Cannot authenticate Microsoft AD user account through Freeipa IdM

I installed and set up user authentication with the FreeIPA IdM server. The FreeIPA server has a one-way trust connection to AD. All the users created in the FreeIPA can successfully authenticate through the dex web, but the users from AD cannot authenticate.
The open OnDemand node has CentOS 7.9 OS, and SSSD and FreeIPA client installed.
I suspect the issue is with Freipa configuration since ldapsearch output does not object even though the account exists in the AD and can ssh into the Open OnDemand node and the HPC cluster through the FreeIPA
Hope you can help

ldapsearch -x -h -b ‘,dc=mendy,dc=mrc,dc=gm’ -D ‘uid=xxxxx,cn=users,cn=accounts,dc=mendy,dc=mrc,dc=gm’ -W

extended LDIF
base <,dc=mendy,dc=mrc,dc=gm> with scope subtree
filter: (objectclass=*)
requesting: ALL
search result
search: 2
result: 32 No such object
matchedDN: dc=mendy,dc=mrc,dc=gm

@tdockendorf please advise. I’m not sure how the setup works and/or looks like with one identity provider being a shadow for another.

I think this is the clue we need to focus on, but I’m not even sure where to start. Maybe you need a query string that can account for both users? I’m not so good at ldap that I’d know all the fields you’d need to search by.

This seems more like a question for FreeIPA mailing list or whatever systems are setup for people using FreeIPA to ask questions. I have no experience with FreeIPA other than to know it didn’t meet my needs for identity management when I tried it out like 7 or 8 years ago. I know nothing about how a one-way trust works with FreeIPA as that didn’t exist when I tried it out years ago. If I had to guess, the trust is setup incorrectly so FreeIPA can’t validate passwords.

I think you are using wrong values for ldapsearch flags. The “-b” flag is baseDN, that would be like “ou=Users,dc=example,dc=com”. If you set the baseDN to some user account, ldapsearch won’t be able to see other user accounts because you’d essentially scoped the search to a single user.

Thank you very much.
I think the issue is with ldapsearch since the AD users can login into the HPC and the Open OnDemand node through ssh with the AD user name and password, and when ssh into the node with AD user and execute the command "id
it gives you the user name and all the groups list.

Hi All,
It seems freeipa IdM with one-way trust AD cannot be used for OOD authentication because of the way Freeipa authenticate AD user through group SID authentication.
below are the details
"The crucial factor in realizing this is that Active Directory users are recognized to the FreeIPA domain not by their Active Directory user entry but by their Active Directory group memberships.** In a sense, Active Directory users are not trusted by the FreeIPA domain — Active Directory groups are.

Active Directory groups have different attributes than Linux groups and, therefore, additional attributes than FreeIPA groups. Most critically, Active Directory groups are not POSIX groups, while FreeIPA groups are. But this, mapping Active Directory group SIDs to FreeIPA group members means that group structure in FreeIPA is essential.

FreeIPA has introduced an intermediary, non-POSIX group type, external groups, which allow entities outside FreeIPA or a Linux system to be added as a member. That external group can then be added to a standard FreeIPA (POSIX) group as a member.

When Active Directory groups are added to a FreeIPA group, they can be identified by their SID or by name, in the formats DOMAIN\group_name or group_name@domain. FreeIPA then resolves the group name to the SID and stores the SID as the group member entry, compared to any offered user PAC."
thus, freeipa cannot work with OOD for users from the trusted Active directory


This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.