I have successfully set up a Solaris 10 client so that internal FreeIPA users can log in, get the correct shell, and can sudo to root using LDAP.
The problem is that the AD trusted users cannot log in. I have read all the FreeIPA docs about enabling legacy clients, and they say to use the compat tree. I'm pretty sure I'm already doing this. Here are the contents of the ldap_client_file from my Solaris machine (which was downloaded automatically when I did ldapclient init):

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipadc1.mydomain.net
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=net
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=mydomain,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=mydomain,dc=net
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

I see that the users are coming from the accounts tree and the groups are coming from the compat tree. Is this right? The trust was created with --enable-compat, so I'm surprised that only the groups are coming from the compat tree. Does FreeIPA serve up an improperly configured DefaultDUAProfile?

I couldn't log in with this configuration, so I switched the passwd line to cn=compat just to test, but that didn't seem to work. Here is the result of getent passwd on Solaris (last 2 lines):

admin:x:375200000:375200000:Administrator:/home/admin:/bin/bash
ipauser1:x:375200006:375200006:ipa user1:/home/ipauser1:/bin/bash

So once again, we can see FreeIPA users, but not AD users. I don't think this is a Solaris problem, because when I go onto my Windows desktop and load ldp.exe and view the LDAP tree, I can view cn=compat,dc=mydomain,dc=net. However, the compat tree has a users section that only includes my FreeIPA internal users.

So my questions are:

1.) What is the point of a compat tree in FreeIPA if it doesn't list AD users?
2.) How do I get my compat tree to list my AD users?
3.) If there is something manual I have to do to make my compat tree show AD users, why is this not done when enabling the trust with --enable-compat?

From what I can see, my compat tree basically contains the exact same users and groups as my regular tree, so it will never allow a client using LDAP-only auth to see the AD users?
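The post turns on which NSS service the Solaris client resolves from which subtree. As an added check (not part of the original post), this Python script parses an ldap_client_file in the NS_LDAP_* format quoted above, using that file's contents as a constructed sample, and reports for each service whether its search base sits under cn=compat; it only makes the current mapping visible and does not decide which subtree passwd should use.

```python
from typing import Dict, List, Tuple

# Constructed sample: the ldap_client_file quoted in the post, one attribute per line.
SAMPLE_LDAP_CLIENT_FILE = """\
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipadc1.mydomain.net
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=net
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=mydomain,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=mydomain,dc=net
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
"""

def parse_ldap_client_file(text: str) -> Dict[str, List[str]]:
    """Parse NS_LDAP_* attributes; a key may repeat (SERVICE_SEARCH_DESC does)."""
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def uses_compat_tree(base_dn: str) -> bool:
    """True when the DN lies under a cn=compat container (RDN match, case-insensitive)."""
    return "cn=compat" in [rdn.strip().lower() for rdn in base_dn.split(",")]

def compat_report(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map each NSS service (passwd, group, ...) to (search base DN, served from compat?)."""
    report: Dict[str, Tuple[str, bool]] = {}
    for desc in parse_ldap_client_file(text).get("NS_LDAP_SERVICE_SEARCH_DESC", []):
        service, _, base = desc.partition(":")
        # A descriptor may carry a scope suffix such as "?one"; keep only the DN part.
        dn = base.split("?", 1)[0].strip()
        report[service.strip()] = (dn, uses_compat_tree(dn))
    return report

if __name__ == "__main__":
    for svc, (dn, compat) in compat_report(SAMPLE_LDAP_CLIENT_FILE).items():
        print(f"{svc:7s} -> {dn}  [{'compat tree' if compat else 'not compat tree'}]")
```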
