Here are the results for that aci search using a non-GSSAPI bind by Directory 
Manager on the old master that we are attempting to join against.  I don't see 
anything in this list that would indicate that some users should or should not 
have access through a certain method (note that the output below contains no 
aci values at all: aci is an operational attribute, so ldapsearch only returns 
it when it is named explicitly after the filter).  Unless one of those sasl 
config settings is doing it?

[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b 
"cn=config" "(aci=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: ALL
#

# config
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig
nsslapd-backendconfig: cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=confi
 g
nsslapd-backendconfig: cn=config,cn=changelog,cn=ldbm database,cn=plugins,cn=c
 onfig
nsslapd-betype: ldbm database
nsslapd-privatenamespaces: cn=schema
nsslapd-privatenamespaces:
nsslapd-privatenamespaces: cn=monitor
nsslapd-privatenamespaces: cn=config
nsslapd-plugin: cn=binary syntax,cn=plugins,cn=config
nsslapd-plugin: cn=bit string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=boolean syntax,cn=plugins,cn=config
nsslapd-plugin: cn=case exact string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=case ignore string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=country string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=delivery method syntax,cn=plugins,cn=config
nsslapd-plugin: cn=distinguished name syntax,cn=plugins,cn=config
nsslapd-plugin: cn=enhanced guide syntax,cn=plugins,cn=config
nsslapd-plugin: cn=facsimile telephone number syntax,cn=plugins,cn=config
nsslapd-plugin: cn=fax syntax,cn=plugins,cn=config
nsslapd-plugin: cn=generalized time syntax,cn=plugins,cn=config
nsslapd-plugin: cn=guide syntax,cn=plugins,cn=config
nsslapd-plugin: cn=integer syntax,cn=plugins,cn=config
nsslapd-plugin: cn=jpeg syntax,cn=plugins,cn=config
nsslapd-plugin: cn=name and optional uid syntax,cn=plugins,cn=config
nsslapd-plugin: cn=numeric string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=octet string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=oid syntax,cn=plugins,cn=config
nsslapd-plugin: cn=postal address syntax,cn=plugins,cn=config
nsslapd-plugin: cn=printable string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=telephone syntax,cn=plugins,cn=config
nsslapd-plugin: cn=teletex terminal identifier syntax,cn=plugins,cn=config
nsslapd-plugin: cn=telex number syntax,cn=plugins,cn=config
nsslapd-plugin: cn=octetstringmatch,cn=plugins,cn=config
nsslapd-plugin: cn=octetstringorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=bitstringmatch,cn=plugins,cn=config
nsslapd-plugin: cn=bitwise plugin,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactia5match,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactsubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactia5substringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=generalizedtimematch,cn=plugins,cn=config
nsslapd-plugin: cn=generalizedtimeorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=booleanmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoreia5match,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoreia5substringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignorematch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoreorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoresubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignorelistmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignorelistsubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=objectidentifiermatch,cn=plugins,cn=config
nsslapd-plugin: cn=directorystringfirstcomponentmatch,cn=plugins,cn=config
nsslapd-plugin: cn=objectidentifierfirstcomponentmatch,cn=plugins,cn=config
nsslapd-plugin: cn=distinguishednamematch,cn=plugins,cn=config
nsslapd-plugin: cn=integermatch,cn=plugins,cn=config
nsslapd-plugin: cn=integerorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=integerfirstcomponentmatch,cn=plugins,cn=config
nsslapd-plugin: cn=internationalization plugin,cn=plugins,cn=config
nsslapd-plugin: cn=uniquemembermatch,cn=plugins,cn=config
nsslapd-plugin: cn=numericstringmatch,cn=plugins,cn=config
