Re: [Freeipa-users] SSS problems with eDirectory
On Thu, Jul 22, 2010 at 11:19:44AM -0400, Scott Duckworth wrote:
> On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose sb...@redhat.com wrote:
>> On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote:
>>> On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote:
>>>> ... something bad happened isn't very useful. And since SSS refuses to try and authenticate users without an encrypted connection, I can't easily use wireshark and friends to debug at the protocol level. While I could probably patch the source to print the actual LDAP error with ldap_err2string(), or maybe gdb the process and set a breakpoint when things go wrong to hopefully get some more useful information, this is beyond what I'd normally consider doing when deploying new software. Any suggestions?
>>>
>>> I'm currently installing eDirectory and I will try to reproduce the behaviour you have found.
>>
>> I have run some basic authentication tests with eDirectory 8.8-SP5 and everything worked fine. I have to admit that I have used the current master of sssd, which includes a lot of changes to the LDAP code. Would you mind testing our current beta release from http://kojipkgs.fedoraproject.org/packages/sssd/1.2.91/21.fc14/ ? It is for rawhide but should work fine on F13, too.
>
> Sure, I'll give it a shot and report back what I find.
>
>> I also didn't use LDAP aliases. Can you check if setting DEREF in /etc/openldap/ldap.conf helps? If not, can you give a short description of how aliases are used in your case so that I can set up a similar environment?
>
> Setting DEREF to always in /etc/openldap/ldap.conf works. Aliasing is only

nice, so authentication is working for you now?

> needed for one DN in our tree: everyone's default group is aliased to another DN in another branch of the tree. I wish there were some way to enable aliasing on a per-map basis (e.g. only groups or only users) so that you'd only take the performance hit where necessary, but I'm not aware of any NSS LDAP client that does this.

The reason might be that the OpenLDAP libraries do not let you specify the deref option in the exported ldap_search routines. It is only an option for the whole connection.

bye,
Sumit

> Thanks.
>
>> bye,
>> Sumit
>>
>>>> Moving on... We will need to dereference LDAP aliases but I have not yet been able to find a setting to enable this. I also have not found the equivalent of the
>>>
>>> I have added an RFE to sssd trac (https://fedorahosted.org/sssd/ticket/568). As a short term fix you can add the appropriate DEREF option to /etc/openldap/ldap.conf.
>>>
>>>> pam_password_prohibit_message setting in /etc/ldap.conf; while not strictly required, it is nice to refer users to the proper way to change passwords in our environment.
>>>
>>> Currently there is only a configurable message if password resets by root fail. I have added https://fedorahosted.org/sssd/ticket/569 to track this.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Any help would be appreciated. Thanks!
>>>>
>>>> Scott Duckworth, Systems Programmer II
>>>> Clemson University School of Computing

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] SSS problems with eDirectory
On 07/22/2010 11:47 AM, Scott Duckworth wrote:
> yum localinstall libcollection-0.5.0-21.fc14.* libini_config-0.6.0-21.fc14.* sssd-1.2.91-21.fc14.* sssd-client-1.2.91-21.fc14.* requires python 2.7. Adding python-2.7-3.fc14.* and python-libs-2.7-3.fc14.* results in a slew of dependency resolution errors. If I get the chance in the next few days, I'll try it under rawhide.

Sorry, that was the wrong package. Please try: http://koji.fedoraproject.org/koji/buildinfo?buildID=182852

The one Sumit sent you mistakenly was from an in-progress rebuild of python for Fedora 14. This one uses Python 2.6 and should install cleanly on Fedora 13.

-- 
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-users] SSS problems with eDirectory
[snip]
> Uhmmm this may be a side effect of your directory not having memberof. I think we need to add special code to handle servers that use rfc2307bis schema but that do not use memberof.

Are we sure that this is the case? Is there any chance we can get a schema file that shows what is the schema used on the server? Maybe it is one of the early drafts of the rfc2307bis that is implemented in the server? I think the ldapsearch results listing any one user and a group he is a member of in your server will be very helpful.

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-users] SSS problems with eDirectory
On Thu, 22 Jul 2010 17:59:03 -0400 Dmitri Pal d...@redhat.com wrote:
> [snip]
>> Uhmmm this may be a side effect of your directory not having memberof. I think we need to add special code to handle servers that use rfc2307bis schema but that do not use memberof.
>
> Are we sure that this is the case? Is there any chance we can get a schema file that shows what is the schema used on the server? Maybe it is one of the early drafts of the rfc2307bis that is implemented in the server? I think the ldapsearch results listing any one user and a group he is a member of in your server will be very helpful.

memberof is not required by rfc2307bis. Actually it is not even mentioned by rfc2307bis, so it is our fault if we depend on it. rfc2307bis actually mentions only uniquemember.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
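Two points in the thread above lend themselves to a worked illustration: the alias problem Scott hit (a "default group" DN under one branch that is only an alias for the real group entry in another branch, invisible to a client that does not dereference aliases) and Simo's observation that rfc2307bis defines only forward uniqueMember links, so a client that wants a user's groups cannot rely on a server-side memberOf attribute. The Python below is an added example for this page, not sssd, OpenLDAP or eDirectory code. It models the directory as an in-memory dict; the DNs, the gidNumbers and the stale member `uid=gone` are constructed for the example. It shows a gid lookup that misses until aliases are dereferenced, and group membership computed client-side from forward links, following nested groups and aliased member DNs while tolerating cycles and dangling DNs.

```python
"""Client-side alias dereferencing and group expansion without memberOf.

Added example, not sssd or eDirectory code. DIRECTORY is a constructed
in-memory stand-in for the tree discussed in the thread: users and an alias
under ou=people, rfc2307bis-style groups under ou=groups that carry only
forward uniqueMember links and no memberOf.
"""
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]
BASE = "dc=example,dc=edu"
PEOPLE = "ou=people," + BASE
GROUPS = "ou=groups," + BASE
GRP_OC = ["posixGroup", "groupOfUniqueNames"]

DIRECTORY: Dict[str, Entry] = {
    f"uid=scott,{PEOPLE}": {"objectClass": ["posixAccount"], "uid": ["scott"], "gidNumber": ["1000"]},
    f"uid=sumit,{PEOPLE}": {"objectClass": ["posixAccount"], "uid": ["sumit"], "gidNumber": ["1000"]},
    # The default-group DN under ou=people is only an alias object (RFC 4512 section 2.6)
    # for the real group in ou=groups; it carries no gidNumber of its own.
    f"cn=default,{PEOPLE}": {"objectClass": ["alias", "extensibleObject"],
                             "aliasedObjectName": [f"cn=users,{GROUPS}"]},
    f"cn=users,{GROUPS}": {"objectClass": GRP_OC, "cn": ["users"], "gidNumber": ["1000"],
                           "uniqueMember": [f"uid=scott,{PEOPLE}", f"uid=sumit,{PEOPLE}"]},
    f"cn=admins,{GROUPS}": {"objectClass": GRP_OC, "cn": ["admins"], "gidNumber": ["2000"],
                            "uniqueMember": [f"uid=scott,{PEOPLE}"]},
    # staff nests admins, references ops (which references staff back: a cycle)
    # and carries a stale member DN that no longer exists (constructed).
    f"cn=staff,{GROUPS}": {"objectClass": GRP_OC, "cn": ["staff"], "gidNumber": ["3000"],
                           "uniqueMember": [f"cn=admins,{GROUPS}", f"uid=sumit,{PEOPLE}",
                                            f"cn=ops,{GROUPS}", f"uid=gone,{PEOPLE}"]},
    # ops reaches cn=users only through the alias DN in ou=people.
    f"cn=ops,{GROUPS}": {"objectClass": GRP_OC, "cn": ["ops"], "gidNumber": ["4000"],
                         "uniqueMember": [f"cn=default,{PEOPLE}", f"cn=staff,{GROUPS}"]},
}

MAX_ALIAS_HOPS = 8  # bound alias chains: do not trust the server to have rejected loops


def deref(dn: str, directory: Dict[str, Entry] = DIRECTORY) -> Optional[str]:
    """Follow alias objects to the real entry, as OpenLDAP's DEREF always does.
    Returns None for a DN that does not exist; raises on an alias loop."""
    seen: Set[str] = set()
    while dn in directory and "alias" in directory[dn]["objectClass"]:
        if dn in seen or len(seen) >= MAX_ALIAS_HOPS:
            raise ValueError(f"alias loop or chain too long at {dn}")
        seen.add(dn)
        dn = directory[dn]["aliasedObjectName"][0]
    return dn if dn in directory else None


def is_group(entry: Entry) -> bool:
    return "posixGroup" in entry["objectClass"]


def search_group_by_gid(gid: int, base: str, dereference: bool,
                        directory: Dict[str, Entry] = DIRECTORY) -> Optional[str]:
    """Subtree search under base for a posixGroup with gidNumber=gid (a primary-group lookup).
    With dereference=False the alias under ou=people is an entry without gidNumber and the
    search misses; that is the failure the thread fixed by setting DEREF always."""
    for dn in directory:
        if not dn.endswith("," + base):
            continue
        target = deref(dn, directory) if dereference else dn
        if target is None:
            continue  # alias pointing at a removed entry
        entry = directory[target]
        if is_group(entry) and entry.get("gidNumber") == [str(gid)]:
            return target
    return None


def expand_group(group_dn: str, directory: Dict[str, Entry] = DIRECTORY) -> Set[str]:
    """Transitive user members of a group from forward uniqueMember/member links.
    Nested groups and aliased member DNs are followed; cycles and stale DNs are tolerated."""
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = deref(stack.pop(), directory)
        if dn is None or dn in visited:
            continue  # stale DN or nested-group cycle
        visited.add(dn)
        for attr in ("uniqueMember", "member"):
            for member in directory[dn].get(attr, []):
                target = deref(member, directory)
                if target is None:
                    continue  # dangling member reference: skip it, do not fail the whole lookup
                (stack.append if is_group(directory[target]) else users.add)(target)
    return users


def member_of(directory: Dict[str, Entry] = DIRECTORY) -> Dict[str, Set[str]]:
    """user DN -> set of group DNs: the reverse index a memberOf overlay would maintain."""
    index: Dict[str, Set[str]] = {}
    for dn, entry in directory.items():
        if is_group(entry):
            for user in expand_group(dn, directory):
                index.setdefault(user, set()).add(dn)
    return index


def initgroups(uid: str, directory: Dict[str, Entry] = DIRECTORY) -> List[int]:
    """Sorted gidNumbers for uid: the primary group plus every group reached via member links."""
    user_dn = next(dn for dn, e in directory.items() if e.get("uid") == [uid])
    gids = {int(directory[user_dn]["gidNumber"][0])}
    for group_dn in member_of(directory).get(user_dn, set()):
        gids.add(int(directory[group_dn]["gidNumber"][0]))
    return sorted(gids)


if __name__ == "__main__":
    print(search_group_by_gid(1000, PEOPLE, dereference=False))  # None: alias not followed
    print(search_group_by_gid(1000, PEOPLE, dereference=True))   # the real cn=users entry
    for name in ("scott", "sumit"):
        print(name, initgroups(name))
```

In a real client the dereferencing step is not per search but a connection-wide option, which is Sumit's point about libldap: `DEREF always` in /etc/openldap/ldap.conf for OpenLDAP-based clients such as sssd, or `ldap.set_option(ldap.OPT_DEREF, ldap.DEREF_ALWAYS)` with python-ldap. The membership half is what a client has to do itself against a server that offers only uniqueMember: walk the forward links with a visited set, so a nested-group cycle or a stale DN degrades to a skipped entry rather than a failed login.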
[Freeipa-users] Support of SUDO in IPA
Hello,

Once again after some delay we are taking a look at implementing centrally managed SUDOERS in IPA. The first effort was based on the policy engine approach, and since the whole policy part got deferred it got postponed too. However it became apparent that there is a need to support central management of SUDO sooner rather than later. So we are taking a second look at it.

Please review the following page to see our plans: http://www.freeipa.org/page/SUDO_integration_plans

We are looking for feedback regarding this effort. Help is welcome! Also it is very important to do it right. Please find the first cut at the design of the server side here: http://www.freeipa.org/page/SUDO_Schema_Design

Please help us find the right answers to the questions asked at the bottom of the page.

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.