Re: [Freeipa-users] SSS problems with eDirectory

2010-07-26 Thread Simo Sorce
On Mon, 26 Jul 2010 09:33:22 -0400 Stephen Gallagher wrote: > I was discussing this with Dmitri this morning. I propose that we > should probably do the following: > > After retrieving the user entry, verify whether the entry contains at > least one memberOf attribute. If it does, continue proce

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-26 Thread Stephen Gallagher
On 07/23/2010 05:45 PM, Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 5:24 PM, Sumit Bose > >> I can prepare a special build for you which prints the >> LDAP_OPT_DIAGNOSTIC_MESSAGE LDAP option and let you use wireshark. But >> I'm afr

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-26 Thread Stephen Gallagher
On 07/23/2010 06:15 PM, Simo Sorce wrote: > On Fri, 23 Jul 2010 17:17:11 -0400 > Scott Duckworth wrote: > >> I've learned that this attribute does exist in our tree, but it's not >> being populated when we add users to groups since our proxy user doe

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Simo Sorce
On Fri, 23 Jul 2010 17:17:11 -0400 Scott Duckworth wrote: > I've learned that this attribute does exist in our tree, but it's not > being populated when we add users to groups since our proxy user does > not have rights to write groupMembership to users. I'm trying to > find out if we can get ou

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Scott Duckworth
On Thu, Jul 22, 2010 at 5:24 PM, Sumit Bose wrote: > On Thu, Jul 22, 2010 at 04:19:53PM -0400, Scott Duckworth wrote: > > On Thu, Jul 22, 2010 at 12:38 PM, Stephen Gallagher >wrote: > > > > > On 07/22/2010 11:47 AM, Scott Duckworth

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Scott Duckworth
On Fri, Jul 23, 2010 at 6:16 AM, Sumit Bose wrote: > On Thu, Jul 22, 2010 at 04:49:50PM -0400, Simo Sorce wrote: > > On Thu, 22 Jul 2010 16:22:45 -0400 > > Scott Duckworth wrote: > > > > > On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce wrote: > > > > > > > On Thu, 22 Jul 2010 15:30:23 -0400 > > >

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Scott Duckworth
On Thu, Jul 22, 2010 at 8:37 PM, Simo Sorce wrote: > On Thu, 22 Jul 2010 15:30:23 -0400 > Scott Duckworth wrote: > > > There are almost 120,000 users in our directory, and we currently > > have ~200 Linux systems that might use SSSD, soon scaling to >500 > > systems. I imagine that even 500 sys

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Stephen Gallagher
On 07/23/2010 05:43 AM, Sumit Bose wrote: > The most flexible way of access control is to use sssd together with a > FreeIPA v2 server (the Alpha4 release was published recently). There are > also plans to add sudo support into FreeIPA (see > http://www

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Sumit Bose
On Thu, Jul 22, 2010 at 04:49:50PM -0400, Simo Sorce wrote: > On Thu, 22 Jul 2010 16:22:45 -0400 > Scott Duckworth wrote: > > > On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce wrote: > > > > > On Thu, 22 Jul 2010 15:30:23 -0400 > > > Scott Duckworth wrote: > > > > > > > On Thu, Jul 22, 2010 at 11:

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Sumit Bose
On Fri, Jul 23, 2010 at 10:49:41AM +0200, Christian Horn wrote: > On Thu, Jul 22, 2010 at 03:30:23PM -0400, Scott Duckworth wrote: > > > > There are almost 120,000 users in our directory, and we currently have ~200 > > Linux systems that might use SSSD, soon scaling to >500 systems. I imagine > >

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Christian Horn
On Thu, Jul 22, 2010 at 03:30:23PM -0400, Scott Duckworth wrote: > > There are almost 120,000 users in our directory, and we currently have ~200 > Linux systems that might use SSSD, soon scaling to >500 systems. I imagine > that even 500 systems is only a medium-scale installation compared to som

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 15:30:23 -0400 Scott Duckworth wrote: > There are almost 120,000 users in our directory, and we currently > have ~200 Linux systems that might use SSSD, soon scaling to >500 > systems. I imagine that even 500 systems is only a medium-scale > installation compared to some site

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Dmitri Pal
Simo Sorce wrote: > On Thu, 22 Jul 2010 17:59:03 -0400 > Dmitri Pal wrote: > > >> [snip] >> >>> Uhmmm this may be a side effect of your directory not having >>> memberof I think we need to add special code to handle servers that >>> use rfc2307bis schema but that do not use memberof. >>> >

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 17:59:03 -0400 Dmitri Pal wrote: > [snip] > > Uhmmm this may be a side effect of your directory not having > > memberof I think we need to add special code to handle servers that > > use rfc2307bis schema but that do not use memberof. > > > > > > Are we sure that this is t

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Dmitri Pal
[snip] > Uhmmm this may be a side effect of your directory not having memberof > I think we need to add special code to handle servers that use > rfc2307bis schema but that do not use memberof. > > Are we sure that this is the case? Is there any chance we can get a schema file that shows what i

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Sumit Bose
On Thu, Jul 22, 2010 at 04:19:53PM -0400, Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 12:38 PM, Stephen Gallagher > wrote: > > On 07/22/2010 11:47 AM, Scott Duckworth wrote: > > > > > > "yum localinstall libcollection-0.5.0-21.fc14.

