[Freeipa-users] authentication against compat

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 12 12:07:45 UTC 2014


On Wed, 12 Feb 2014, Tamas Papp wrote:
>hi All,
>
>$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
>ldap_bind: Referral (10)
>    referrals:
>        ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>
>[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
>[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
>[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>
>
>System is CentOS 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
>Non-compat authentication works fine and authorization against compat is
>also fine.
>
>
>What is err=10?
The slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

In older versions slapi-nis issues an LDAP referral to the original LDAP
entry with the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports the
referral on a bind operation.

In short, you cannot do an LDAP bind against the compat tree in RHEL before
7.0.


-- 
/ Alexander Bokovoy
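
Added example, not part of the original thread: a small Python check that scans a 389-ds access log for the pattern discussed above, a BIND on a cn=compat DN answered with err=10 (referral), so that clients still configured to bind against the compat tree can be found. The function names and the compat-to-accounts DN mapping are assumptions taken from the referral shown in the question; the sample lines are constructed from the thread's log excerpt.

```python
import re

# 389-ds access log: a BIND line and its RESULT line share the same
# conn= and op= numbers, so the two are paired on (conn, op).
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
LDAP_REFERRAL = 10  # LDAP resultCode "referral", shown as "Referral (10)"


def compat_bind_referrals(lines):
    """Return (conn, dn) for every BIND on a cn=compat DN answered with err=10."""
    pending = {}  # (conn, op) -> bind DN still waiting for its RESULT line
    hits = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue  # connection open/close lines and other operations
        dn = pending.pop((m.group(1), m.group(2)), None)
        if dn is None:
            continue  # RESULT of an operation other than BIND
        # Naive RDN split: enough for uid/cn values without escaped commas.
        rdns = [rdn.strip().lower() for rdn in dn.split(",")]
        if int(m.group(3)) == LDAP_REFERRAL and "cn=compat" in rdns:
            hits.append((int(m.group(1)), dn))
    return hits


def primary_dn(compat_dn):
    """Assumed mapping, taken from the referral in the thread:
    cn=users,cn=compat,<suffix> -> cn=users,cn=accounts,<suffix>."""
    return re.sub(r"(?i),cn=users,cn=compat,", ",cn=users,cn=accounts,",
                  compat_dn, count=1)


# Constructed sample: the thread's log lines with the mail wrapping undone,
# followed by one constructed bind against the primary tree for contrast.
TS = "[12/Feb/2014:12:54:15 +0100]"
SAMPLE = [
    TS + " conn=25363 fd=79 slot=79 connection from ::1 to ::1",
    TS + ' conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3',
    TS + " conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0",
    TS + " conn=25363 op=-1 fd=79 closed - B1",
    TS + ' conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3',
    TS + " conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0",
]
```

Passing each reported DN to `primary_dn` gives the bind DN to configure on the client instead, matching the referral target the server returned.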