On Thu, Jul 22, 2010 at 11:19:44AM -0400, Scott Duckworth wrote:
> On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose <[email protected]> wrote:
>
> > On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote:
> > > On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote:
> > > >
> > > ...
> > >
> > > > "something bad happened" isn't very useful. And since SSS refuses to
> > > > try and authenticate users without an encrypted connection, I can't
> > > > easily use wireshark and friends to debug at the protocol level. While
> > > > I could probably patch the source to print the actual LDAP error with
> > > > ldap_err2string(), or maybe gdb the process and set a breakpoint when
> > > > things go wrong to hopefully get some more useful information, this is
> > > > beyond what I'd normally consider doing when deploying new software.
> > > > Any suggestions?
> > >
> > > I'm currently installing eDirectory and I will try to reproduce the
> > > behaviour you have found.
> >
> > I have run some basic authentication tests with eDirectory 8.8-SP5 and
> > everything worked fine. I have to admit that I have used the current
> > master of sssd, which includes a lot of changes to the LDAP code. Would
> > you mind testing our current beta release from
> > http://kojipkgs.fedoraproject.org/packages/sssd/1.2.91/21.fc14/ . It is
> > for rawhide but should work fine on F13, too.
>
> Sure, I'll give it a shot and report back what I find.
>
> > I also didn't use LDAP aliases. Can you check if setting DEREF in
> > /etc/openldap/ldap.conf helps? If not, can you give a short description
> > of how aliases are used in your case so that I can set up a similar
> > environment?
>
> Setting DEREF to always in /etc/openldap/ldap.conf works. Aliasing is only

nice, so authentication is working for you now?

> needed for one DN in our tree: everyone's default group is aliased to
> another DN in another branch of the tree. I wish there were some way to
> enable aliasing on a per-map basis (e.g. only groups or only users) so that
> you'd only take the performance hit where necessary, but I'm not aware of
> any NSS LDAP client that does this.
>

The reason might be that the OpenLDAP libraries do not let you specify the
deref option in the exported ldap_search routines. It is only an option for
the whole connection.

bye,
Sumit

> > Thanks.
> >
> > bye,
> > Sumit
> >
> > > > Moving on...
> > > >
> > > > We will need to dereference LDAP aliases but I have not yet been able
> > > > to find a setting to enable this. I also have not found the equivalent
> > > > of the
> > >
> > > I have added an RFE to sssd trac
> > > (https://fedorahosted.org/sssd/ticket/568). As a short term fix you can
> > > add the appropriate DEREF option to /etc/openldap/ldap.conf.
> > >
> > > > pam_password_prohibit_message setting in /etc/ldap.conf; while not
> > > > strictly required, it is nice to refer users to the proper way to
> > > > change passwords in our environment.
> > >
> > > Currently there is only a configurable message if password resets by
> > > root fail. I have added https://fedorahosted.org/sssd/ticket/569 to
> > > track this.
> > >
> > > bye,
> > > Sumit
> > >
> > > > Any help would be appreciated. Thanks!
> > > >
> > > > Scott Duckworth, Systems Programmer II
> > > > Clemson University School of Computing
> > > >
> > > > _______________________________________________
> > > > Freeipa-users mailing list
> > > > [email protected]
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
