On Sun, Mar 12, 2017 at 4:45 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On su, 12 maalis 2017, Robert Johnson wrote: > >> Sorry I should have given some more information. We are trying to allow >> the >> user's from the trusted windows domain to login to the Solaris client and >> the only way I have found to have this work is by using the >> cn=compat,$SUFFIX for the passwd as this will force the ldap client to to >> use the slapi plugin on the ipa server. This required using ldapclient >> manual on the solaris system instead of the default profile (which uses >> cn=accounts for passwd). >> >> ex: >> ldapclient list for default profile shows: (supports IPA users just fine) >> NS_LDAP_SEARCH_BASEDN= $SUFFIX >> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,$SUFFIX >> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX >> >> ldaplist list for my manual profile shows: (supports windows users just >> fine) >> NS_LDAP_SEARCH_BASEDN= $SUFFIX >> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,$SUFFIX >> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX >> >> What we were trying to do is also allow IPA created user's to login to the >> Solaris client in addition to the windows user's. This is where I started >> to run into problems with the pam_ldap module as it was detecting the >> duplicate entries from the "bug" above. >> > Thanks for the details. > > So, why don't you set NS_LDAP_SEARCH_BASEDN = cn=compat,$SUFFIX? > > > -- > / Alexander Bokovoy > I tried that and I still see the same issue. I believe the problem is that the duplicate entries are located in the cn=users,cn=compat tree. The ldap client on the Solaris system isn't seeing any of the user's in the cn=accounts tree. I think this is all related to the bug above because when I preform the ldapsearch on the compat tree, I am seeing double entries for my ipa' users. Thank you for the suggestions.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project