On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Tamas Papp wrote:
>>
>> On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
>>> On Wed, 12 Feb 2014, Tamas Papp wrote:
>>>> hi All,
>>>>
>>>> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
>>>> ldap_bind: Referral (10)
>>>>     referrals:
>>>>         ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>>>>
>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>>>>
>>>> System is CentOS 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
>>>> Non-compat authentication works fine and authorization against
>>>> compat is also fine.
>>>>
>>>> What is err=10?
>>> slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
>>> compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
>>>
>>> In older versions slapi-nis issues LDAP referral to the original LDAP
>>> entry with the hope that an LDAP client would follow it and perform a
>>> bind against the referral.
>>>
>>> Unfortunately, there is virtually no client software that supports the
>>> referral on bind operation.
>>>
>>> In short, you cannot do LDAP bind against compat tree in RHEL before
>>> 7.0.
>>
>> I forgot to mention, the client would be Ubuntu 12.04 and it
>> works/worked with IPA 3.3 and F20.
> It worked with IPA 3.3 because of what I wrote above -- I implemented
> LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
> referral to the original entry's DN.
>
>> If I understand correctly, you're referring to the client side, are you?
> No.
>
>> Or is it true for the server side as well?
> It is purely a server-side issue. slapi-nis < 0.47.5 does not support
> proper authentication against compat tree that LDAP clients understand.

OK, that's clear now. Sorry I wasn't aware of slapi-nis behaviour :)

Thanks,
tamas

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users