>----- Oorspronkelijk bericht -----
>Van: "Alexander Bokovoy" <aboko...@redhat.com>
>Aan: "Bobby Prins" <bobby.pr...@proxy.nl>
>Cc: d...@redhat.com, freeipa-users@redhat.com
>Verzonden: Vrijdag 3 april 2015 12:45:07
>Onderwerp: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>> On Mar 24, 2015, at 17:11, Dmitri Pal <d...@redhat.com> wrote:
>>>> Seems like 15 sec timeout on the AIX side.
>>>> Can you try with a user that does not have that many groups and see if 
>>>> that works?
>>>> If it does then we should assume it is an AIX side timeout and focus on 
>>>> making sure the data gets over to IPA within this timeout.
>>>I need to do some more testing.. Did not have a lot of time today, but I 
>>>tried to authenticate with an AD user against the compact tree using a Linux 
>>>client with pam_ldap. I was able to log in but this would take up to a 
>>>minute or so. I’m still waiting for my AD test account with lesser group 
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>So I finally found some time to do extra tests. I now have an AD
>>account with lesser group memberships which seems to speed up the login
>>process (with Linux LDAP auth against the compat tree), but still no
>>success on AIX. Did some more digging and it looks like AIX invalidates
>>the user before it even is authenticated. The output below shows the
>>lookup that is performed after I enter the username en press enter
>>(before entering the password).
>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 
>> to
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 
>>etime=0 dn=""
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH 
>>base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>filter="(&(objectClass=posixaccount)(uid=bpr...@example.corp))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH 
>>base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 
>Above there are two lookups:
>- successful lookup for user bpri...@example.com
>- unsuccessful lookup for user bprins
>What is causing to perform a lookup without @example.com? Compat tree
>presents AD users fully qualified, it is the only way it knows to
>trigger lookup via SSSD on IPA master for these users (because non-fully
>qualified users are in IPA LDAP tree already and copied to compat tree
>/ Alexander Bokovoy
This seems to be (standard?) behaviour of the AIX LDAP client. Did some more 
tests with different accounts and always see the two lookups. I doubt if I can 
influence that..

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to