Again, I appreciate your help.

Seemingly my LDIF perhaps was not loaded correctly.
I see no userPassword attribute.

ldapsearch -x -b dc=nes,dc=edited,dc=com

# ttest, users, accounts, nes.edited.com
dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
displayName: Tim  Test
cn: Tim  Test
title: test User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: radiusprofile
loginShell: /bin/bash
gidNumber: 1002
gecos: Tim  Test
sn: Test
homeDirectory: /home/ttest
uid: ttest
mail: tim.t...@nes.edited.com
krbPrincipalName: tt...@edited
initials: TT
uidNumber: 1102
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=nes,dc=edited,dc=com
krbLastPwdChange: 20091006002554Z
krbPasswordExpiration: 20091006002554Z
givenName: Tim

This is the .ldif file I added, but I do not see a "userPassword" attribute in it.
Am I using a correct .ldif file?


dn: cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: nsSlapdPlugin
add: objectclass: extensibleObject
add: cn: NIS Server
add: nsslapd-pluginpath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
add: nsslapd-plugininitfunc: nis_plugin_init
add: nsslapd-plugintype: object
add: nsslapd-pluginenabled: on
add: nsslapd-pluginid: nis-server
add: nsslapd-pluginversion: 0.15
add: nsslapd-pluginvendor: redhat.com
add: nsslapd-plugindescription: NIS Server Plugin
add: nis-tcp-wrappers-name: nis-server

dn: nis-domain=rwceng+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: passwd.byname
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: passwd.byuid
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: group.byname
add: nis-base: cn=Groups, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: group.bygid
add: nis-base: cn=Groups, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: group.upg
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-filter: (objectclass=posixAccount)
add: nis-key-format: %{uid}
add: nis-value-format: %{uid}:*:%{gidNumber}:%{uid}
add: nis-secure: no
add: nis-disallowed-chars: :,

dn: nis-domain=rwceng+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: netid.byname
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-secure: no



Nalin Dahyabhai wrote:
On Tue, Oct 06, 2009 at 11:33:02AM -0700, Gary Verhulp wrote:
Thanks for the response.
I have the NIS config on the client setup correctly I believe.
This client was moved from my current NIS domain and works fine.

It's not that the client does not bind to the new FreeIPA NIS domain, but rather there is no passwd hash in the output of ypcat -k passwd so it has no way to auth.

ga...@fell:/var/log$ ypcat -k passwd
ttest ttest:*:1102:1002:Tim  Test:/home/ttest:/bin/bash

The plugin's default configuration has it search for a "crypt" style
value in the userPassword attribute for that entry, which is what a
client would understand.  (Specifically, it looks for an entry that
begins with the magic value "{CRYPT}", strips that off of the front, and
puts the rest into that field.  Failing that, it uses "*".)

If you use ldapsearch to search for ttest's entry as the directory
administrator, do you see values of the form "{CRYPT}xxxxxxxxxxxxx" for
the entry's "userPassword" attribute?

If they're base64-encoded (marked by two ':' characters instead of one
between the attribute name and value in the LDIF output), you may need
to pipe the value through "openssl base64 -d" or something similar.

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
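
The password-field rule Nalin describes above, as an added example (not part of the original thread and not the plugin's own code): it parses ldapsearch-style LDIF, decodes base64 (`::`) values, and derives the passwd map line for an entry with no visible userPassword (as in the `ldapsearch -x` output above, which binds anonymously), one with a `{CRYPT}` value, and one with a different scheme. The function names and the sample password values are constructed for illustration.

```python
import base64

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # unfold LDIF continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def nis_password_field(entry):
    """First userPassword value starting with {CRYPT}, prefix stripped; else '*'."""
    for value in entry.get("userpassword", []):
        if value.startswith("{CRYPT}"):
            return value[len("{CRYPT}"):]
    return "*"

def passwd_line(entry):
    """Build the passwd map value in the layout shown by ypcat in the thread."""
    first = lambda attr: entry.get(attr, [""])[0]
    return ":".join([first("uid"), nis_password_field(entry), first("uidnumber"),
                     first("gidnumber"), first("gecos"), first("homedirectory"),
                     first("loginshell")])

# Constructed sample input modelled on the ttest entry in the thread.
BASE = """dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
uid: ttest
uidNumber: 1102
gidNumber: 1002
gecos: Tim  Test
homeDirectory: /home/ttest
loginShell: /bin/bash
"""
CRYPT_B64 = base64.b64encode(b"{CRYPT}xxxxxxxxxxxxx").decode()  # placeholder hash
WITH_CRYPT = BASE + "userPassword:: " + CRYPT_B64 + "\n"
WITH_OTHER = BASE + "userPassword: {SSHA}constructed-not-a-real-hash\n"

if __name__ == "__main__":
    for sample in (BASE, WITH_CRYPT, WITH_OTHER):
        print(passwd_line(parse_ldif_entry(sample)))
```
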
