[Freeipa-users] Unable to authenticate a client user against IPA
Rob Crittenden
rcritten at redhat.com
Tue Mar 8 14:51:15 UTC 2011
Steven Jones wrote:
>
> I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz" |more
>
> Which returns LDAP info....that looks fine....the query looks OK....
>
> getent passwd "user" however only returns one line, not the two I should
> expect?
Why do you expect two lines? It should only return one, for that user.
>
> It also returns very fast....like it's not even looking remotely.
Is the user in /etc/passwd too?
>
> I have run authconfig-tui and that looks OK as far as I can tell....
>
> I have set cli.conf and server.conf but there are no logs anywhere I
> can find........
>
> Ideas please?
>
> Also how to get logging going so I have something to look at!!!!
Logging depends entirely on the context you are in.

For nss data (user, group, etc) you'll need to check system logs. If you
are using sssd, the default, then you can try adding debug_level = 9 to
/etc/sssd/sssd.conf in the ipa provider (domain/example.com) and restart
sssd. Watch the logs in /var/log/sssd.

Since sssd uses LDAP you can also see the queries it makes on your IPA
server in /var/log/dirsrv/slapd-REALM/access. This log is buffered.

cli.conf and server.conf are only used by the IPA management framework
(the ipa command and the webUI). The server-side log is the Apache error
log, /var/log/httpd/error_log.

So if the question is "why can't user <x> log in" or "why can't I see
user <y>" then look in the sssd error logs.

If you can't manage users using the ipa command, the Apache error log is
the place to look.

rob
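
Added example, not part of the original message and not FreeIPA code: a shell helper that runs the checks raised in this thread, namely whether the user is answered from the local passwd file and whether debug_level is set in the sssd domain section. The function names and report strings are assumptions, and /etc/nsswitch.conf is assumed to be where the passwd source order is configured.

```sh
#!/bin/sh
# Added example, not from the original thread. Function names and report
# strings are made up here; file paths default to the standard locations.
# Usage: triage USER [nsswitch.conf] [passwd] [sssd.conf]

# Print the ordered sources on the "passwd:" line of nsswitch.conf.
passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' \
        "${1:-/etc/nsswitch.conf}"
}

# Succeed if the user has an entry in the local passwd file.
in_local_passwd() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}" 2>/dev/null
}

# Print the first debug_level found in a [domain/...] section of sssd.conf,
# or "unset" when no domain section sets it.
sssd_domain_debug() {
    awk '
        /^\[/ { in_dom = ($0 ~ "^\\[domain/") }
        in_dom && /^[ \t]*debug_level[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "${1:-/etc/sssd/sssd.conf}" 2>/dev/null
}

# Say which source answers for a user and which log to read next.
triage() {
    user=$1
    sources=$(passwd_sources "$2")
    case " $sources " in
        *" sss "*) ;;
        *) echo "no-sss: passwd sources are '$sources'"; return 0 ;;
    esac
    if in_local_passwd "$user" "$3"; then
        echo "local: $user is in the local passwd file (sources: $sources)"
        return 0
    fi
    echo "sss: debug_level=$(sssd_domain_debug "$4"), see /var/log/sssd"
}
```

A "local:" result means the fast getent answer can come from the local passwd file without sssd being asked; a "sss:" result with debug_level=unset means the sssd logs will have little detail until the setting is added and sssd restarted.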