On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose <sb...@redhat.com> wrote:
> On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote: > > On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote: > > > > ... > > > > > > > > "something bad happened" isn't very useful. And since SSS refuses to > try > > > and authenticate users without an encrypted connection, I can't easily > use > > > wireshark and friends to debug at the protocol level. While I could > > > probably patch the source to print the actual LDAP error with > > > ldap_err2string(), or maybe gdb the process and set a breakpoint when > things > > > go wrong to hopefully get some more useful information, this is beyond > what > > > I'd normally consider doing when deploying new software. Any > suggestions? > > > > I'm currently installing eDirectory and I will try to reproduce the > > behaviour you have found. > > I have run some basic authentication test with eDirectory 8.8-SP5 and > everything worked fine. I have to admit that I have used the current > master of sssd which includes a lot of changes to the LDAP code. Would > you mind to test our current beta release from > http://kojipkgs.fedoraproject.org/packages/sssd/1.2.91/21.fc14/ . It is > for rawhide but should work fine on F13, too. > Sure, I'll give it a shot and report back what I find. > I also didn't use LDAP aliases. Can you check if setting DEREF in > /etc/openldap/ldap.conf helps? If not, can you give a short description > how aliases are used in your case so that I can set up a similar > environment? > Setting DEREF to always in /etc/openldap/ldap.conf works. Aliasing is only needed for one DN in our tree: everyone's default group is aliased to another DN in another branch of the tree. I wish there were some way to enable aliasing on a per-map basis (e.g. only groups or only users) so that you'd only take the performance hit where necessary, but I'm not aware of any NSS LDAP client that does this. > Thanks. > > bye, > Sumit > > > > > > > > > Moving on... > > > > > > We will need to dereference LDAP aliases but I have not yet been able > to > > > find a setting to enable this. I also have not found the equivalent of > the > > > > I have added a RFE to sssd trac > > (https://fedorahosted.org/sssd/ticket/568). As a sort term fix you can > > add the appropriate DEREF option to /etc/openldap/ldap.conf. > > > > > pam_password_prohibit_message setting in /etc/ldap.conf; while not > strictly > > > required, it is nice to refer users to the proper way to change > passwords in > > > our environment. > > > > Currently there is only a configurable message if password resets by > > root fail. I have added https://fedorahosted.org/sssd/ticket/569 to > > track this. > > > > bye, > > Sumit > > > > > > > > Any help would be appreciated. Thanks! > > > > > > Scott Duckworth, Systems Programmer II > > > Clemson University School of Computing > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users@redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users@redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users >
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
