wenxing zheng wrote:
> Thanks to Rob.
>
> We finally got the root cause, it's a bug in the application. Our LDAP
> URL or DN is too long which triggered a bug in the JDK Properties. Java
> Properties doesn't allow the value to be longer than 47, and if the
> length is longer than 47, it will truncate the value and append the
> "..." at the end.

Glad you figured it out. I had assumed the ellipses were you obfuscating the domain name :-)

rob

>
> On Thu, Jul 6, 2017 at 1:33 AM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>
> wenxing zheng via FreeIPA-users wrote:
> > Dear all,
> >
> > I met with an issue when doing the LDAP authentication on the Kylin. My
> > FreeIPA works with Ranger very well, but on Kylin, when binding the DN
> > with the admin, it failed to connect to the LDAP server:
> >
> > [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> > line 756]: Failed to retrieve entry
> > "uid=admin,cn=users,cn=accounts,dc=dat...": 32
> > [05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c,
> > line 756]: Failed to retrieve entry
> > "uid=admin,cn=users,cn=accounts,dc=dat...": 32
>
> I don't know what either Kylin or Ranger are. The only advice I can
> suggest is to ensure the whole DN is correct (the dc= bits). The plugin
> is just trying to fetch the entry that is doing the BIND. My memory is
> fuzzy on the ordering of the plugins, it's possible that the bind hasn't
> been authenticated yet at this point, I'm not sure.
>
> You should be able to test on the command-line which might make this
> easier:
>
> $ ldapsearch -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -W -b
> uid=admin,cn=users,cn=accounts,dc=example,dc=com
>
> rob
>
>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org