On Fri, 03 Apr 2015, Bobby Prins wrote:
----- Original message -----
From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "Bobby Prins" <bobby.pr...@proxy.nl>
Cc: d...@redhat.com, freeipa-users@redhat.com
Sent: Friday, 3 April 2015 12:45:07
Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

On Fri, 03 Apr 2015, Bobby Prins wrote:
On Mar 24, 2015, at 17:11, Dmitri Pal <d...@redhat.com> wrote:

Seems like 15 sec timeout on the AIX side.
Can you try with a user that does not have that many groups and see if that 
works?
If it does then we should assume it is an AIX side timeout and focus on making 
sure the data gets over to IPA within this timeout.
I need to do some more testing. I did not have a lot of time today, but I tried
to authenticate with an AD user against the compat tree using a Linux client
with pam_ldap. I was able to log in, but this took up to a minute or so.
I'm still waiting for my AD test account with fewer group memberships.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

So I finally found some time to do extra tests. I now have an AD
account with fewer group memberships, which seems to speed up the login
process (with Linux LDAP auth against the compat tree), but still no
success on AIX. I did some more digging, and it looks like AIX invalidates
the user before it is even authenticated. The output below shows the
lookup that is performed after I enter the username and press enter
(before entering the password).

access:
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bpr...@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
Above there are two lookups:

- successful lookup for user bpri...@example.com
- unsuccessful lookup for user bprins

What is causing a lookup without @example.com to be performed? The compat tree
presents AD users fully qualified; it is the only way it knows to
trigger a lookup via SSSD on the IPA master for these users (because non-fully
qualified users are in the IPA LDAP tree already and are copied to the compat tree
automatically).
This seems to be (standard?) behaviour of the AIX LDAP client. I did some
more tests with different accounts and always see the two lookups. I
doubt I can influence that.
No, this is not standard -- I haven't seen such behavior when testing
FreeIPA with AIX last autumn.
--
/ Alexander Bokovoy
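The two lookups in the quoted access log are easy to miss by eye when a directory serves many connections. As an added example (not code from the thread or from the FreeIPA project), the script below parses 389 Directory Server access log lines in the format shown above, joins each SRCH request with its RESULT by conn/op number, and flags user searches whose uid carries no realm suffix and returned zero entries, which is exactly the AIX pattern discussed here. The log text is a constructed sample in the same shape as the quoted one; the user name aduser@example.corp is a placeholder.

```python
import re

# Constructed sample in the shape of the 389-ds access log quoted in the thread.
# The account name is a placeholder; only the structure matters.
SAMPLE_ACCESS_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

# Timestamp, connection number, optional operation number, then the rest of the line.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$'
)
# key=value pairs; quoted values may themselves contain '=' (base DN, filter).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The uid term inside a search filter.
UID_RE = re.compile(r'\(uid=([^)]+)\)', re.IGNORECASE)


def parse_access_log(text):
    """Return one dict per operation, merging the request line (BIND/SRCH)
    with its RESULT line. Operations are keyed by (conn, op); connection-open
    lines carry no op number and are skipped."""
    ops = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group('op') is None:
            continue
        key = (int(m.group('conn')), int(m.group('op')))
        rest = m.group('rest')
        kind = rest.split(' ', 1)[0]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry = ops.setdefault(key, {'conn': key[0], 'op': key[1], 'ts': m.group('ts')})
        if kind == 'RESULT':
            entry['err'] = int(fields.get('err', -1))
            entry['nentries'] = int(fields.get('nentries', 0))
            entry['etime'] = fields.get('etime')
        else:
            entry['kind'] = kind
            entry.update(fields)
    return [ops[k] for k in sorted(ops)]


def user_lookups(ops):
    """Pick out searches that look up a user by uid and record whether the
    uid was realm-qualified (contains '@') and how many entries came back."""
    out = []
    for o in ops:
        if o.get('kind') != 'SRCH':
            continue
        m = UID_RE.search(o.get('filter', ''))
        if not m:
            continue
        uid = m.group(1)
        out.append({
            'conn': o['conn'],
            'op': o['op'],
            'uid': uid,
            'qualified': '@' in uid,
            'nentries': o.get('nentries', 0),
        })
    return out


def unqualified_misses(text):
    """uids that were searched without a realm suffix and matched nothing:
    the symptom the thread describes for the AIX LDAP client."""
    return [l['uid'] for l in user_lookups(parse_access_log(text))
            if not l['qualified'] and l['nentries'] == 0]


if __name__ == '__main__':
    for lookup in user_lookups(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(lookup)
    print('unqualified misses:', unqualified_misses(SAMPLE_ACCESS_LOG))
```

Run against a real access log, the list returned by unqualified_misses() shows which clients strip the realm before searching; correlating the conn number with the "connection from" line identifies the client host.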

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
