On Wed, 23 Nov 2022, Yanlish Hesap wrote:
Thanks, I have stumbled upon a solution yesterday, which was to change the
ldap search base to cn=compat,dc=ipa,dc=localdomain (from
dc=ipa,dc=localdomain). The curious thing is "dc=ipa,dc=localdomain" as the
search base was working before the RHEL8 patch cycle. Wondering if that was
a bug that made our lookups work as a fluke, or is it a new thing that
cn=compat needs to be explicitly specified?

There were a number of changes in the recent slapi-nis release and it
might be affecting you in this way. Since your search filter will not
match any of IPA users/groups anyway due to explicit use of AD domain as
required for the compat tree, I'd recommend to set the base DN to
cn=compat,dc=ipa,dc=localdomain instead.


Thanks!

On Tue, Nov 22, 2022 at 8:08 PM Alexander Bokovoy <[email protected]>
wrote:


This looks like you are relying on the compat tree functionality to
represent AD users in the compat tree (cn=compat,$BASEDN). Compat tree
is using SSSD on IPA master to resolve these requests so there should be
traces of those operations, if it succeeded/failed. Raise debug logs in
SSSD to see those.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland






_______________________________________________
FreeIPA-users mailing list -- [email protected]