On Thu, 26 Mar 2015, David Beck wrote:

> This is for anyone using AIX clients with freeipa.  I have the client up
> and running just fine (No KRB5, AIX Bug); however I cannot seem to get

If you mean inability to use GSSAPI authentication against LDAP, it is not
a bug in AIX. Rather, it is a bug in CyrusSASL which is fixed in
RHEL-6.6.z. We have plans to fix RHEL 7.x too but for your situation an
update is going to help.


> the client to load the groups attributes properly.  The user's primary
> group shows up in the groups attribute from lsuser but not any
> subsequent groups the user is a member of in IPA.  In the outputs
> below, I do a lookup for IPA user 0016751 and I would expect the groups=
> attribute to match those that are listed in the "Member of Groups" from

> I experimented with the groups attribute and mapping to the memberOf
> ldap attribute in the IPAuser.map file but that hasn't changed the
> outcome.  If anyone has any pointers or advice it would be greatly

Use /var/log/dirsrv/slapd-ABC-COM/access to find out a connection
corresponding to AIX operations around your lookups and show all lines
with the same conn=<number> element.

Ideally, it would help to get a network trace between AIX and IPA LDAP
server. Given that you are not using SASL GSSAPI and SSL, it should be
easy to see what exactly is requested by AIX and returned by IPA LDAP.

/ Alexander Bokovoy
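
One way to carry out the access-log step suggested above, as an added example that is not part of the original message: find the connections opened from the AIX client's address, print every line with the same conn=<number>, and pair each search with the number of entries returned. The function names, client addresses, conn numbers and search filters are constructed for illustration and do not show what AIX actually sends.

```shell
#!/bin/sh
# Constructed sample in the 389-ds access-log layout; every value is made up.
sample_log() {
cat <<'EOF'
[26/Mar/2015:10:15:01 -0400] conn=41 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[26/Mar/2015:10:15:01 -0400] conn=41 op=0 BIND dn="" method=128 version=3
[26/Mar/2015:10:15:01 -0400] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[26/Mar/2015:10:15:02 -0400] conn=42 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[26/Mar/2015:10:15:02 -0400] conn=41 op=1 SRCH base="cn=users,cn=accounts,dc=abc,dc=com" scope=2 filter="(uid=0016751)" attrs="uid gidNumber"
[26/Mar/2015:10:15:02 -0400] conn=41 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Mar/2015:10:15:02 -0400] conn=42 op=0 SRCH base="dc=abc,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[26/Mar/2015:10:15:03 -0400] conn=41 op=2 SRCH base="cn=groups,cn=accounts,dc=abc,dc=com" scope=2 filter="(&(objectClass=posixGroup)(memberUid=0016751))" attrs="cn gidNumber"
[26/Mar/2015:10:15:03 -0400] conn=41 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/Mar/2015:10:15:03 -0400] conn=410 fd=66 slot=66 connection from 192.0.2.30 to 192.0.2.1
EOF
}

# Print the conn numbers opened from one client address.
# usage: conns_from <client-ip> < access-log
conns_from() {
    awk -v ip="$1" 'index($0, " connection from " ip " to ") { print substr($3, 6) }'
}

# Print every line of one connection. The comparison is exact, so conn=41
# does not also pick up conn=410 the way a plain grep "conn=41" would.
# usage: conn_lines <number> < access-log
conn_lines() {
    awk -v c="conn=$1" '$3 == c'
}

# For one connection, pair each SRCH filter with the nentries of its RESULT.
# usage: search_summary <number> < access-log
search_summary() {
    awk -v c="conn=$1" '
        $3 != c { next }
        $5 == "SRCH" { match($0, /filter="[^"]*"/); f[$4] = substr($0, RSTART, RLENGTH) }
        $5 == "RESULT" && ($4 in f) {
            for (i = 6; i <= NF; i++) if ($i ~ /^nentries=/) print $4, f[$4], $i
        }'
}

# Demo on the constructed sample; on a server, redirect from the real access log.
for c in $(sample_log | conns_from 192.0.2.10); do
    sample_log | conn_lines "$c"
    sample_log | search_summary "$c"
done
```

A search that comes back with nentries=0 shows which filter and base the client used for a lookup that returned nothing.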

