On Fri, 03 Apr 2015, Bobby Prins wrote:
On Mar 24, 2015, at 17:11, Dmitri Pal <d...@redhat.com> wrote:

Seems like 15 sec timeout on the AIX side.
Can you try with a user that does not have that many groups and see if that 
If it does then we should assume it is an AIX side timeout and focus on making 
sure the data gets over to IPA within this timeout.
I need to do some more testing.. Did not have a lot of time today, but I tried 
to authenticate with an AD user against the compact tree using a Linux client 
with pam_ldap. I was able to log in but this would take up to a minute or so. 
I’m still waiting for my AD test account with lesser group memberships.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

So I finally found some time to do extra tests. I now have an AD
account with lesser group memberships which seems to speed up the login
process (with Linux LDAP auth against the compat tree), but still no
success on AIX. Did some more digging and it looks like AIX invalidates
the user before it even is authenticated. The output below shows the
lookup that is performed after I enter the username and press enter
(before entering the password).

[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from to
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bpr...@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0

Above there are two lookups:

- successful lookup for user bpri...@example.com
- unsuccessful lookup for user bprins

What is causing it to perform a lookup without @example.com? Compat tree
presents AD users fully qualified, it is the only way it knows to
trigger lookup via SSSD on IPA master for these users (because non-fully
qualified users are in IPA LDAP tree already and copied to compat tree
/ Alexander Bokovoy
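The pattern discussed in this thread (a successful search for the fully qualified user followed by a zero-result search for the short name on the same connection) can be picked out of a 389-ds access log automatically. The script below is an added example, not code from the thread or from FreeIPA; the log lines it parses are constructed to mirror the excerpt above, with a made-up uid in place of the real account, and the "uid" filter shape is assumed to be the posixaccount filter shown in the thread.

```python
import re

# Constructed sample lines in 389-ds access-log format (not the thread's real log;
# the uid "someuser" is a made-up placeholder).
SAMPLE_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=someuser@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=someuser))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

# One access-log line: timestamp, connection id, operation id, then the rest.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
FILTER_RE = re.compile(r'filter="(?P<filter>[^"]*)"')
UID_RE = re.compile(r'\(uid=(?P<uid>[^)]*)\)')
NENTRIES_RE = re.compile(r'nentries=(?P<n>\d+)')


def parse_operations(text):
    """Pair each SRCH with its RESULT by (conn, op).

    Returns a dict keyed by (conn, op) with the timestamp, the search filter,
    the uid extracted from the filter (None if not a uid search) and nentries.
    """
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not per-operation records
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        entry = ops.setdefault(key, {'ts': m['ts'], 'uid': None})
        if rest.startswith('SRCH'):
            fm = FILTER_RE.search(rest)
            entry['filter'] = fm['filter'] if fm else ''
            um = UID_RE.search(entry['filter'])
            entry['uid'] = um['uid'] if um else None
        elif rest.startswith('RESULT'):
            nm = NENTRIES_RE.search(rest)
            entry['nentries'] = int(nm['n']) if nm else None
    return ops


def find_unqualified_misses(ops):
    """Flag short-name searches that returned nothing right after the qualified
    form of the same name was found on the same connection.

    Returns a list of (conn, op, short_uid) tuples, in log order.
    """
    found_qualified = {}  # conn -> set of short names that resolved fully qualified
    misses = []
    for conn, op in sorted(ops):
        e = ops[(conn, op)]
        uid = e.get('uid')
        if uid is None:
            continue  # BIND or a non-uid search
        n = e.get('nentries')
        if '@' in uid:
            if n:
                found_qualified.setdefault(conn, set()).add(uid.split('@', 1)[0])
        elif n == 0 and uid in found_qualified.get(conn, set()):
            misses.append((conn, op, uid))
    return misses


if __name__ == '__main__':
    for conn, op, uid in find_unqualified_misses(parse_operations(SAMPLE_LOG)):
        print(f"conn={conn} op={op}: unqualified lookup for '{uid}' returned no entries "
              f"after the qualified name resolved")
```

Run against a real access log, a non-empty result from find_unqualified_misses points at a client that strips the realm from the name before the second lookup, which is exactly what the compat tree cannot serve for AD users; the fix then belongs on the client side rather than in IPA.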

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
