On su, 12 maalis 2017, Robert Johnson wrote:
On Sun, Mar 12, 2017 at 4:45 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

On su, 12 maalis 2017, Robert Johnson wrote:

Sorry I should have given some more information. We are trying to allow
the
user's from the trusted windows domain to login to the Solaris client and
the only way I have found to have this work is by using the
cn=compat,$SUFFIX for the passwd as this will force the ldap client to to
use the slapi plugin on the ipa server.  This required using ldapclient
manual on the solaris system instead of the default profile (which uses
cn=accounts for passwd).

ex:
ldapclient list for default profile shows: (supports IPA users just fine)
NS_LDAP_SEARCH_BASEDN= $SUFFIX
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,$SUFFIX
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX

ldaplist list for my manual profile shows: (supports windows users just
fine)
NS_LDAP_SEARCH_BASEDN= $SUFFIX
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,$SUFFIX
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX

What we were trying to do is also allow IPA created user's to login to the
Solaris client in addition to the windows user's.  This is where I started
to run into problems with the pam_ldap module as it was detecting the
duplicate entries from the "bug" above.

Thanks for the details.

So, why don't you set NS_LDAP_SEARCH_BASEDN = cn=compat,$SUFFIX?


I tried that and I still see the same issue. I believe the problem is that
the duplicate entries are located in the cn=users,cn=compat tree.  The ldap
client on the Solaris system isn't seeing any of the user's in the
cn=accounts tree.  I think this is all related to the bug above because
when I preform the ldapsearch on the compat tree, I am seeing double
entries for my ipa' users.
I'm lost here: if you set NS_LDAP_SEARCH_BASEDN and other bases to
cn=compat,$SUFFIX only, your Solaris client sees duplicate entries in
cn=compat,$SUFFIX?

Sorry, it would really help if you be more detailed in your
explanations. If you are setting up Solaris LDAP client to always look
into cn=compat,$SUFFIX, then how cn=accounts,$SUFFIX is being searched?

Can you show 389-ds access log entries that demonstrate these searches?

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to