On 10/17/2012 12:49 PM, Macklin, Jason wrote:
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b 
"dc=dbr,dc=roche,dc=com" uid=asteinfeld \*
<snip>


dn: uid=asteinfeld,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
...snip...
krbPrincipalName: asteinf...@dbr.roche.com
krbPasswordExpiration: 20130324201805Z
krbLastPwdChange: 20120925201805Z
krbLoginFailedCount: 0
krbLastSuccessfulAuth: 20121017184614Z
krbTicketFlags: 128
krbLastFailedAuth: 20121015143818Z

No krbPwdLockoutDuration attribute - so according to ipalockout_preop() this means the "Entry permanently locked". Not sure why.

[jmacklin@dbduwdu062 Desktop]$ ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D 
"cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=jmacklin \*Enter LDAP 
Password:
dn: uid=jmacklin,cn=users,cn=compat,dc=dbr,dc=roche,dc=com
objectClass: posixAccount
objectClass: top
gecos: Jason Macklin
cn: Jason Macklin
uidNumber: 2084
gidNumber: 2084
loginShell: /bin/bash
homeDirectory: /home2/jmacklin
uid: jmacklin

dn: uid=jmacklin,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
displayName: Jason Macklin
cn: Jason Macklin
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/bash
sn: Macklin
gecos: Jason Macklin
homeDirectory: /home2/jmacklin
krbPwdPolicyReference: cn=global_policy,cn=DBR.ROCHE.COM,cn=kerberos,dc=dbr,dc
  =roche,dc=com
krbPrincipalName: jmack...@dbr.roche.com
givenName: Jason
uid: jmacklin
initials: JM
uidNumber: 2084
gidNumber: 2084
ipaUniqueID: 045652b4-8e3c-11e1-831f-005056bb0010
mepManagedEntry: cn=jmacklin,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=dbr,dc=roche,
  dc=com
memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=dbr,dc=roche
  ,dc=com
memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dbr,dc=ro
  che,dc=com
memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dbr,dc=ro
  che,dc=com
memberOf: cn=Host Enrollment,cn=privileges,cn=pbac,dc=dbr,dc=roche,dc=com
memberOf: cn=Manage host keytab,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=com
memberOf: cn=Enroll a host,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=com
memberOf: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dbr,dc=r
  oche,dc=com
memberOf: cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=co
  m
memberOf: cn=Manage service keytab,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=c
  om
memberOf: cn=dbr,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
memberOf: ipaUniqueID=23216c12-9934-11e1-bd4c-005056bb0010,cn=sudorules,cn=sud
  o,dc=dbr,dc=roche,dc=com
krbLastFailedAuth: 20121017164159Z
krbPrincipalKey:: MIIC4qADAgEBoQMCAQGiAwIBBaMDAgEBpIICyjCCAsYwbaAgMB6gAwIBAKEX
  BBVEQlIuUk9DSEUuQ09Nam1hY2tsaW6hSTBHoAMCARKhQAQ+IACOG0H0Ebd8nSSY6zU3Y29ZHtQ9a
  sC2QJFL/lnbaFO1DYG15WjJYXnJ7k3m0LN0aTyjvz7FN4OWMF4tvvowXaAgMB6gAwIBAKEXBBVEQl
  IuUk9DSEUuQ09Nam1hY2tsaW6hOTA3oAMCARGhMAQuEAD6UdNSe/mp8qqi4OuT7HOqIs80DFQDRny
  37aZaD4lYrFsnQiBtpnpMnNSxADBloCAwHqADAgEAoRcEFURCUi5ST0NIRS5DT01qbWFja2xpbqFB
  MD+gAwIBEKE4BDYYADAQZLDW61U+4aEZT4b+/X/OpiQLHTQlyIUolm9EjVG4wXu+8Mn4lMYMZyR/F
  Gw6NWeeq1kwXaAgMB6gAwIBAKEXBBVEQlIuUk9DSEUuQ09Nam1hY2tsaW6hOTA3oAMCARehMAQuEA
  CiWDGd28XkiaDAwpGyK0MqSawLCXs+jKOFAA5BoSpayVTJJqjzAwSEitSu5zBVoCAwHqADAgEAoRc
  EFURCUi5ST0NIRS5DT01qbWFja2xpbqExMC+gAwIBCKEoBCYIAKL5bzV4nQide/+6/2FE5LxYGULv
  8Ws/Uu0RXrwAnR8/ZuUh0TBVoCAwHqADAgEAoRcEFURCUi5ST0NIRS5DT01qbWFja2xpbqExMC+gA
  wIBA6EoBCYIANgV0agxRmfBwY2Cb7gPlm1oWDY5qhZidd8a0KmeIlBG56XLZjAzoTEwL6ADAgEBoS
  gEJggAo/BQC7g4SWQY0UkU7rvoOAXwobVlAZn8mesgQEznRDr2+bxjME2gGDAWoAMCAQWhDwQNREJ
  SLlJPQ0hFLkNPTaExMC+gAwIBAaEoBCYIAMDDcwjYU6jLJTnE+Lzs0Ulxgf4FDEnTRXTjfJBqXIJb
  R5aBPg==
krbLastPwdChange: 20120809140419Z
krbPasswordExpiration: 20130205140419Z
userPassword:: e1NTSEF9a0NXcUxTc1JOQ2tEUVlLVVF4VTdJLzh1TXREVnBWZjlnMWRxa0E9PQ=
  =
krbExtraData:: AAJjwyNQa2FkbWluZEBEQlIuUk9DSEUuQ09NAA==
krbLastSuccessfulAuth: 20121017184444Z
krbLoginFailedCount: 0
krbTicketFlags: 128

