On Thu, Apr 02, 2015 at 02:43:59PM +0000, Guertin, David S. wrote:
> >Ah so you are using it with trust. Then you should change the configuration
> >to not use Kerberos but rather LDAP instead.
> >More details are here.
> >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
> 
> Thanks. When I ran ipa-adtrust-install on the servers, I hadn't used the 
> --enable-compat flag, so I re-ran "ipa-adtrust-install --enable-compat" on 
> all three IPA servers. I then cleared the sssd cache on the RHEL 5 client and 
> restarted sssd, but users still couldn't log in. Originally I had run 
> "ipa-advise config-redhat-sssd-before-1-9" on the server, so I tried 
> re-running that with "ipa-advise config-redhat-nss-ldap" instead, and ran the 
> resulting script on the client. Still no success -- I'm still getting the 
> same error.
> 
> The current sssd.conf file on the client is:
> 
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
> re_expression = (?P<name>.+)
> 
> [domain/default]
> cache_credentials = True
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://genet.ipa.middlebury.edu
> ldap_search_base = cn=compat,dc=ipa,dc=middlebury,dc=edu
> ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> 
> David Guertin

Can you try searching the compat tree with ldapsearch to see if an entry
turns up? IIRC you need to search for a particular entry, not for any
(i.e. not cn=*), but if you crank up the debug_level in the domain
section, then sssd should log the searches to
/var/log/sssd/sssd_default.log.
