On su, 12 maalis 2017, Robert Johnson wrote:
Sorry I should have given some more information. We are trying to allow the
user's from the trusted windows domain to login to the Solaris client and
the only way I have found to have this work is by using the
cn=compat,$SUFFIX for the passwd as this will force the ldap client to to
use the slapi plugin on the ipa server.  This required using ldapclient
manual on the solaris system instead of the default profile (which uses
cn=accounts for passwd).

ldapclient list for default profile shows: (supports IPA users just fine)
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,$SUFFIX
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX

ldaplist list for my manual profile shows: (supports windows users just
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,$SUFFIX
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX

What we were trying to do is also allow IPA created user's to login to the
Solaris client in addition to the windows user's.  This is where I started
to run into problems with the pam_ldap module as it was detecting the
duplicate entries from the "bug" above.
Thanks for the details.

So, why don't you set NS_LDAP_SEARCH_BASEDN = cn=compat,$SUFFIX?

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to