So with all of that output, I would like to mention the discrepancy with ldap.conf.  Just 
trying to get any "sudo" working on RHEL 6.3 was problematic until I stumbled 
upon a post that mentioned creating/editing /etc/sudo-ldap.conf rather then 
/etc/ldap.conf or /etc/openldap/ldap.conf.  If I remove the /etc/sudo-ldap.conf then I 
have no sudo capabilities at all.

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Wednesday, October 17, 2012 2:06 PM
To: Macklin, Jason {DASB~Branford}
Cc: rcrit...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per 
command or host level.

On 10/17/2012 11:51 AM, Macklin, Jason wrote:
I assume that this iteration was with the correct credentials as it responds with 
something other then "Invalid Credentials"

ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" 
-W uid=asteinfeld \* krbPwdLockoutDuration ?
Enter LDAP Password:
No such object (32)

Working account returns same thing...

ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" 
-W uid=jmacklin \* krbPwdLockoutDuration ?
Enter LDAP Password:
No such object (32)
Sorry, I though ipa would have configured your /etc/openldap/ldap.conf with 
your base dn.  Try this:

ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b 
"dc=dbr,dc=roche,dc=com" uid=jmacklin \*
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, October 17, 2012 1:37 PM
To: Macklin, Jason {DASB~Branford}
Cc: rmegg...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per 
command or host level.

Macklin, Jason wrote:
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" 
-W uid=asteinfeld \* krbPwdLockoutDuration ?
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

I know this user password because I reset it for the purpose of troubleshooting 
this issue with that account. I also get the same response when I use the admin 
account of my own account.
You use the password of the user you are binding as, in this case the directory 
manager.

rob

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Wednesday, October 17, 2012 1:15 PM
To: Macklin, Jason {DASB~Branford}
Cc: s...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per 
command or host level.

On 10/17/2012 11:13 AM, Macklin, Jason wrote:
None of my users have an LDAP password being requested by running that command 
(except the admin user).

Does each user account require an ldap account to go along with their login 
account?  I just get the following over and over no matter which account I 
switch in the command...

[jmacklin@dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W 
uid=admin \* krbPwdLockoutDuration ?
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[jmacklin@dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W 
uid=asteinfeld \* krbPwdLockoutDuration ?
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[jmacklin@dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W 
uid=jmacklin \* krbPwdLockoutDuration ?
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
You have to specify which server to talk to using the -H ldap://fqdn.of.host 
option.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to