<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"> <div> <div>Looks like I needed to try a couple of options for the /etc/ldap.conf file. Eventually, the original line of 'pam_password md5’ seemed to be causing the error message. I commented it out and I’ll assume by doing so, that its using ‘clear text’ for the LDAP call. I’m using SSL/TLS so I’ll try a few other options to the ‘pam_password’. If this is the only way to get it to work, then I’ll take what I can here …</div> <div><br> </div> <div>What options for legacy clients does the members of this group use or recommend? </div> <div><br> </div> <div>I also want to thank everyone here for all of the help getting my legacy clients functioning to date !!</div> <div><b style="font-size: 11pt;"><span style="font-size: 10pt; font-family: 'Palatino Linotype', serif; color: rgb(31, 73, 125);"><br> </span></b></div> <div><b style="font-size: 11pt;"><span style="font-size: 10pt; font-family: 'Palatino Linotype', serif; color: rgb(31, 73, 125);">Jeffrey Stormshak, RHCSA | Sr. Linux Engineer</span></b></div> <div> <div style="background-color: rgb(255, 255, 255); font-family: Tahoma; font-size: 13px;"> <p class="MsoNormal" style="font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-family: 'Palatino Linotype', serif; font-size: 10pt;">Platform Systems | IT Operations Infrastructure</span></p> <p class="MsoNormal" style="font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-family: 'Palatino Linotype', serif; font-size: 10pt;">CCC Information Services, Inc.</span></p> <p class="MsoNormal" style="font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-family: 'Palatino Linotype', serif; font-size: 10pt;">Phone: (312) 229-2552</span></p> </div> </div> </div> <div><br> </div> <span id="OLK_SRC_BODY_SECTION"> <div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"> <span style="font-weight:bold">From: </span>Jeffrey Stormshak <<a href="mailto:jstormshak@cccis.com">jstormshak@cccis.com</a>><br> <span style="font-weight:bold">Date: </span>Monday, November 30, 2015 at 12:34 PM<br> <span style="font-weight:bold">To: </span>Jeffrey Stormshak <<a href="mailto:jstormshak@cccis.com">jstormshak@cccis.com</a>>, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>><br> <span style="font-weight:bold">Cc: </span>"<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br> <span style="font-weight:bold">Subject: </span>RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question<br> </div> <div><br> </div> <div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <meta name="Generator" content="Microsoft Word 14 (filtered medium)"> <style></style> <div lang="EN-US" link="blue" vlink="purple"> <div class="WordSection1"> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">Alex/Group ---<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">I’ve implemented the ipa-advise script and authentication worked as expected on the legacy 5.5 client. Although, I continue to get closer, another bump in the road here. Anyone experienced this error and could provide some areas to review to correct it? Please advise – Thanks for the continual help here !! <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">$ passwd<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">Changing password for user pmoss.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">Enter login(LDAP) password: <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">New UNIX password: <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">Retype new UNIX password: <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">LDAP password information update failed: Constraint violation<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">Pre-Encoded passwords are not valid<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">passwd: Permission denied<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"><o:p> </o:p></span></p> <div> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;"> <a href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>] <b>On Behalf Of </b>Jeffrey Stormshak<br> <b>Sent:</b> Tuesday, November 24, 2015 4:40 PM<br> <b>To:</b> Alexander Bokovoy<br> <b>Cc:</b> <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question<o:p></o:p></span></p> </div> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Alex -<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Thank you for the details!! <o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">For right now, I’m using the IPA Server as a standalone Linux domain controller/server without any AD integration. This allows testing to prove that this could work with a large number of 5.5 clients in the enterprise to date. <o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">On the question being proposed …<o:p></o:p></span></p> </div> <div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">You haven't answered earlier when people asked whether you are using<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">cn=compat tree because you need to get information about Active<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Directory users or not.<o:p></o:p></span></p> </div> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">ANSWER:<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Yes. I’m trying to achieve full integration with AD but I’m only at the point where I started testing this in a standalone Linux mode. I was trying to see if these legacy 5.5 clients were even possible to configure and to work here as specified. <o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">I’ll review the IPA tools for better understanding here. <o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <div> <p class="MsoNormal" style="background:white"><b><span style="font-size: 10pt; font-family: 'Palatino Linotype', serif; color: rgb(31, 73, 125);">Jeffrey Stormshak, RHCSA | Sr. Linux Engineer</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;"><o:p></o:p></span></p> <p class="MsoNormal" style="background:white"><span style="font-size: 10pt; font-family: 'Palatino Linotype', serif; color: black;">Platform Systems | IT Operations Infrastructure</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;"><o:p></o:p></span></p> <p class="MsoNormal" style="background:white"><span style="font-size: 10pt; font-family: 'Palatino Linotype', serif; color: black;">CCC Information Services, Inc.