Currently in an environment with trust to AD the compat tree does not show AD users as members of IPA groups. The reason is that IPA groups are read directly from the IPA DS tree and external groups are not handled.
External group memberships seem to be broken for legacy clients. We should fix this in 4.0.x if possible.
Assigning to Alexander, he knows slapi-nis well. This may also be fixed together with other slapi-nis changes in FreeIPA 4.1.
FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.
I am rather moving this to the 4.1 milestone, as this is an RFE (also, the change would be done in the slapi-nis component anyway).
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1138797
There was no time for this ticket in 4.1 - moving to later release.
This would require some serious work in slapi-nis. It may be a potential target after Global Catalog work (#3125).
FreeIPA slapi-nis config part of the ticket filed downstream.
slapi-nis plugin contains new functionality to solve this ticket.
Its configuration needs to be updated on IPA server.
patch on a list: http://www.redhat.com/archives/freeipa-devel/2016-February/msg00160.html
new sssd in updates testing: https://bodhi.fedoraproject.org/updates/FEDORA-2016-37a285ae63
Metadata Update from @sbose:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.2.4