On 02/12/2014 03:04 PM, Petr Spacek wrote:
> On 12.2.2014 15:01, Tamas Papp wrote:
>>
>> On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
>>> On Wed, 12 Feb 2014, Tamas Papp wrote:
>>>>
>>>> On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
>>>>> On Wed, 12 Feb 2014, Tamas Papp wrote:
>>>>>> hi All,
>>>>>>
>>>>>> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
>>>>>> ldap_bind: Referral (10)
>>>>>> referrals:
>>>>>> ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>>>>>>
>>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
>>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
>>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>>>>>>
>>>>>> System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
>>>>>> Non-compat authentication works fine and authorization against compat is
>>>>>> also fine.
>>>>>>
>>>>>> What is err=10?
>>>>> slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
>>>>> compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
>>>>>
>>>>> In older versions slapi-nis issues LDAP referral to the original LDAP
>>>>> entry with the hope that an LDAP client would follow it and perform a
>>>>> bind against the referral.
>>>>>
>>>>> Unfortunately, there is virtually no client software that supports the
>>>>> referral on bind operation.
>>>>>
>>>>> In short, you cannot do LDAP bind against compat tree in RHEL before
>>>>> 7.0.
>>>>
>>>> I forgot to mention, the client would be Ubuntu 12.04 and it
>>>> works/worked with IPA 3.3 and F20.
>>> It worked with IPA 3.3 because of what I wrote above -- I implemented
>>> LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
>>> referral to the original entry's DN.
>>>
>>>> If I understand correctly, you're referring to the client side, are
>>>> you?
>>> No.
>>>
>>>> Or it is true for the server side as well?
>>> It is purely a server-side issue. slapi-nis < 0.47.5 does not support
>>> proper authentication against compat tree that LDAP clients understand.
>>
>> Actually I'd like to authenticate shell users on Ubuntu.
>>
>> For the record, I figured out that switching from nscd to nslcd did the
>> trick.
>
> BTW why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD
> is ... obsolete. SSSD has some very nice features like off-line cache
> etc.

I don't know it. After a quick look I wasn't able to set it up correctly,
'id USER' didn't connect to its socket like with nscd/nslcd, however
nsswitch.conf was configured.

Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Thx,
tamas

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users