</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;"><o:p></o:p></span></p> <p class="MsoNormal" style="background:white"><span style="font-size: 10pt; font-family: 'Palatino Linotype', serif; color: black;">Phone: (312) 229-2552</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;"><o:p></o:p></span></p> </div> </div> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <p class="MsoNormal"><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;">From: </span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;">Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>><br> <b>Date: </b>Tuesday, November 24, 2015 at 7:57 AM<br> <b>To: </b>Jeffrey Stormshak <<a href="mailto:jstormshak@cccis.com">jstormshak@cccis.com</a>><br> <b>Cc: </b>Jakub Hrozek <<a href="mailto:jhrozek@redhat.com">jhrozek@redhat.com</a>>, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>, "<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br> <b>Subject: </b>Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">On Tue, 24 Nov 2015, Jeffrey Stormshak wrote:<o:p></o:p></span></p> </div> <blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">I went to review the ‘ip_provider’ and that looks like a ‘sssd.conf’<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">setting. The sssd RPM isn’t located on the 5.5 clients; nor is it in<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">the YUM Channels for 5.5 base and 5.5 patch. So is the recommendation<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">here to find any 5.X version of sssd RPM and use that for this<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">configuration? Sorry, being a newbie on this product realistically<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">isn’t helping here I’m sure …<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">The ipa-advise, is that part of the ipa-client RPM? That too, doesn’t<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">exist on the 5.5 distribution as well. Even the version required to<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">fix the openssl only worked with the 5.7 base version. Am I complete<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">doomed for 5.5? Cards are stacked for sure. Nonetheless …<o:p></o:p></span></p> </div> </blockquote> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">ipa-advise is a tool on IPA server that provides recipes how to<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">configure different clients for a typical scenarios involving trust to<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">AD.<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Read the manual for the tool to get more information.<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">For legacy clients where there is no recent enough SSSD to support trust<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">to AD natively, ipa-advise recommends using schema compatibility plugin<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">to expose both IPA and AD users under same LDAP tree. This is what you<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">see in cn=users,cn=compat,dc=example,dc=com. If you see cn=compat in the<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">LDAP base DN, you know you are looking into the compatibility tree.<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Compatibility tree is handled by a special plugin which combines data<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">from the primary IPA tree (cn=accounts,dc=example,dc=com) and from SSSD<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">on IPA server. It also exposes ou=SUDOers subtree to allow SUDO<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">application to work with sudo rules stored in IPA LDAP (they are not in<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">the same format as SUDO itself expects, thus _compatibility_ subtree).<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">I feel so close though… Auth and Sudo works on 5.5 but something as<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">simple as users changing passwords seems so simple to provide?<o:p></o:p></span></p> </div> </blockquote> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Finally, password changes are not supported in cn=compat subtree. This<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">is simply not implemented by schema compatibility plugin.<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">You haven't answered earlier when people asked whether you are using<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">cn=compat tree because you need to get information about Active<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Directory users or not. If you don't need integration with Active<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Directory, change LDAP base DN in your configuration to<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">cn=accounts,dc=example,dc=com, to point your clients to the primary IPA<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">subtree where all users and groups are available. That subtree is the<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">main one and we do support password changes for DNs in it.<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">-- <o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">/ Alexander Bokovoy<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p> </div> </div> </div> </div> </div> </div> </span> </body> </html>