Hello Rob

2016-05-18 16:21 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Alexander Skwar wrote:
>> Hello Rob
>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Alexander Skwar wrote:

>> Important parts here:
>> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
>> 48 - Inappropriate Authentication]
>> I suppose, the "tech" user doesn't have the sufficient rights.
> Is your user "tech?" It doesn't appear to be though this logging leaves much
> to be desired.

Well, according to the howto, I created a user with "DN:
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also
what I configured as the „Technical user DN“ in my appliance (→

The password is correct. I double checked. On the IPA server, I can do:

local@bbva-auth01-prod ~ % ldapsearch -x -D
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
# extended LDIF
# LDAPv3
# base <dc=hydrus,dc=intern> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# computers, compat, hydrus.intern
dn: cn=computers,cn=compat,dc=hydrus,dc=intern

> LDAP err 48 means a bind was tried using a bad mechanism, like trying to do
> a simple bind when stronger auth is required, for example. Or you try to
> bind with a user that has no password.


> What is confusing to me is that the DN doesn't include uid=system, so it may
> be a configuration error on your part.

I bet that this will eventually be the reason :)

Hmm… Yes, that's indeed confusing. Playing a bit with the appliance,
it was indeed a configuration error on my part. The Bind DN was set

After fixing this, everything is working :)

Thanks a lot, that was indeed a helpful hint!

>> What would be good ACIs to grant read access to
>> cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?
> This is not the problem.

And that was also quite helpful. I was looking there, and thus in the
wrong direction.

Thanks again,

=>        Google+ => http://plus.skwar.me         <==
=> Chat (Jabber/Google Talk) => a.sk...@gmail.com <==

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to