nsslapd-plugin: cn=numericstringorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=numericstringsubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=telephonenumbermatch,cn=plugins,cn=config
nsslapd-plugin: cn=telephonenumbersubstringsmatch,cn=plugins,cn=config
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config:nsslapd-ldapifilepath
nsslapd-requiresrestart: cn=config:nsslapd-ldapilisten
nsslapd-requiresrestart: cn=config:nsslapd-workingdir
nsslapd-requiresrestart: cn=config:nsslapd-plugin
nsslapd-requiresrestart: cn=config:nsslapd-sslclientauth
nsslapd-requiresrestart: cn=config:nsslapd-changelogdir
nsslapd-requiresrestart: cn=config:nsslapd-changelogsuffix
nsslapd-requiresrestart: cn=config:nsslapd-changelogmaxentries
nsslapd-requiresrestart: cn=config:nsslapd-changelogmaxage
nsslapd-requiresrestart: cn=config:nsslapd-db-locks
nsslapd-requiresrestart: cn=config:nsslapd-maxdescriptors
nsslapd-requiresrestart: cn=config:nsslapd-return-exact-case
nsslapd-requiresrestart: cn=config:nsslapd-schema-ignore-trailing-spaces
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-idlistscanlimit
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-parentcheck
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-dbcachesize
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-dbncache
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-cachesize
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-plugin
nsslapd-requiresrestart: cn=encryption,cn=config:nssslsessiontimeout
nsslapd-requiresrestart: cn=encryption,cn=config:nssslclientauth
nsslapd-requiresrestart: cn=encryption,cn=config:nsssl2
nsslapd-requiresrestart: cn=encryption,cn=config:nsssl3
nsslapd-auditlog-mode: 600
nsslapd-auditlog-logrotationsync-enabled: off
nsslapd-auditlog-logrotationsynchour: 0
nsslapd-auditlog-logrotationsyncmin: 0
nsslapd-auditlog-logrotationtime: 1
nsslapd-accesslog-mode: 600
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-errorlog-level: 16384
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-mode: 600
nsslapd-errorlog-logexpirationtime: 1
nsslapd-accesslog-logging-enabled: on
nsslapd-port: 389
nsslapd-workingdir: /var/log/dirsrv/slapd-DEV-mydomain-NET
nsslapd-maxthreadsperconn: 5
nsslapd-accesslog-logexpirationtime: 1
nsslapd-localuser: dirsrv
nsslapd-errorlog-logrotationsync-enabled: off
nsslapd-errorlog-logrotationsynchour: 0
nsslapd-errorlog-logrotationsyncmin: 0
nsslapd-errorlog-logrotationtime: 1
passwordInHistory: 6
passwordUnlock: on
passwordGraceLimit: 0
nsslapd-accesslog-logrotationsync-enabled: off
nsslapd-accesslog-logrotationsynchour: 0
nsslapd-accesslog-logrotationsyncmin: 0
nsslapd-accesslog-logrotationtime: 1
passwordMustChange: off
nsslapd-pwpolicy-local: off
nsslapd-auditlog-logmaxdiskspace: 100
nsslapd-sizelimit: 2000
nsslapd-auditlog-maxlogsize: 100
passwordWarning: 86400
nsslapd-readonly: off
nsslapd-sasl-mapping-fallback: on
nsslapd-threadnumber: 30
passwordLockout: off
nsslapd-enquote-sup-oc: off
nsslapd-localhost: dc2-ipa-dev-nvan.dev-mydomain.net
nsslapd-ioblocktimeout: 1800000
nsslapd-max-filter-nest-level: 40
nsslapd-errorlog-logmaxdiskspace: 100
passwordMinLength: 8
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 3
passwordMinTokenLength: 3
nsslapd-errorlog: /var/log/dirsrv/slapd-DEV-mydomain-NET/errors
nsslapd-auditlog-logexpirationtime: 1
nsslapd-schemacheck: on
nsslapd-schemamod: on
nsslapd-syntaxcheck: on
nsslapd-syntaxlogging: off
nsslapd-dn-validate-strict: off
nsslapd-ds4-compatible-schema: off
nsslapd-schema-ignore-trailing-spaces: off
nsslapd-schemareplace: replication-only
nsslapd-accesslog-logmaxdiskspace: 500
passwordMaxFailure: 3
nsslapd-accesslog: /var/log/dirsrv/slapd-DEV-mydomain-NET/access
nsslapd-lastmod: on
nsslapd-security: on
passwordMaxAge: 8640000
nsslapd-auditlog-logrotationtimeunit: day
passwordResetFailureCount: 600
passwordIsGlobalPolicy: off
passwordLegacyPolicy: on
passwordTrackUpdateTime: off
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-errorlog-logexpirationtimeunit: month
nsslapd-groupevalnestlevel: 0
nsslapd-accesslog-logexpirationtimeunit: month
nsslapd-rootpw: {SSHA}dVkYQwrJNWRuX/ErfQCCtcEE1pOjkpm8sIUgDw==
passwordChange: on
nsslapd-accesslog-level: 256
