
the compat tree. Part of the trigger is how the LDAP filter is built (see
the RFC for those). If your software does not use the same filter, you
wouldn't get a response.
--
/ Alexander Bokovoy
Jason B. Nance
2017-02-22 14:32:59 UTC
Post by Alexander Bokovoy
There is none. Compat tree is built with RFC2307 queries in mind.
RFC2307 clients issue a request with a specific user or group name and
that triggers lookup of AD user/group through SSSD and insertion into
the compat tree. A part of the trigger is how LDAP filter is built (see
RFC for those). If your software does not use the same filter, you
wouldn't get a response.
Are you saying that there is an LDAP query you can use to retrieve the UID/GID of a user/group that is known via an AD trust as long as the filter is correct? I ran into this same situation (with a storage appliance) and thought that the problem was that the UIDs/GIDs were calculated but never stored, but I hadn't stopped to think about whether sssd (on the local machine) retrieves them from FreeIPA or does the calculation.
Alexander Bokovoy
2017-02-22 14:50:55 UTC
Post by Jason B. Nance
Are you saying that there is an LDAP query you can use to retrieve the
UID/GID of a user/group that is known via an AD trust as long as the
filter is correct? I ran into this same situation (with a storage
appliance) and thought that the problem was that the UIDs/GIDs were
calculated but never stored, but I hadn't stopped to think about how
whether sssd (on the local machine) retrieves them from FreeIPA or does
the calculation.
Read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt
--
/ Alexander Bokovoy
Hanoz Elavia
2017-02-22 15:05:22 UTC
Thanks guys,

I think there might be a way to modify the LDAP query. I'm speaking to the
EMC / Dell support personnel today to see what can be done.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
Hanoz Elavia
2017-02-22 15:11:37 UTC
Hey Alex,

Thanks for the link. Isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier, but I haven't
enabled that, mainly because SSSD now maps the IDs. Also, in the newer
version of Windows Server, SFU seems to have been discontinued.

Since there is a possibility of us having to upgrade in the future, I tried
to keep SFU out of the picture. Please let me know your thoughts. Here's
some additional info regarding the environment:

Windows ADs: Windows Server 2008 R2
FreeIPA Server: CentOS 7.2 x86_64
FreeIPA Server Version: 4.4.0.14
FreeIPA Client Version: 4.4.0.14
SSSD Version: 1.14.0-43

Thanks,

Hanoz


Alexander Bokovoy
2017-02-22 15:22:44 UTC
Post by Hanoz Elavia
Hey Alex,
Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
enabled that mainly because SSSD now maps the IDs. Also, in the newer
version of the Windows Server, SFU seems to have been discontinued.
I think you are confused by the names. What the compat tree provides is an
interface on the IPA side to look up identities of AD users and groups over
LDAP. The compat tree will do the lookup through SSSD on your behalf. This means
we don't depend on how the Windows side provides or does not provide attributes.
Everything SSSD can resolve can be returned, be it stored in AD LDAP,
generated by SSSD, or stored in ID overrides in IPA.

But the query format is the one described in RFC 2307 because this is
what all nss implementations like nss_ldap or similar ones use in
UNIX-like environments. Windows Server is merely implementing the same
LDAP schema to allow interoperability with the same clients. Think of
Compat Tree in IPA as doing the same, just dynamically.
--
/ Alexander Bokovoy
Hanoz Elavia
2017-02-22 16:25:52 UTC
Thanks Alex,

Does it also mean that I'll have to install the FreeIPA server with
--enable-compat? I didn't do that.

Regards,

Hanoz


Alexander Bokovoy
2017-02-22 16:34:23 UTC
Post by Hanoz Elavia
Thanks Alex,
Does it also means that I'll have to install the FreeIPA server with
--enable-compat ? I didn't do that.
Check the ipa-compat-manage tool.
--
/ Alexander Bokovoy
Hanoz Elavia
2017-02-22 16:40:38 UTC
Hey Alex,

Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
have a look at the link and see if we can change the query to obtain the
info required.

Regards,

Hanoz


Hanoz Elavia
2017-02-22 18:08:03 UTC
Hey Alexander,

So based on the RFC 2307 documentation, I built a test server and ran the
following command:

ldapsearch -x -W -H 'ldap://ipa.server.com' -b
'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid=***@server.com'

It worked as expected. Then once I rebooted the test server it stopped
working. Any idea which service might be failing?

Regards,

Hanoz
Alexander Bokovoy
2017-02-22 19:38:46 UTC
Post by Hanoz Elavia
Hey Alexander,
So based on the RFC 2307 documentation, I built a test server and ran the
ldapsearch -x -W -H 'ldap://ipa.server.com' -b
'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid=
It worked as expected. Then once I rebooted the test server it stopped
working. Any idea which service might be failing ?
As I said, these are dynamic entries. You should use proper queries.
I mentioned RFC 2307; use section 5.2 to get the proper queries.

For example, for a user that would be (&(objectClass=posixAccount)(uid=%s))
where %s is ***@server.com according to your example.

This is what would be intercepted and queried through SSSD.

For example:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '(&(objectClass=posixAccount)(uid=***@ad.ipa.cool))'
SASL/GSSAPI authentication started
SASL username: ***@XS.IPA.COOL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=***@ad.ipa.cool))
# requesting: ALL
#

# ***@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=***@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: <some base64 value>
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: ***@ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
--
/ Alexander Bokovoy
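The RFC 2307 section 5.2 lookups Alexander refers to here and in his earlier reply, as an added example that is not code from this thread, from FreeIPA or from slapi-nis: a hypothetical Python helper that builds the per-entry filters with RFC 4515 escaping (so a name taken from a login or an appliance cannot change the filter's structure) and a small parser that tells that specific-entry shape apart from the broad objectClass enumeration the Isilon sent. The exact interception rules live in the linked sch-ipa.txt; the check below encodes only the shape described in this thread, and the sample user name is constructed.

```python
"""Build and check RFC 2307 (section 5.2) lookup filters for the FreeIPA compat tree.
Hypothetical helper, not FreeIPA or slapi-nis code.  Values are escaped per RFC 4515
so a user-supplied name cannot change the structure of the filter."""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a value so it is matched literally (no wildcard, no injected items)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The lookups an RFC 2307 NSS client issues (RFC 2307 section 5.2), plus netgroups.
def user_by_name(name: str) -> str:
    return f"(&(objectClass=posixAccount)(uid={escape_value(name)}))"

def user_by_uid(uid: int) -> str:
    return f"(&(objectClass=posixAccount)(uidNumber={int(uid)}))"

def group_by_name(name: str) -> str:
    return f"(&(objectClass=posixGroup)(cn={escape_value(name)}))"

def group_by_gid(gid: int) -> str:
    return f"(&(objectClass=posixGroup)(gidNumber={int(gid)}))"

def netgroup_by_name(name: str) -> str:
    return f"(&(objectClass=nisNetgroup)(cn={escape_value(name)}))"


# Minimal filter parser: AND/OR/NOT plus "attr=value" items.  Nodes are
# ("&"|"|"|"!", [children]) or ("=", attr, value); >=, <=, ~= are not needed here.
def parse_filter(text: str) -> tuple:
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after filter at offset {end}")
    return node


def _parse(s: str, i: int) -> tuple:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op!r} node ending at offset {i}")
        return (op, kids), i + 1
    # Simple item: escaped values never contain a raw ')', so the next one ends it.
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:j].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed item {s[i:j]!r}")
    return ("=", attr, value), j + 1


# Which attribute identifies one specific entry of each RFC 2307 class.
_KEY_ATTRS = {
    "posixaccount": {"uid", "uidnumber"},
    "posixgroup": {"cn", "gidnumber"},
    "nisnetgroup": {"cn"},
}


def names_specific_entry(filter_text: str) -> bool:
    """True when the filter has the RFC 2307 5.2 shape described in the thread: an AND
    of objectClass=<posix class> and an equality on that class's key attribute with a
    concrete (non-wildcard) value.  A bare OR over object classes, as the appliance
    sent, enumerates rather than names an entry and so returns False."""
    node = parse_filter(filter_text)
    if node[0] != "&":
        return False
    leaves = [n for n in node[1] if n[0] == "="]
    classes = {v.lower() for _, a, v in leaves if a.lower() == "objectclass"}
    for _, attr, value in leaves:
        if attr.lower() == "objectclass" or not value or "*" in value:
            continue
        if any(attr.lower() in _KEY_ATTRS.get(cls, set()) for cls in classes):
            return True
    return False


# Constructed sample inputs (the appliance filter is the one quoted in the thread;
# the user name is made up).
APPLIANCE_FILTER = ("(|(objectClass=posixAccount)(objectClass=posixGroup)"
                    "(objectClass=nisNetgroup)(objectClass=person))")
SAMPLE_AD_USER = "jdoe@ad.example.test"
```

Feeding `user_by_name(SAMPLE_AD_USER)` to `ldapsearch` against the compat base (as in the example above) is the per-entry shape; `APPLIANCE_FILTER` is the enumeration that returns nothing for AD users, and `user_by_name("x)(uid=*")` shows the escaping keeping a hostile name as a single literal item.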
Jason B. Nance
2017-02-22 21:50:06 UTC
Post by Alexander Bokovoy
For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
This is what would be intercepted and queried through SSSD.
I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage status" says "Plugin Enabled", but searches for AD users yield no results:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=***@lab.gen.zone))' -W -x -D 'cn=Directory Manager'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=***@lab.gen.zone))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


I'm currently logged into the machine with an AD account from a trust:

[***@lab.gen.zone@sl2aospljmp0001 ~]$ whoami
***@lab.gen.zone
[***@lab.gen.zone@sl2aospljmp0001 ~]$ id
uid=21104(***@lab.gen.zone) gid=21104(***@lab.gen.zone) groups=21104(***@lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain ***@lab.gen.zone),20513(domain ***@lab.gen.zone),21112(***@lab.gen.zone),21117(***@lab.gen.zone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


If I search for a user that is local to IPA it works:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
# requesting: ALL
#

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
cn: Jason Nance
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 10008
gecos: Jason Nance
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
AwNTA1NjkxMGE0NA==
uidNumber: 10008
loginShell: /bin/bash
homeDirectory: /home/jnance-ipa
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for ***@LAB.GEN.ZONE:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=***@lab.gen.zone))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Hanoz Elavia
2017-02-22 22:07:02 UTC
Hey Jason,

I realized I had made one more change. I set up the FreeIPA server again, and
this time I added --enable-compat to my /usr/sbin/ipa-adtrust-install
command.

Yes, I cannot use GSSAPI either. I use simple bind to run an LDAP query. On
IPA clients I don't need to authenticate as IPA takes care of that. Hope
this helps.

Regards,

Hanoz


Hanoz Elavia
2017-02-22 22:08:35 UTC
Hey Jason,

Also, my bind DN is a native FreeIPA user and doesn't exist on the Active
Directory.

Regards,

Hanoz


Jason B. Nance
2017-02-22 22:19:48 UTC
I realized I had made one more change. I setup the FreeIPA server again and this
time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install command.
Is it safe to re-run ipa-adtrust-install? I have existing trusts in place.

Thanks,

j
Hanoz Elavia
2017-02-22 22:24:02 UTC
Hey Jason,

I am not sure about that. I just rebuilt my IPA server since its only
purpose is to authenticate users with the AD. As for the clients, I removed
them from the FreeIPA server using ipa-client-install --uninstall and
rebooted. Once they rebooted my saltstack state added them back to the
server. Sorry, I can't help you much there.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
Post by Hanoz Elavia
I realized I had made one more change. I setup the FreeIPA server again
and this time I added the --enable-compat with my
/usr/sbin/ipa-adtrust-install command.
Is it safe to re-run ipa-adtrust-install? I have existing trusts in place.
Thanks,
j
Alexander Bokovoy
2017-02-23 06:26:28 UTC
Post by Jason B. Nance
Post by Alexander Bokovoy
For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
This is what would be intercepted and queried through SSSD.
$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
SASL/GSSAPI authentication started
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# requesting: ALL
#
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: <some base64 value>
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage
status" says "Plugin Enabled", but searches for AD users yield no
Sorry, I forgot to mention yesterday that if you didn't use
'ipa-adtrust-install --enable-compat' then one thing is missing from the
compat tree configuration to allow resolution of AD users. Luckily, it
is a simple ldapadd that can fix it. You can use ipa-ldap-updater:


# cat 80-enable-compat-nsswitch.update
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
# ipa-ldap-updater ./80-enable-compat-nsswitch.update

and then restart 389-ds.
Post by Jason B. Nance
$ kinit
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
I used IPA user, not AD user to bind with GSSAPI.

In FreeIPA 4.4 it should work with an AD user as well, but only if the
user has an ID override entry, even an empty one:

# ipa idoverrideuser-add 'Default Trust View' ***@ad.ipa.cool

and now ***@ad.ipa.cool will be able to issue ldap searches
against IPA LDAP server from Linux machines. Note that ldp.exe will
still be unable to perform searches against IPA LDAP until
https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a
distribution.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
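The compat-plugin fix above, as an added check that is not part of the thread: the script parses the LDIF that an `ldapsearch` against `cn=Schema Compatibility,cn=plugins,cn=config` prints, reports which of the `cn=users` / `cn=groups` containers still lack `schema-compat-lookup-nsswitch`, and renders an `ipa-ldap-updater` file containing only the missing lines. The sample LDIF (and its `dc=ipa,dc=example` base) is constructed for the demonstration.

```python
# Added example (not from the thread): parse the LDIF that
# `ldapsearch -b 'cn=Schema Compatibility,cn=plugins,cn=config'` prints and
# report which compat containers still lack schema-compat-lookup-nsswitch,
# then render the ipa-ldap-updater file Alexander describes for the gap.
ATTR = "schema-compat-lookup-nsswitch"
PLUGIN_BASE = "cn=Schema Compatibility,cn=plugins,cn=config"
EXPECTED = {"cn=users," + PLUGIN_BASE: "user",      # values from the thread
            "cn=groups," + PLUGIN_BASE: "group"}

def parse_ldif(text):
    """Return {dn(lowercased): {attr(lowercased): [values]}}."""
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold LDIF continuations
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(": ")  # also drops the '::' base64 marker
        if attr.lower() == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(value)
    return entries

def missing_nsswitch_lookups(ldif_text):
    """Map container DN -> required value for containers lacking it."""
    entries = parse_ldif(ldif_text)
    return {dn: want for dn, want in EXPECTED.items()
            if want not in entries.get(dn.lower(), {}).get(ATTR, [])}

def render_update(missing):
    """Body of an ipa-ldap-updater file adding only the missing attributes."""
    blocks = [f"dn: {dn}\nadd:{ATTR}: {val}" for dn, val in missing.items()]
    return "\n\n".join(blocks) + ("\n" if blocks else "")

# Constructed sample: users container already fixed, groups container not.
SAMPLE_LDIF = """\
# users, Schema Compatibility, plugins, config
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-base: cn=accounts,dc=ipa,dc=example
schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-base: cn=accounts,dc=ipa,dc=example

# search result
"""

if __name__ == "__main__":
    print(render_update(missing_nsswitch_lookups(SAMPLE_LDIF)), end="")
```

Feed it real output with `ldapsearch -o ldif-wrap=no` or the default folded form; either way the continuation lines are unfolded before matching.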
Hanoz Elavia
2017-02-23 16:08:07 UTC
Thanks Alexander,

I have rebuilt the server with compatibility and I can now query AD users.
I'll just have to confirm with Dell / EMC whether the Isilon can now handle
this.

Regards,

Hanoz
Post by Alexander Bokovoy
Post by Alexander Bokovoy
For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
Post by Alexander Bokovoy
This is what would be intercepted and queried through SSSD.
$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
SASL/GSSAPI authentication started
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# requesting: ALL
#
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: <some base64 value>
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage
status" says "Plugin Enabled", but searches for AD users yield no
Sorry, I forgot to mention yesterday that if you didn't use
'ipa-adtrust-install --enable-compat' then one thing is missing from
compat tree configuration to allow resolution of AD users. Luckily, it
# cat 80-enable-compat-nsswitch.update
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
# ipa-ldap-updater ./80-enable-compat-nsswitch.update
and then restart 389-ds.
Post by Alexander Bokovoy
$ kinit
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
I used IPA user, not AD user to bind with GSSAPI.
In FreeIPA 4.4 it should also work with AD user as well but only if the
against IPA LDAP server from Linux machines. Note that ldp.exe will
still be unable to perform searches against IPA LDAP until
https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a
distribution.
--
/ Alexander Bokovoy