Hi, I am using docker image freeipa/freeipa-server:almalinux-9
and did use docker-compose.yml:

...
    hostname: ipa.example.com
    environment:
      IPA_SERVER_HOSTNAME: ipa.example.com
      TZ: "Europe/Berlin"
      PASSWORD: 'XXX'
      # DEBUG_NO_EXIT: 1
    command:
      - -U
      - --domain=clients.ipa.example.com
      # Must match the last part of the Domain-Name and must be upper case and routed to the domain
      - --realm=EXAMPLE.COM
      - --http-pin=XXX
      - --dirsrv-pin=XXX
      - --setup-dns
      # - --no-host-dns
      # Both passwords will be taken from env PASSWORD:
      # - --ds-password=SOMEThinK
      # - --admin-password=SOMEThinK
      # NTP - not needed, this is the server which time is taken from /etc/localtime see volumes
      # This server has also a chrony-daemon running here to sync time
      - --no-ntp
      # - --ntp-server=172.0.0.11
      - --auto-forwarders
      # - --forwarder=192.168.178.1
      # Error: Unable to determine the amount of available RAM
      - --skip-mem-check
...

where ipa-server-install is called with the arguments of "command:".

The DNS is set up right:
DNS Resource Records: clients.ipa.example.com. ...

The service is set up to be on hostname:
Service: DNS/[email protected]

But for LDAP I cannot see resources, only the service in FreeIPA:
Service: ldap/[email protected]

Using a browser (jxplorer) to access LDAP, connecting to cn=etc,dc=clients,dc=ipa,dc=example,dc=com I can see a "changelog" directly after connecting:

cn              changelog
objectClass     nsContainer
objectClass     top

changeNumber    45
changeTime      20240911092231Z
changeType      modify
objectClass     changelogentry
objectClass     extensibleObject
objectClass     top
targetDn        idnsname=clients.ipa.example.com.,cn=dns,dc=example,dc=com
changes         (non string data)
targetuniqueid  64af5c10xxx

Don't know what that means, but it seems like it redirects to cn=etc,dc=example,dc=com, as the directory list is showing dc=example,dc=com only.

In cmd ldapsearch I still cannot query cn=etc,dc=clients,dc=ipa,dc=example,dc=com...

Is that a feature of LDAP/389ds? Maybe leading to ipa-server-install using dc=example,dc=com and setting up "change top", but SSSD/ldapsearch cannot use it?
Or is it a bug in ipa-server-setup? Is there a way to change the basedn for LDAP after installation?

--
Kind regards
Daniel Pätzold
Consultant
M +49 151 51705386
[email protected]
Penta Energy GmbH, Wildganssteig 32a, 13503 Berlin
HRB Nr. 228730 B | Managing Director: Dr. Stefan Reuter

On 11.09.24 at 13:57, Florence Blanc-Renaud wrote:
Hi,

On Wed, Sep 11, 2024 at 1:45 PM Daniel Paetzold via FreeIPA-users <[email protected]> wrote:

> I have set up FreeIPA to use a domain like clients.ipa.example.com
>
> When starting SSSD now, it tries to find the ipaDomainResolutionOrder in
> [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=clients,dc=ipa,dc=example,dc=com]
>
> At this DN, my LDAP instance has no information (no result). So SSSD is refusing to work with:
>
> [sdap_get_generic_ext_step] (0x0400): [RID#1] calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=clients,dc=ipa,dc=example,dc=com].
> [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaDomainResolutionOrder]
> [ipa_domain_resolution_order_done] (0x0040): [RID#1] Failed to get the domains' resolution order configuration from the server [22]: Wrong Argument
>
> I can successfully query the LDAP tree at
> [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=penta-energy,dc=de]
> at the server; neither cn=etc,dc=ipa,dc=penta-energy,dc=de nor cn=etc,dc=clients,dc=ipa,dc=example,dc=com is working.
>
> I set up freeipa-install with domain=clients.ipa.example.com
>
> What have I done wrong?
> Should LDAP deliver dc=clients,dc=ipa,dc=example,dc=com, or is cn=etc,dc=penta-energy,dc=de right and SSSD is doing it wrong?

If the server was installed with *ipa-server-install --domain clients.ipa.example.com*, then the LDAP server will create the entries below dc=clients,dc=ipa,dc=example,dc=com.

How exactly did you set up the server? Any idea how the tree below cn=etc,dc=penta-energy,dc=de was created?

flo

> Regards,
> Daniel
> --

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
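The thread turns on where SSSD looks for cn=etc versus where the server actually created its tree. The script below is an added example for this thread, not code from FreeIPA, SSSD or either poster. It derives the default search base the way SSSD's IPA provider does from ipa_domain (dc= per DNS label), derives a second suffix from the Kerberos realm (my assumption here is that ipa-server-install builds the directory suffix from the realm, so --realm=EXAMPLE.COM with --domain=clients.ipa.example.com yields two different bases), parses the ldap_search_ext lines from SSSD debug output, and checks each searched base against the server's namingContexts. The first two log lines are copied from the thread; the third log line and the NAMING_CONTEXTS list are constructed so the checker has a passing case. The real naming contexts come from the root DSE: ldapsearch -x -H ldap://ipa.example.com -s base -b "" namingContexts.

```python
"""Compare the base DN SSSD derives from ipa_domain with the suffixes a FreeIPA
server actually serves.  Added example; not FreeIPA or SSSD code."""
import re

# Lines 1-2 are from the thread; line 3 is constructed so one search passes.
SSSD_LOG = """\
[sdap_get_generic_ext_step] (0x0400): [RID#1] calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=clients,dc=ipa,dc=example,dc=com].
[sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaDomainResolutionOrder]
[sdap_get_generic_ext_step] (0x0400): [RID#2] calling ldap_search_ext with [(objectClass=*)][cn=etc,dc=example,dc=com].
"""

# Assumed root DSE answer (constructed, not captured from the server in the
# thread).  Fetch the real values with:
#   ldapsearch -x -H ldap://ipa.example.com -s base -b "" namingContexts
NAMING_CONTEXTS = ["dc=example,dc=com", "cn=changelog", "o=ipaca"]


def domain_to_basedn(domain):
    """clients.ipa.example.com -> dc=clients,dc=ipa,dc=example,dc=com.
    This is the transform SSSD's IPA provider applies to ipa_domain when
    ldap_search_base is not set explicitly."""
    labels = [lbl for lbl in domain.strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError(f"not a DNS domain: {domain!r}")
    return ",".join(f"dc={lbl}" for lbl in labels)


def realm_to_suffix(realm):
    """EXAMPLE.COM -> dc=example,dc=com.  Assumption of this example: the
    server installer derives the directory suffix from the realm, so a realm
    that is not just the upper-cased domain produces a different suffix."""
    return domain_to_basedn(realm)


def normalize_dn(dn):
    """Lower-case and trim each RDN so simple dc=/cn= DNs compare as strings
    (no RFC 4514 escaping handled; enough for IPA-style DNs)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def dc_suffix(dn):
    """Drop leading non-dc RDNs: cn=etc,dc=a,dc=b -> dc=a,dc=b."""
    rdns = normalize_dn(dn).split(",")
    while rdns and not rdns[0].startswith("dc="):
        rdns.pop(0)
    return ",".join(rdns)


SEARCH_RE = re.compile(
    r"calling ldap_search_ext with \[(?P<filter>[^\]]*)\]\[(?P<base>[^\]]*)\]")


def searches_from_sssd_log(text):
    """Return (filter, base) for every ldap_search_ext call in SSSD debug output."""
    found = []
    for line in text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            found.append((m.group("filter"), m.group("base")))
    return found


def check_search_bases(text, naming_contexts):
    """For each SSSD search, True only if its dc-suffix is exactly one of the
    server's naming contexts.  Being lexically *below* a context is not enough:
    FreeIPA creates cn=etc and friends directly under its suffix, so
    cn=etc,dc=clients,dc=ipa,dc=example,dc=com does not exist on a server whose
    suffix is dc=example,dc=com."""
    served = {normalize_dn(nc) for nc in naming_contexts}
    return [(base, dc_suffix(base) in served)
            for _filt, base in searches_from_sssd_log(text)]


def explain_mismatch(domain, realm, naming_contexts):
    """Compare the domain-derived and realm-derived bases with what is served."""
    served = {normalize_dn(nc) for nc in naming_contexts}
    from_domain = domain_to_basedn(domain)
    from_realm = realm_to_suffix(realm)
    return {
        "sssd_default_base": from_domain,
        "realm_derived_suffix": from_realm,
        "sssd_base_is_served": from_domain in served,
        "realm_suffix_is_served": from_realm in served,
    }


if __name__ == "__main__":
    for base, ok in check_search_bases(SSSD_LOG, NAMING_CONTEXTS):
        print(("served   " if ok else "MISSING  ") + base)
    print(explain_mismatch("clients.ipa.example.com", "EXAMPLE.COM", NAMING_CONTEXTS))
```

With the values from the thread the first search base is reported as missing and the realm-derived suffix as served, which is the pattern to look for when SSSD's ipa_domain and the server's suffix disagree; confirm against the real namingContexts before changing anything, since a wrong ldap_search_base in sssd.conf silently breaks lookups rather than failing loudly.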
