[Freeipa-users] Re: mod_authz_ldap authentication against ipa

Rob Crittenden rcritten at redhat.com
Wed Oct 22 13:27:31 UTC 2008


Ivan Levchenko wrote:
> On Wed, Oct 22, 2008 at 12:13 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> If it isn't returning anything then it means that the attribute doesn't
>> exist which explains why LDAP authentication isn't working.
> Err... sorry for misinforming you. I had a typo in the command, that's
> why it didn't return anything.
> With the correct command, it returns some sort of hash.

Well, that hash was your old LDAP password.

>> What I don't understand is how this can be. From my reading of the password
>> change plugin it should always set the userPassword attribute.
>>
>> You might try:
>>
>> % kinit admin@YOUR_REALM
>> % ldappasswd -S -Y GSSAPI dn_of_user
> Now it works! I reset my password with this, and the LDAP search now
> authenticates and so does Apache. So it looks like Kerberos and LDAP
> are out of sync... Any more troubleshooting I can do to help identify
> the issue? (I promise to double-check before pressing enter!)

I'm not sure how this would happen, nor why ldappasswd would fix it. I 
think we'll need to try to reproduce it. I'm not even sure what I'd 
suggest for debugging other than really complex things.

Let me try to clarify the things you found though:

You found that your user couldn't authenticate via LDAP but could use kinit.

You used the kpasswd tool to reset your kerberos credentials.

You could kinit with the new password but LDAP authentication still failed.

When you use ldappasswd you could authenticate using LDAP and kinit.

Did you use a different password each time you changed or were you 
resetting to the same password?

rob
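As an added example (not from the thread or from FreeIPA itself), a small POSIX sh script that does the comparison Rob walks through above: try one password against Kerberos (kinit) and against an LDAP simple bind, and report whether the two credential stores agree. It assumes MIT Kerberos and OpenLDAP client tools are installed and already configured through krb5.conf and ldap.conf for the IPA server; the script name, the argument order and the `in-sync`/`ldap-stale`/`kerberos-stale`/`both-failed` labels are my own.

```shell
#!/bin/sh
# Added example, not from the thread: try one password against both the
# Kerberos KDC (kinit) and the LDAP server (simple bind) and report whether
# the two credential stores agree. Assumes MIT Kerberos and OpenLDAP client
# tools on PATH, configured via krb5.conf and ldap.conf (assumption).
# Usage: ipa-pw-check.sh <bind DN> <principal>   (password read from stdin)

# Kerberos side: kinit into a throwaway credential cache, then discard it.
check_kinit() {   # $1 = principal, $2 = password; returns kinit's status
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    rc=0
    printf '%s\n' "$2" | kinit "$1" >/dev/null 2>&1 || rc=$?
    kdestroy >/dev/null 2>&1
    rm -f "${KRB5CCNAME#FILE:}"
    return "$rc"
}

# LDAP side: simple bind against userPassword. The password goes through a
# mode-600 file (-y), never the command line, and -ZZ insists on StartTLS
# so it is not sent in the clear.
check_ldap_bind() {   # $1 = bind DN, $2 = password; returns ldapwhoami's status
    pwfile="$(mktemp)"; chmod 600 "$pwfile"
    printf '%s' "$2" > "$pwfile"
    rc=0
    ldapwhoami -x -ZZ -D "$1" -y "$pwfile" >/dev/null 2>&1 || rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# Classify the pair of exit statuses (0 = success). "ldap-stale" is the case
# from the thread: kinit works, the LDAP bind does not, so userPassword still
# holds an old value and a GSSAPI-authenticated 'ldappasswd -S' is the fix.
diagnose() {   # $1 = kinit status, $2 = ldap bind status
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo in-sync
    elif [ "$1" -eq 0 ]; then echo ldap-stale
    elif [ "$2" -eq 0 ]; then echo kerberos-stale
    else echo both-failed        # wrong password, DN or principal
    fi
}

main() {
    printf 'Password: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
    krc=0; check_kinit "$2" "$pw" || krc=$?
    lrc=0; check_ldap_bind "$1" "$pw" || lrc=$?
    diagnose "$krc" "$lrc"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as the affected user with the user's DN and principal; an `ldap-stale` result reproduces the state in this thread, where only the LDAP side needed the ldappasswd reset.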
