Alex/Group ---
I’ve implemented the ipa-advise script and authentication worked as expected on 
the legacy 5.5 client.  Although, I continue to get closer, another bump in the 
road here.  Anyone experienced this error and could provide some areas to 
review to correct it?  Please advise – Thanks for the continual help here !!

$ passwd
Changing password for user pmoss.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
Pre-Encoded passwords are not valid

passwd: Permission denied

[] On Behalf Of Jeffrey Stormshak
Sent: Tuesday, November 24, 2015 4:40 PM
To: Alexander Bokovoy
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Alex -
Thank you for the details!!

For right now, I’m using the IPA Server as a standalone Linux domain 
controller/server without any AD integration.  This allows testing to prove 
that this could work with a large number of 5.5 clients in the enterprise to 

On the question being proposed …
You haven't answered earlier when people asked whether you are using
cn=compat tree because you need to get information about Active
Directory users or not.

Yes.  I’m trying to achieve full integration with AD but I’m only at the point 
where I started testing this in a standalone Linux mode.  I was trying to see 
if these legacy 5.5 clients were even possible to configure and to work here as 

I’ll review the IPA tools for better understanding here.

Jeffrey Stormshak, RHCSA | Sr. Linux Engineer
Platform Systems | IT Operations Infrastructure
CCC Information Services, Inc.
Phone: (312) 229-2552

From: Alexander Bokovoy <<>>
Date: Tuesday, November 24, 2015 at 7:57 AM
To: Jeffrey Stormshak <<>>
Cc: Jakub Hrozek <<>>, Rob 
Crittenden <<>>, 
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

On Tue, 24 Nov 2015, Jeffrey Stormshak wrote:
I went to review the ‘ip_provider’ and that looks like a ‘sssd.conf’
setting.  The sssd RPM isn’t located on the 5.5 clients; nor is it in
the YUM Channels for 5.5 base and 5.5 patch.  So is the recommendation
here to find any 5.X version of sssd RPM and use that for this
configuration?  Sorry, being a newbie on this product realistically
isn’t helping here I’m sure …

The ipa-advise, is that part of the ipa-client RPM?  That too, doesn’t
exist on the 5.5 distribution as well.  Even the version required to
fix the openssl only worked with the 5.7 base version.  Am I complete
doomed for 5.5?  Cards are stacked for sure.  Nonetheless …
ipa-advise is a tool on IPA server that provides recipes how to
configure different clients for a typical scenarios involving trust to

Read the manual for the tool to get more information.

For legacy clients where there is no recent enough SSSD to support trust
to AD natively, ipa-advise recommends using schema compatibility plugin
to expose both IPA and AD users under same LDAP tree. This is what you
see in cn=users,cn=compat,dc=example,dc=com. If you see cn=compat in the
LDAP base DN, you know you are looking into the compatibility tree.

Compatibility tree is handled by a special plugin which combines data
from the primary IPA tree (cn=accounts,dc=example,dc=com) and from SSSD
on IPA server. It also exposes ou=SUDOers subtree to allow SUDO
application to work with sudo rules stored in IPA LDAP (they are not in
the same format as SUDO itself expects, thus _compatibility_ subtree).

I feel so close though…  Auth and Sudo works on 5.5 but something as
simple as users changing passwords seems so simple to provide?
Finally, password changes are not supported in cn=compat subtree. This
is simply not implemented by schema compatibility plugin.

You haven't answered earlier when people asked whether you are using
cn=compat tree because you need to get information about Active
Directory users or not. If you don't need integration with Active
Directory, change LDAP base DN in your configuration to
cn=accounts,dc=example,dc=com, to point your clients to the primary IPA
subtree where all users and groups are available. That subtree is the
main one and we do support password changes for DNs in it.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to