On 02/12/2014 09:30 AM, Tamas Papp wrote:
On 02/12/2014 03:04 PM, Petr Spacek wrote:
On 12.2.2014 15:01, Tamas Papp wrote:
On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
On Wed, 12 Feb 2014, Tamas Papp wrote:
On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
On Wed, 12 Feb 2014, Tamas Papp wrote:
hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
ldap_bind: Referral (10)
     referrals:
         ldap:///uid=USER,cn=users,cn=accounts,dc=foo




[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is CentOS 6.5 and LDAP was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against compat is also fine.


What is err=10?
slapi-nis module in RHEL 6.x (and CentOS) does not support bind against compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

In older versions slapi-nis issues LDAP referral to the original LDAP
entry with the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports the referral on bind operation.

In short, you cannot do LDAP bind against compat tree in RHEL before 7.0.
I forgot to mention, the client would be Ubuntu 12.04 and it works/worked with IPA 3.3 and F20.
It worked with IPA 3.3 because of what I wrote above -- I implemented LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP referral to the original entry's DN.

If I understand correctly, you're referring to the client side, are you?
No.

Or it is true for the server side as well?
It is purely a server-side issue. slapi-nis < 0.47.5 does not support proper authentication against compat tree that LDAP clients understand.
Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the trick.
BTW why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is ... obsolete. SSSD has some very nice features like off-line cache etc.
I don't know it.
After a quick look I wasn't able to set it up correctly: 'id USER' didn't connect to its socket like with nscd/nslcd, even though nsswitch.conf was configured.
Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the central identity stores.
If you plan to use it with IPA you do not need to configure SSSD manually.
ipa-client-install will do the trick: just install the ipa-client package and run the command.



Thx,
tamas

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





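An added example, not part of the thread, that turns the diagnosis above into a check an admin can run over a 389-ds access log: it pairs BIND and RESULT lines by conn/op and reports binds the server answered with err=10 (referral) rather than authenticating, and it extracts the target DN from the referral URL ldapsearch printed. The log sample is constructed from the lines quoted in the thread, with a second, successful bind against cn=accounts added for contrast.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample of 389-ds access log lines, modelled on the ones
# quoted in the thread; the second connection is made up for contrast.
ACCESS_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

LDAP_REFERRAL = 10  # LDAP resultCode referral(10), the err=10 seen in the log


def referral_binds(log_text):
    """Return the bind DNs whose RESULT carried err=10, i.e. binds the
    server redirected with a referral instead of authenticating.
    BIND and RESULT are matched on the (conn, op) pair."""
    pending = {}   # (conn, op) -> bind DN still awaiting its RESULT line
    flagged = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and int(m.group(3)) == LDAP_REFERRAL:
                flagged.append(dn)
    return flagged


def referral_target_dn(referral_url):
    """Extract the DN from a referral URL such as
    ldap:///uid=USER,cn=users,cn=accounts,dc=foo; per RFC 4516 the DN
    is the URL path, percent-encoded."""
    parts = urlparse(referral_url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % referral_url)
    return unquote(parts.path.lstrip("/"))


if __name__ == "__main__":
    for dn in referral_binds(ACCESS_LOG):
        print("bind answered with referral:", dn)
    print(referral_target_dn("ldap:///uid=USER,cn=users,cn=accounts,dc=foo"))
```

A clean slapi-nis >= 0.47.5 server would show err=0 for the cn=compat bind instead, so an empty result from referral_binds is the healthy state after an upgrade.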
