[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Rich Megginson rmeggins at redhat.com
Wed Oct 17 18:05:37 UTC 2012


On 10/17/2012 11:51 AM, Macklin, Jason wrote:
> I assume that this iteration was with the correct credentials as it responds with something other than "Invalid Credentials"
>
> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
> Enter LDAP Password:
> No such object (32)
>
> Working account returns same thing...
>
> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=jmacklin \* krbPwdLockoutDuration ?
> Enter LDAP Password:
> No such object (32)

Sorry, I thought ipa would have configured your /etc/openldap/ldap.conf
with your base dn.  Try this:

ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=jmacklin \*
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, October 17, 2012 1:37 PM
> To: Macklin, Jason {DASB~Branford}
> Cc: rmeggins at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>
> Macklin, Jason wrote:
>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>>
>> I know this user password because I reset it for the purpose of troubleshooting this issue with that account. I also get the same response when I use the admin account of my own account.
> You use the password of the user you are binding as, in this case the directory manager.
>
> rob
>
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Wednesday, October 17, 2012 1:15 PM
>> To: Macklin, Jason {DASB~Branford}
>> Cc: simo at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>>
>> On 10/17/2012 11:13 AM, Macklin, Jason wrote:
>>> None of my users have an LDAP password being requested by running that command (except the admin user).
>>>
>>> Does each user account require an ldap account to go along with their login account?  I just get the following over and over no matter which account I switch in the command...
>>>
>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=admin \* krbPwdLockoutDuration ?
>>> Enter LDAP Password:
>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>>> Enter LDAP Password:
>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=jmacklin \* krbPwdLockoutDuration ?
>>> Enter LDAP Password:
>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>> You have to specify which server to talk to using the -H ldap://fqdn.of.host option.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>




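An added bash example, not code from the thread or from FreeIPA, that turns the advice in this exchange into reusable checks: it derives the base DN from the server's domain the way the suggested -b value above was derived, prefers a BASE line from an ldap.conf-style file when one exists, and maps the three ldapsearch errors seen in the thread to the option that needs attention. The config path and sample values passed in are constructed.

```bash
#!/usr/bin/env bash
# Added example: helpers for the three ldapsearch failures seen in the thread
# (missing -H, wrong bind password, missing -b base DN).

# dbduvdu145.dbr.roche.com -> dc=dbr,dc=roche,dc=com
basedn_from_host() {
    local fqdn=$1 domain dn="" label
    domain=${fqdn#*.}                      # drop the host label, keep the domain
    [ "$domain" = "$fqdn" ] && return 1    # bare hostname: nothing to derive from
    local IFS=.
    for label in $domain; do
        dn="${dn:+$dn,}dc=$label"
    done
    printf '%s\n' "$dn"
}

# Prefer BASE from an ldap.conf-style file (path is an assumption); otherwise
# fall back to deriving it from the server's FQDN.
resolve_basedn() {
    local conf=$1 fqdn=$2 base
    base=$(awk 'toupper($1)=="BASE" {print $2; exit}' "$conf" 2>/dev/null || true)
    if [ -n "$base" ]; then
        printf '%s\n' "$base"
        return 0
    fi
    basedn_from_host "$fqdn"
}

# Map ldapsearch's error text to the option to check first.
classify_ldap_error() {
    case $1 in
        *"Can't contact LDAP server"*) echo "missing or wrong -H ldap://fqdn" ;;
        *"Invalid credentials"*)        echo "wrong password for the -D bind DN" ;;
        *"No such object"*)             echo "missing or wrong -b base DN" ;;
        *)                              echo "unrecognised"; return 1 ;;
    esac
}

# Assemble the search command the reply suggests, with an explicit base DN.
ldapsearch_cmd() {
    local fqdn=$1 base=$2 uid=$3
    printf 'ldapsearch -xLLL -H ldap://%s -D "cn=directory manager" -W -b "%s" uid=%s \\*\n' \
        "$fqdn" "$base" "$uid"
}
```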