On Wed, 12 Feb 2014, Tamas Papp wrote:
$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
ldap_bind: Referral (10)
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against compat is
What is err=10?
slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
In older versions slapi-nis issues LDAP referral to the original LDAP
entry with the hope that an LDAP client would follow it and perform a
bind against the referral.
Unfortunately, there is virtually no client software that supports the
referral on bind operation.
In short, you cannot do LDAP bind against compat tree in RHEL before
/ Alexander Bokovoy
Freeipa-users mailing list