nsslapd-errorlog-logrotationtimeunit: week
nsslapd-securePort: 636
nsslapd-certmap-basedn:
nsslapd-timelimit: 3600
nsslapd-errorlog-maxlogsize: 100
nsslapd-reservedescriptors: 64
nsslapd-svrtab:
passwordExp: off
nsslapd-accesscontrol: on
nsslapd-accesslog-logrotationtimeunit: day
passwordLockoutDuration: 3600
nsslapd-accesslog-maxlogsize: 100
nsslapd-idletimeout: 0
nsslapd-nagle: on
nsslapd-errorlog-logminfreediskspace: 5
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-logging-hide-unhashed-pw: on
nsslapd-accesslog-logbuffering: on
nsslapd-csnlogging: on
nsslapd-auditlog-logexpirationtimeunit: month
nsslapd-allow-hashed-passwords: on
passwordCheckSyntax: off
nsslapd-listenhost:
nsslapd-snmp-index: 0
nsslapd-ldapifilepath: /var/run/slapd-DEV-mydomain-NET.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
nsslapd-anonlimitsdn: cn=anonymous-limits,cn=etc,dc=dev-mydomain,dc=net
nsslapd-counters: on
nsslapd-accesslog-logminfreediskspace: 5
nsslapd-errorlog-maxlogsperdir: 2
nsslapd-securelistenhost:
nsslapd-auditlog-logminfreediskspace: 5
nsslapd-rootdn: cn=Directory Manager
passwordMinAge: 0
nsslapd-auditlog: /var/log/dirsrv/slapd-DEV-mydomain-NET/audit
nsslapd-return-exact-case: on
nsslapd-result-tweak: off
nsslapd-plugin-binddn-tracking: off
nsslapd-moddn-aci: on
nsslapd-attribute-name-exceptions: off
nsslapd-maxbersize: 209715200
nsslapd-maxsasliosize: 2097152
nsslapd-versionstring: 389-Directory/1.3.4.5
nsslapd-referralmode:
nsslapd-maxdescriptors: 8192
nsslapd-conntablesize: 8192
nsslapd-SSLclientAuth: allowed
nsslapd-config: cn=config
nsslapd-instancedir: /var/lib/dirsrv/scripts-DEV-mydomain-NET
nsslapd-schemadir: /etc/dirsrv/slapd-DEV-mydomain-NET/schema
nsslapd-lockdir: /var/lock/dirsrv/slapd-DEV-mydomain-NET
nsslapd-tmpdir: /tmp
nsslapd-certdir: /etc/dirsrv/slapd-DEV-mydomain-NET
nsslapd-ldifdir: /var/lib/dirsrv/slapd-DEV-mydomain-NET/ldif
nsslapd-bakdir: /var/lib/dirsrv/slapd-DEV-mydomain-NET/bak
nsslapd-saslpath:
nsslapd-rundir: /var/run/dirsrv
nsslapd-rewrite-rfc1274: off
nsslapd-outbound-ldap-io-timeout: 300000
nsslapd-allow-unauthenticated-binds: off
nsslapd-require-secure-binds: off
nsslapd-allow-anonymous-access: on
nsslapd-localssf: 71
nsslapd-minssf: 0
nsslapd-minssf-exclude-rootdse: on
nsslapd-force-sasl-external: off
nsslapd-entryusn-global: on
nsslapd-entryusn-import-initval: next
nsslapd-allowed-to-delete-attrs: passwordadmindn nsslapd-listenhost nsslapd-se
 curelistenhost nsslapd-defaultnamingcontext
nsslapd-validate-cert: warn
nsslapd-pagedsizelimit: 0
nsslapd-defaultnamingcontext: dc=dev-mydomain,dc=net
nsslapd-disk-monitoring: off
nsslapd-disk-monitoring-threshold: 2097152
nsslapd-disk-monitoring-grace-period: 60
nsslapd-disk-monitoring-logging-critical: off
nsslapd-ndn-cache-enabled: on
nsslapd-ndn-cache-max-size: 20971520
nsslapd-allowed-sasl-mechanisms:
nsslapd-ignore-virtual-attrs: off
nsslapd-unhashed-pw-switch: on
nsslapd-sasl-max-buffer-size: 2097152
nsslapd-search-return-original-type-switch: off
nsslapd-enable-turbo-mode: on
nsslapd-connection-buffer: 1
nsslapd-connection-nocanon: on
nsslapd-plugin-logging: off
nsslapd-listen-backlog-size: 128
nsslapd-dynamic-plugins: off
nsslapd-cn-uses-dn-syntax-in-dns: off
nsslapd-malloc-mxfast: -10
nsslapd-malloc-trim-threshold: -10
nsslapd-malloc-mmap-threshold: -10
nsslapd-ignore-time-skew: off
nsslapd-global-backend-lock: off
nsslapd-maxsimplepaged-per-conn: -1
nsslapd-enable-nunc-stans: off
passwordStorageScheme: SSHA
passwordAdminDN:
nsslapd-rootpwstoragescheme: SSHA
nsslapd-errorlog-list:
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160121-071658
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160121-022556
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160120-191523
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160120-091819
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160120-021415
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160119-165941
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160119-065036
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160119-023133
nsslapd-accesslog-list: 
/var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160118-205128
nsslapd-auditlog-list:
nsslapd-ssl-check-hostname: on
nsslapd-hash-filters: off

