[Freeipa-users] Re: Failed to retrieve entry 32

2017-07-06 Thread Rob Crittenden via FreeIPA-users
wenxing zheng wrote:
> Thanks to Rob.
> 
> We finally got the root cause, it's a bug in the application. Our LDAP
> URL or DN is too long which triggered a bug in the JDK Properties. Java
> Properties doesn't allow the value to be longer than 47, and if the
> length is longer than 47, it will truncate the value and append the
> "..." at the end.

Glad you figured it out. I had assumed the ellipses were you obfuscating
the domain name :-)

rob

> 
> On Thu, Jul 6, 2017 at 1:33 AM, Rob Crittenden wrote:
> 
> wenxing zheng via FreeIPA-users wrote:
> > Dear all,
> >
> > I met with an issue when doing the LDAP authentication on the Kylin. My
> > FreeIPA works with Ranger very well, but on Kylin, when binding the DN
> > with the admin, it failed to connect to the LDAP server:
> >
> > [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> > line 756]: Failed to retrieve entry
> > "uid=admin,cn=users,cn=accounts,dc=dat...": 32
> > [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> > line 756]: Failed to retrieve entry
> > "uid=admin,cn=users,cn=accounts,dc=dat...": 32
> 
> I don't know what either Kylin or Ranger are. The only advice I can
> suggest is to ensure the whole DN is correct (the dc= bits). The plugin
> is just trying to fetch the entry that is doing the BIND. My memory is
> fuzzy on the ordering of the plugins, it's possible that the bind hasn't
> been authenticated yet at this point, I'm not sure.
> 
> You should be able to test on the command-line which might make this
> easier:
> 
> $ ldapsearch -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -W -b uid=admin,cn=users,cn=accounts,dc=example,dc=com
> 
> rob
> 
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
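
Added example, not part of the original thread: a small scan of the directory server error log for the ipalockout_preop message quoted above, flagging result-32 lookups whose DN arrived cut off or malformed rather than merely absent. The function names and the sample lines are assumptions; the first sample line is the thread's log line unwrapped, the others are constructed.

```python
import re

NO_SUCH_OBJECT = 32  # LDAP result code 32 (RFC 4511): entry does not exist

# Matches the ipalockout_preop error quoted in the thread, on one log line.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+ipalockout_preop\s+-\s+.*?'
    r'Failed to retrieve entry\s+"(?P<dn>[^"]*)":\s*(?P<rc>\d+)\s*$'
)
# Simplified RDN shape, type=value. Escaped commas and multi-valued RDNs
# are not handled (assumption made to keep the example short).
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^=,]+$')

PREFIX = ('[05/Jul/2017:11:16:32 +0800] ipalockout_preop - '
          '[file ipa_lockout.c, line 756]: Failed to retrieve entry ')
# Constructed sample input: line 1 is the thread's message, 2-4 are made up.
SAMPLE_LOG = [
    PREFIX + '"uid=admin,cn=users,cn=accounts,dc=dat...": 32',
    PREFIX + '"uid=admin,cn=users,cn=accounts,dc=example,dc=com": 32',
    PREFIX + '"uid=admin,cn=users,cn=accounts,dc": 32',
    '[05/Jul/2017:11:16:33 +0800] some_other_plugin - unrelated message',
]


def dn_problems(dn):
    """Return reasons the DN looks mangled by the client, [] if it looks sane."""
    problems = []
    if dn.endswith(("...", "\u2026")):
        problems.append("truncated")
    for rdn in (part.strip() for part in dn.split(",")):
        if not RDN_RE.match(rdn):
            problems.append("malformed-rdn:" + rdn)
    return problems


def scan(lines):
    """Yield-style list of (timestamp, dn, problems) for result-32 lookups."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m.group("rc")) == NO_SUCH_OBJECT:
            dn = m.group("dn")
            findings.append((m.group("ts"), dn, dn_problems(dn)))
    return findings


if __name__ == "__main__":
    for ts, dn, problems in scan(SAMPLE_LOG):
        print(ts, dn, problems or "well-formed DN, entry not found")
```

An empty problem list means the DN is well formed and the entry really was not found, which points at a wrong suffix or a missing account rather than a client that cut the value.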


[Freeipa-users] Re: Failed to retrieve entry 32

2017-07-05 Thread wenxing zheng via FreeIPA-users
Thanks to Rob.

We finally got the root cause, it's a bug in the application. Our LDAP URL
or DN is too long which triggered a bug in the JDK Properties. Java
Properties doesn't allow the value to be longer than 47, and if the length
is longer than 47, it will truncate the value and append the "..." at the
end.



On Thu, Jul 6, 2017 at 1:33 AM, Rob Crittenden wrote:

> wenxing zheng via FreeIPA-users wrote:
> > Dear all,
> >
> > I met with an issue when doing the LDAP authentication on the Kylin. My
> > FreeIPA works with Ranger very well, but on Kylin, when binding the DN
> > with the admin, it failed to connect to the LDAP server:
> >
> > [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> > line 756]: Failed to retrieve entry
> > "uid=admin,cn=users,cn=accounts,dc=dat...": 32
> > [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> > line 756]: Failed to retrieve entry
> > "uid=admin,cn=users,cn=accounts,dc=dat...": 32
>
> I don't know what either Kylin or Ranger are. The only advice I can
> suggest is to ensure the whole DN is correct (the dc= bits). The plugin
> is just trying to fetch the entry that is doing the BIND. My memory is
> fuzzy on the ordering of the plugins, it's possible that the bind hasn't
> been authenticated yet at this point, I'm not sure.
>
> You should be able to test on the command-line which might make this
> easier:
>
> $ ldapsearch -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -W -b uid=admin,cn=users,cn=accounts,dc=example,dc=com
>
> rob
>


[Freeipa-users] Re: Failed to retrieve entry 32

2017-07-05 Thread Rob Crittenden via FreeIPA-users
wenxing zheng via FreeIPA-users wrote:
> Dear all,
> 
> I met with an issue when doing the LDAP authentication on the Kylin. My
> FreeIPA works with Ranger very well, but on Kylin, when binding the DN
> with the admin, it failed to connect to the LDAP server:
> 
> [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> line 756]: Failed to retrieve entry
> "uid=admin,cn=users,cn=accounts,dc=dat...": 32
> [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> line 756]: Failed to retrieve entry
> "uid=admin,cn=users,cn=accounts,dc=dat...": 32

I don't know what either Kylin or Ranger are. The only advice I can
suggest is to ensure the whole DN is correct (the dc= bits). The plugin
is just trying to fetch the entry that is doing the BIND. My memory is
fuzzy on the ordering of the plugins, it's possible that the bind hasn't
been authenticated yet at this point, I'm not sure.

You should be able to test on the command-line which might make this easier:

$ ldapsearch -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -W -b uid=admin,cn=users,cn=accounts,dc=example,dc=com

rob