[Freeipa-users] Legacy client in compat tree - multiple entries?

[S Toulmonde via FreeIPA-users]

Hello IPA gurus,

I have a legacy client (Solaris) that I want to migrate to a IPA (RHEL IPA 
4.6.5). Currently, it's being served by an ODSEE server for ldap.

So first I want to test if I can connect with a user in IPA, then I'll try with 
an external (AD client). But I have the following issue:

User I try to login with: seb

# Legacy (Solaris) Client:
Jan 14 15:46:34 vs4b7 sshd[45644]: [ID 293258 auth.warning] libsldap: Status: 7 
 Mesg: Too many entries are returned for seb

So it seems that I have several users in the compat tree with uid=seb...

# IPA server serving Legacy client:
[root@el6982 sssd]# ldapsearch -Y GSSAPI -b 
'cn=users,cn=compat,dc=dev,dc=ipa,dc=bc' 
'(&(objectClass=posixaccount)(uid=seb))'

# seb, users, compat, dev.ipa.bc
dn: uid=seb,cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
objectClass: posixAccount
objectClass: top
gecos:: U8OpYmFzdGllbiBUb3VsbW9uZGUgKGxvY2FsIElQQSk=
cn:: U8OpYmFzdGllbiBUb3VsbW9uZGUgKGxvY2FsIElQQSk=
uidNumber: 1856200001
gidNumber: 1856200001
loginShell: /bin/bash
homeDirectory: /home/seb
uid: s...@dev.ipa.bc
uid: seb

# seb, users, compat, dev.ipa.bc
dn: uid=seb,cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos:: U8OpYmFzdGllbiBUb3VsbW9uZGU=
cn:: U8OpYmFzdGllbiBUb3VsbW9uZGU=
uidNumber: 1856200001
gidNumber: 1856200001
loginShell: /bin/bash
homeDirectory: /home/seb
ipaAnchorUUID:: 
OklQQTpkZXYuaXBhLmJjOmRmMmQyNjdjLWFjN2MtMTFlOS1iYTMyLTAwNTA1NjllMjc5OQ==
uid: seb

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

# LDAP config for legacy client:
(vs4b7:/var/adm)# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris10,cn=sysaccounts,cn=etc,dc=dev,dc=ipa,dc=bc
NS_LDAP_BINDPASSWD= {NS1}c537f4abc1a7c4e477a5ca0ca15c7bdc7a83d9
NS_LDAP_SERVERS= el6982.dev.ipa.bc
NS_LDAP_SEARCH_BASEDN= dc=dev,dc=ipa,dc=bc
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_CACHETTL= 0
NS_LDAP_PROFILE= solaris10
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=dev,dc=ipa,dc=bc
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount



I wonder why do I have two entries in the compat tree? One if objectClass: 
ipaOverrideTarget and the other isn't... I restarted sssd and IPA to clear the 
compat tree, but it pops back up again.

Any idea?

Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org