On 12.2.2014 15:01, Tamas Papp wrote:

On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
On Wed, 12 Feb 2014, Tamas Papp wrote:

On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
On Wed, 12 Feb 2014, Tamas Papp wrote:
hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
ldap_bind: Referral (10)
    referrals:
        ldap:///uid=USER,cn=users,cn=accounts,dc=foo

[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is CentOS 6.5 and LDAP was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against compat is
also fine.


What is err=10?
slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

In older versions slapi-nis issues LDAP referral to the original LDAP
entry with the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports the
referral on bind operation.

In short, you cannot do LDAP bind against compat tree in RHEL before
7.0.

I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.
It worked with IPA 3.3 because of what I wrote above -- I implemented
LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
referral to the original entry's DN.

If I understand correctly, you're referring to the client side, aren't you?
No.

Or it is true for the server side as well?
It is purely a server-side issue. slapi-nis < 0.47.5 does not support
proper authentication against the compat tree that LDAP clients understand.

Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the
trick.

BTW why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is ... obsolete. SSSD has some very nice features like an off-line cache etc.

--
Petr^2 Spacek
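As an added example, not code from the thread or from the FreeIPA/slapi-nis project: a small Python check that scans 389-ds access-log lines for exactly the pattern Tamas posted, a BIND against cn=compat that the server answered with err=10 (referral), which is the symptom of the pre-0.47.5 slapi-nis behaviour Alexander describes. The sample log lines are constructed from the excerpt in the thread, and the accounts-DN rewrite assumes the standard FreeIPA cn=compat / cn=accounts naming.

```python
import re

# Constructed sample of 389-ds access-log lines, modelled on the excerpt in the thread.
# conn=25363 reproduces the referred compat bind; conn=25364 is a normal bind for contrast.
SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LDAP_REFERRAL = 10  # LDAP result code "referral", what ldap_bind reported as "Referral (10)"

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the BindResponse tag, so this RESULT line answers a BIND, not a SEARCH.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97')


def find_referred_compat_binds(log_text):
    """Return [(conn, bind_dn), ...] for BINDs against the compat tree that the
    server answered with err=10. Such binds were never authenticated: old
    slapi-nis only handed back a referral that clients do not follow on bind."""
    pending = {}  # (conn, op) -> bind DN, for BINDs still waiting for their RESULT
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn and int(m.group(3)) == LDAP_REFERRAL and ",cn=compat," in dn.lower():
                hits.append((m.group(1), dn))
    return hits


def accounts_dn_for(compat_dn):
    """Rewrite a compat-tree DN into the accounts-tree DN the referral pointed at
    (assumes the standard FreeIPA naming seen in the thread's referral URL)."""
    return compat_dn.replace(",cn=compat,", ",cn=accounts,", 1)


if __name__ == "__main__":
    for conn, dn in find_referred_compat_binds(SAMPLE_LOG):
        print(f"conn={conn}: bind to {dn} was referred; real entry is {accounts_dn_for(dn)}")
```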

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
