[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Macklin, Jason jason.macklin at roche.com
Wed Oct 17 17:21:39 UTC 2012


ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

I know this user's password because I reset it for the purpose of troubleshooting this issue with that account. I also get the same response when I use the admin account or my own account.

-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com] 
Sent: Wednesday, October 17, 2012 1:15 PM
To: Macklin, Jason {DASB~Branford}
Cc: simo at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

On 10/17/2012 11:13 AM, Macklin, Jason wrote:
> None of my users have an LDAP password being requested by running that command (except the admin user).
>
> Does each user account require an ldap account to go along with their login account?  I just get the following over and over no matter which account I switch in the command...
>
> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=admin \* krbPwdLockoutDuration ?
> Enter LDAP Password:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
> Enter LDAP Password:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=jmacklin \* krbPwdLockoutDuration ?
> Enter LDAP Password:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
You have to specify which server to talk to using the -H ldap://fqdn.of.host option.



