On Wed, 30 May 2018, Adam Bishop via FreeIPA-users wrote:
Ah ha. I think you've pointed me to the root cause - the compat plugin has 2 
priority attributes!

Which is correct - 40 or 49?
It should be below ipa_pwd_extop's one, i.e. 40.

But even with that, ipa-pwd-extop reads the wrong variable, so it doesn't
get a rewritten bind DN pointing to the primary LDAP tree object.
Instead, it reads the compat tree object, which doesn't have the correct data it
needs to use to authenticate.

Could you please open a ticket at pagure.io/freeipa and attach the logs you
posted here?


SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (nsslapd-pluginprecedence=*)
# requesting: cn nsslapd-pluginprecedence
#

# IPA MODRDN, plugins, config
dn: cn=IPA MODRDN,cn=plugins,cn=config
cn: IPA MODRDN
nsslapd-pluginprecedence: 60

# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
cn: ipa-winsync
nsslapd-pluginprecedence: 60

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginprecedence: 49

# Posix Winsync API, plugins, config
dn: cn=Posix Winsync API,cn=plugins,cn=config
cn: Posix Winsync API
nsslapd-pluginprecedence: 25

# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
cn: referential integrity postoperation
nsslapd-pluginprecedence: 40

# Retro Changelog Plugin, plugins, config
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
cn: Retro Changelog Plugin
nsslapd-pluginprecedence: 25

# Schema Compatibility, plugins, config
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginprecedence: 49
nsslapd-pluginprecedence: 40

# AES, Password Storage Schemes, plugins, config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: AES
nsslapd-pluginprecedence: 1

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/P34J3YM7VXBYP4OHC4EPZBHZEZZJW7RZ/

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ACUKZZHZNHWW33FKYPBBCOIV7OOFQPN7/
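
An added example, not part of the original message or of the FreeIPA project's code: a small Python check that parses `ldapsearch` output like the one quoted in the thread and flags any plugin carrying more than one `nsslapd-pluginprecedence` value, or a Schema Compatibility value that is not below `ipa_pwd_extop`'s. The function names are hypothetical, the sample LDIF is constructed from two of the quoted entries, and the parser assumes unfolded, non-base64 LDIF.

```python
import re

# Constructed sample, trimmed from the entries quoted in the thread.
SAMPLE_LDIF = """\
# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginprecedence: 49

# Schema Compatibility, plugins, config
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginprecedence: 49
nsslapd-pluginprecedence: 40
"""

ATTR = "nsslapd-pluginprecedence"

def parse_precedence(ldif):
    """Return {plugin cn: [precedence values]}; entries are blank-line separated."""
    plugins = {}
    for block in re.split(r"\r?\n\s*\r?\n", ldif):
        cn, values = None, []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # LDIF comment or non-attribute noise
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "cn":
                cn = value
            elif key == ATTR:
                values.append(int(value))
        if cn is not None and values:
            plugins[cn] = values
    return plugins

def audit(plugins, compat="Schema Compatibility", pwd="ipa_pwd_extop"):
    """Flag duplicated precedence values and a compat value not below pwd's."""
    findings = [f"{n}: multiple precedence values {v}"
                for n, v in sorted(plugins.items()) if len(v) > 1]
    c, p = plugins.get(compat), plugins.get(pwd)
    if c and p and max(c) >= min(p):
        findings.append(f"{compat} {c} is not below {pwd} {p}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_precedence(SAMPLE_LDIF)):
        print(finding)
```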