>----- Original message -----
>From: "Alexander Bokovoy" <aboko...@redhat.com>
>To: "Bobby Prins" <bobby.pr...@proxy.nl>
>Cc: d...@redhat.com, freeipa-users@redhat.com
>Sent: Friday, 3 April 2015 14:26:17
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>ipa_server_mode
>
>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>----- Original message -----
>>>From: "Alexander Bokovoy" <aboko...@redhat.com>
>>>To: "Bobby Prins" <bobby.pr...@proxy.nl>
>>>Cc: d...@redhat.com, freeipa-users@redhat.com
>>>Sent: Friday, 3 April 2015 12:45:07
>>>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>>>ipa_server_mode
>>>
>>>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>access:
>>>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 
>>>>192.168.140.107 to 192.168.140.133
>>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 
>>>>etime=0 dn=""
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH 
>>>>base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>>>filter="(&(objectClass=posixaccount)(uid=bpr...@example.corp))" attrs=ALL
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 
>>>>etime=0
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH 
>>>>base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 
>>>>filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 
>>>>etime=0
>>>Above there are two lookups:
>>>
>>>- successful lookup for user bpri...@example.com
>>>- unsuccessful lookup for user bprins
>>>
>>>What is causing a lookup without @example.com to be performed? The compat
>>>tree presents AD users fully qualified; it is the only way it knows to
>>>trigger a lookup via SSSD on the IPA master for these users (because
>>>non-fully-qualified users are in the IPA LDAP tree already and are copied
>>>to the compat tree automatically).
>>This seems to be (standard?) behaviour of the AIX LDAP client. I did some
>>more tests with different accounts and always see the two lookups. I
>>doubt I can influence that...
>No, this is not standard -- I haven't seen such behavior when testing
>FreeIPA with AIX last autumn.
>-- 
>/ Alexander Bokovoy
OK, with the idsldap client software and an AD trust configured? This is on 
AIX 7.1. I'm spinning up an AIX 5.3 machine now for another test. Might try 
AIX 6.1 as well. What works is creating the user object in FreeIPA so the lookup 
succeeds. After that I can authenticate successfully against AD. Not the 
solution I'm looking for though.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
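The diagnosis in this thread rests on reading the 389-ds access log by hand: pairing each SRCH with its RESULT on the same conn/op and noticing that the fully-qualified AD lookup returns nentries=1 while the unqualified retry of the same name returns nentries=0. The script below automates that check so the pattern can be confirmed across many connections instead of one. It is an added example, not code from the thread, from FreeIPA or from 389-ds; the regular expressions follow the log format visible in the quoted lines, and the sample log is constructed from those lines (uid unredacted as an assumption). Function names such as `parse_searches` and `find_unqualified_retries` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds access-log format quoted in the thread:
# one connection, a fully qualified AD user found in the compat tree, then
# an unqualified retry of the same short name that matches nothing.
SAMPLE_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

# SRCH and RESULT lines share conn= and op=, which is how 389-ds lets a
# reader tie a search to its outcome.
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)'
)
UID_RE = re.compile(r'\(uid=([^)]+)\)')


def parse_searches(log_text):
    """Pair every SRCH with its RESULT by (conn, op); return completed searches
    in log order, each with the uid pulled out of the filter."""
    pending = {}
    done = []
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            um = UID_RE.search(m['filter'])
            pending[(m['conn'], m['op'])] = {
                'conn': int(m['conn']), 'op': int(m['op']),
                'base': m['base'], 'filter': m['filter'],
                'uid': um.group(1) if um else None,
            }
            continue
        m = RESULT_RE.match(line)
        if m:
            rec = pending.pop((m['conn'], m['op']), None)
            if rec is None:
                continue  # RESULT of a BIND or other non-SRCH op
            rec['err'] = int(m['err'])
            rec['nentries'] = int(m['n'])
            done.append(rec)
    return done


def find_unqualified_retries(searches):
    """Within one connection, report an unqualified uid lookup that follows a
    fully qualified lookup of the same short name and returned no entries.
    Returns a list of (fully_qualified_search, unqualified_search) pairs."""
    by_conn = defaultdict(list)
    for s in searches:
        by_conn[s['conn']].append(s)
    retries = []
    for items in by_conn.values():
        items.sort(key=lambda s: s['op'])
        seen_fq = {}  # short name -> fully qualified search record
        for s in items:
            uid = s['uid']
            if not uid:
                continue
            if '@' in uid:
                seen_fq[uid.split('@', 1)[0].lower()] = s
            elif uid.lower() in seen_fq and s['nentries'] == 0:
                retries.append((seen_fq[uid.lower()], s))
    return retries


if __name__ == '__main__':
    for fq, short in find_unqualified_retries(parse_searches(SAMPLE_LOG)):
        print(f"conn={fq['conn']}: op={fq['op']} uid={fq['uid']} "
              f"nentries={fq['nentries']} -> op={short['op']} "
              f"uid={short['uid']} nentries={short['nentries']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; every connection it reports is a client that sent both forms of the name, which is the behaviour Bobby sees from the AIX client and Alexander does not expect.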