On 15.06.23 15:27, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 01.06.23 08:10, Ronald Wimmer via FreeIPA-users wrote:
On 31.05.23 20:18, Alexander Bokovoy wrote:
On Wed, 31 May 2023, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
We managed to integrate AIX IPA clients successfully some time ago. sudo
was also working fine. A few weeks ago sudo stopped working.

It begs the question: what happened a few weeks ago? Did you upgrade
anything?

My AIX colleagues say no.


What version of IPA server?

What version of slapi-nis package?

Version      : 0.60.0
Release      : 1.module+el8.7.0+20837+581a7c1e

The /etc/ldap.conf on our AIX clients contains the following line:
sudoers_base cn=users,cn=compat,ou=sudoers,dc=linux,dc=mydomain,dc=at

I believe it should be ou=sudoers,dc=linux,dc=mydomain,dc=at

Why don't I see an ou=sudoers with an LDAP browser? Is there some kind
of magic going on I am not aware of?


If we try to look that up with an LDAP browser we do not even find an OU
named "sudoers". Did the LDAP structure change in the recent past? What
should the sudoers_base line contain?

Changes were made in slapi-nis which provides the compat tree but like I
said, I don't know that cn=users,cn=compat,ou=sudoers would have ever
worked.

Indeed. That DN would have never matched anything.

I agree because that DN simply does not exist in the LDAP tree.


# grep -E 'dn: .*,cn=Schema Compatibility|schema-compat-container' /etc/dirsrv/slapd-IPA-TEST/dse.ldif

Here is where confusion starts for me. What is that compat stuff?
Should I be able to see that in the LDAP tree with an LDAP browser or
is there a different mechanism in place? (I am only aware that one can
import and export ldif files...)

So... any hints here on how to proceed?

The compat trees are virtual and not advertised as backends which is why
LDAP browsers can't find them. Navigating directly to it should work, or
use ldapsearch.

Thank you! I could find it by navigating to it directly. Unfortunately, I do not see a "sudoers" entry in the compat tree. Where should it be located?