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 16:22:45 -0400 Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce wrote: > > > On Thu, 22 Jul 2010 15:30:23 -0400 > > Scott Duckworth wrote: > > > > > On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce > > > wrote: > > > > > > > On Thu, 22 Jul 2010 11:10:25 -04

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Scott Duckworth
On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce wrote: > On Thu, 22 Jul 2010 15:30:23 -0400 > Scott Duckworth wrote: > > > On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce > > wrote: > > > > > On Thu, 22 Jul 2010 11:10:25 -0400 > > > Scott Duckworth wrote: > > > > > > > I removed all files from /var/l

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Scott Duckworth
On Thu, Jul 22, 2010 at 12:38 PM, Stephen Gallagher wrote: > On 07/22/2010 11:47 AM, Scott Duckworth wrote: > > > > "yum localinstall libcollection-0.5.0-21.fc14.* > > libini_config-0.6.0-21.fc14.* sssd-1.2.91-21.fc14.* > > sssd-client-1.2.91-21.

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 15:30:23 -0400 Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce > wrote: > > > On Thu, 22 Jul 2010 11:10:25 -0400 > > Scott Duckworth wrote: > > > > > I removed all files from /var/lib/sss/db/ and restarted sssd. > > > Same behavior. nscd is disabled,

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Scott Duckworth
On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce wrote: > On Thu, 22 Jul 2010 11:10:25 -0400 > Scott Duckworth wrote: > > > I removed all files from /var/lib/sss/db/ and restarted sssd. Same > > behavior. nscd is disabled, so I don't think it's caching at any > > level. > > > > Here is what I ran:

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Stephen Gallagher
On 07/22/2010 11:47 AM, Scott Duckworth wrote: > > "yum localinstall libcollection-0.5.0-21.fc14.* > libini_config-0.6.0-21.fc14.* sssd-1.2.91-21.fc14.* > sssd-client-1.2.91-21.fc14.*" requires python 2.7. Adding > python-2.7-3.fc14.* and python-libs

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Sumit Bose
On Thu, Jul 22, 2010 at 11:19:44AM -0400, Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose wrote: > > > On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote: > > > On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote: > > > > > > ... > > > > > > > > > > > "so

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Scott Duckworth
On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose wrote: > On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote: > > On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote: > > > > ... > > > > > > > > "something bad happened" isn't very useful. And since SSS refuses to > try > > > and

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Scott Duckworth
On Thu, Jul 22, 2010 at 11:19 AM, Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose wrote: > >> On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote: >> > On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote: >> > >> > ... >> > >> > > >> > > "something bad hap

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 11:10:25 -0400 Scott Duckworth wrote: > I removed all files from /var/lib/sss/db/ and restarted sssd. Same > behavior. nscd is disabled, so I don't think it's caching at any > level. > > Here is what I ran: > > [r...@duck2 ~]# getent passwd sduckwo > sduckwo:*:45265:1:

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Scott Duckworth
On Wed, Jul 21, 2010 at 6:18 PM, Dmitri Pal wrote: > Scott Duckworth wrote: > > On Wed, Jul 21, 2010 at 5:58 PM, Dmitri Pal > > wrote: > > > > Scott Duckworth wrote: > > > I'm trying to set up a vanilla installation of Fedora 13 to > > > authenticate against an

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Sumit Bose
On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote: > On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote: > > ... > > > > > "something bad happened" isn't very useful. And since SSS refuses to try > > and authenticate users without an encrypted connection, I can't easily us

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Sumit Bose
On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote: ... > > "something bad happened" isn't very useful. And since SSS refuses to try > and authenticate users without an encrypted connection, I can't easily use > wireshark and friends to debug at the protocol level. While I could >

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-21 Thread Dmitri Pal
Scott Duckworth wrote: > I'm trying to set up a vanilla installation of Fedora 13 to > authenticate against an eDirectory server. We have this working on > RHEL5 using nss_ldap and pam_ldap, but doing this same configuration > on Fedora 13 did not work. So I'm now attempting the configuration > us

[Freeipa-users] SSS problems with eDirectory

2010-07-21 Thread Scott Duckworth
I'm trying to set up a vanilla installation of Fedora 13 to authenticate against an eDirectory server. We have this working on RHEL5 using nss_ldap and pam_ldap, but doing this same configuration on Fedora 13 did not work. So I'm now attempting the configuration using SSS. I used the graphical too