> On Wed, 11 Oct 2023, Finn Fysj via FreeIPA-users wrote:
>
> You have to use some identity to bind to LDAP. For example, use your own
> user account.
>
> $ ldapsearch -x -H ldap://new.ipa1 \
>     -D uid=finn,cn=users,cn=accounts,dc=example,dc=com -W \
>     -b cn=users,cn=accounts,dc=example,dc=com \
>     '(uid=finn)' memberOf ipasshpubkey
>
> -D option to ldapsearch is providing LDAP DN to bind to
> -W option to ldapsearch is saying 'ask for a password'
>
>
> Perhaps somebody did set up relaxed access controls on your old IPA
> servers? It is certainly not what we aim for, especially these days.

That could be.
Have there been any changes to permissions?
The old IPA is running: 4.6.8
The new IPA is running: 4.10.1.

I've also found the following on the old IPA:

dn: cn=Anonymous ipaSSHPubKey read,cn=permissions,cn=pbac,dc=example,dc=com
  Permission name: Anonymous ipaSSHPubKey read
  Granted rights: read
  Effective attributes: ipasshpubkey
  Included attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Raw target filter: (objectclass=posixaccount)
  Type: user
  Permission flags: SYSTEM, V2
  objectclass: top, groupofnames, ipapermission, ipapermissionv2
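
The permission entry quoted in this message has bind rule type anonymous, so it grants read access to ipasshpubkey without the -D/-W bind described earlier in the thread. As an added example (not part of the original thread and not FreeIPA's own code), the shell function below scans permission entries in that text layout and lists those granted to anonymous binds; the function names and the second sample entry are constructed, and the input is assumed to use the field labels shown above.

```shell
#!/bin/sh
# Added example: list permissions whose "Bind rule type" is anonymous.
# Input on stdin: blank-line-separated entries in the layout quoted above.
anon_permissions() {
    awk '
    function flush() {
        if (bind == "anonymous")
            printf "%s\t%s\t%s\n", name, subtree, attrs
        name = subtree = attrs = bind = ""
    }
    # Split "Key: value" on the first ": " only; DN values contain "=" and ",".
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "") { flush(); next }
        sep = index(line, ": ")
        if (sep == 0) next
        key = substr(line, 1, sep - 1)
        val = substr(line, sep + 2)
        if (key == "Permission name")           name = val
        else if (key == "Effective attributes") attrs = val
        else if (key == "Bind rule type")       bind = tolower(val)
        else if (key == "Subtree")              subtree = val
    }
    END { flush() }
    '
}

# Constructed sample: the first entry is abridged from the thread, the second
# is a made-up permission that is not granted to anonymous binds.
sample_permissions() {
    cat <<'EOF'
dn: cn=Anonymous ipaSSHPubKey read,cn=permissions,cn=pbac,dc=example,dc=com
  Permission name: Anonymous ipaSSHPubKey read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com

dn: cn=Example Read Keys,cn=permissions,cn=pbac,dc=example,dc=com
  Permission name: Example Read Keys
  Effective attributes: ipasshpubkey
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=example,dc=com
EOF
}

sample_permissions | anon_permissions
```

Each output line is tab-separated: permission name, subtree, and the attributes an unauthenticated client can read there.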
