On Sun, Mar 12, 2017 at 4:45 PM, Alexander Bokovoy <aboko...@redhat.com>

> On su, 12 maalis 2017, Robert Johnson wrote:
>> Sorry I should have given some more information. We are trying to allow
>> the
>> user's from the trusted windows domain to login to the Solaris client and
>> the only way I have found to have this work is by using the
>> cn=compat,$SUFFIX for the passwd as this will force the ldap client to to
>> use the slapi plugin on the ipa server.  This required using ldapclient
>> manual on the solaris system instead of the default profile (which uses
>> cn=accounts for passwd).
>> ex:
>> ldapclient list for default profile shows: (supports IPA users just fine)
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,$SUFFIX
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>> ldaplist list for my manual profile shows: (supports windows users just
>> fine)
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,$SUFFIX
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>> What we were trying to do is also allow IPA created user's to login to the
>> Solaris client in addition to the windows user's.  This is where I started
>> to run into problems with the pam_ldap module as it was detecting the
>> duplicate entries from the "bug" above.
> Thanks for the details.
> So, why don't you set NS_LDAP_SEARCH_BASEDN = cn=compat,$SUFFIX?
> --
> / Alexander Bokovoy

I tried that and I still see the same issue. I believe the problem is that
the duplicate entries are located in the cn=users,cn=compat tree.  The ldap
client on the Solaris system isn't seeing any of the user's in the
cn=accounts tree.  I think this is all related to the bug above because
when I preform the ldapsearch on the compat tree, I am seeing double
entries for my ipa' users.

Thank you for the suggestions.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to