# mapping tree, config
dn: cn=mapping tree,cn=config
cn: mapping tree
objectClass: top
objectClass: extensibleObject

# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP

# tasks, config
dn: cn=tasks,cn=config
cn: tasks
objectClass: top
objectClass: extensibleObject

# csusers, config
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9

# dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: dc=dev-mydomain,dc=net
cn: "dc=dev-mydomain,dc=net"
nsslapd-backend: userRoot
nsslapd-referral: 
ldap://dc1-ipa-dev-van.dev-mydomain.net:389/dc%3Ddev-mydomain%2Cdc%3Dnet
nsslapd-referral: 
ldap://dc1-ipa-dev-nvan.dev-mydomain.net:389/dc%3Ddev-mydomain%2Cdc%3Dnet
nsslapd-state: backend
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
cn: o=ipaca
nsslapd-backend: ipaca
nsslapd-referral: ldap://dc1-ipa-dev-nvan.dev-mydomain.net:389/o%3Dipaca
nsslapd-referral: ldap://dc1-ipa-dev-van.dev-mydomain.net:389/o%3Dipaca
nsslapd-state: Backend
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
cn: ldbm database
nsslapd-plugin-depends-on-type: Syntax
nsslapd-plugin-depends-on-type: matchingRule
nsslapd-pluginDescription: high-performance LDAP backend database plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: ldbm-backend
nsslapd-pluginInitfunc: ldbm_back_init
nsslapd-pluginPath: libback-ldbm
nsslapd-pluginType: database
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.4.5
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=dev-mydomain,dc=net
dnaFilter: 
(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=dev-mydomain,dc=net
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dev-mydomain,dc=net
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: userRoot
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
nsslapd-suffix: dc=dev-mydomain,dc=net
nsslapd-cachesize: -1
nsslapd-cachememsize: 10485760
nsslapd-readonly: off
nsslapd-require-index: off
nsslapd-directory: /var/lib/dirsrv/slapd-DEV-mydomain-NET/db/userRoot
nsslapd-dncachememsize: 10485760

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 12


-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: January-21-16 7:29 AM
To: Nathan Peters; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

On 01/21/2016 12:50 AM, Nathan Peters wrote:
> I don't know if this makes a difference too, but I performed the same checks 
> on a different completely working and joined FreeIPA master, against other 
> masters, and even against itself directly.
>
> It seems that no account, no keytab, and no host can see that mapping tree 
> branch no matter who they search from or against if GSSAPI is used.
>
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
> Sent: January-20-16 11:41 PM
> To: Rich Megginson; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails 
> with DuplicateEntry: This entry already exists
>
> All checks below were performed from the host we are trying to turn 
> into a replica, and they were performed against the master whose logs I 
> also show.
>
> The first check was to kinit admin and try the search.  Surprisingly, the 
> GSSAPI bind returns no results when we search that.  In my previous email you 
> can see that the standard bind gets a result as admin for that search.
>
> Next, I tried as the host by kinit with its keytab.  Same result, nothing 
> back.
>
> Finally I tried as my own personal admin user.  Same result, nothing back.
>
> For good measure, I tried a broad search against the base 
> "cn=mydomain,cn=net" as each user as well and I'll spare you the ten thousand 
> lines of screenshot but the results were as expected, several thousand 
> entries in that tree.
> Although the output differed slightly.  This is the total as admin or 
> my personal user # numResponses: 3372 # numEntries: 3371
>
> and this is the total as the host keytab account
>
> # numResponses: 3371
> # numEntries: 3370
>
> To be even more thorough, I did searches farther and farther up the config 
> tree using GSSAPI until I found something.  The only thing that is visible 
> through GSSAPI searches is the base of the config tree.  Even the mapping 
> tree branch doesn't seem to be visible.
>
> At the very bottom of this email are the results of the search against 
> cn=config directly as the attempted new replica and as admin.  Admin gets 
> about 50 results and the host only gets about 30 for some reason.  I get the 
> same results as admin on my personal account, so I've excluded those.
>
> So if I got all that right I was able to determine that only the base of the 
> config tree is available using GSSAPI for any account, users for some reason 
> get slightly more results than hosts, and all accounts can see the 
> dc=mydomain,dc=net tree just fine using GSSAPI.
>
> So does that help shed some light on what the cause of this might be or why 
> the server is not answering as expected?
>
> Is there some way I can adjust this so everyone can see the results they do 
> using regular binds as they do using GSSAPI binds ?
>
> Is there some way I can check ACLS on stuff ?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html

Note: There is a bug in the docs.  You have to also specify the suffix e.g. "-b 
cn=config", and make sure the search filter is quoted e.g. 
'(aci=*)'

If it is not aci related, I have no idea why you would get different results 
depending on if you did a simple bind vs. a gssapi bind with the same user that 
mapped to the same bind DN.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
