[Freeipa-users] authentication against compat

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 12 12:34:06 UTC 2014


On Wed, 12 Feb 2014, Tamas Papp wrote:
>
>On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
>> On Wed, 12 Feb 2014, Tamas Papp wrote:
>>> hi All,
>>>
>>> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
>>> ldap_bind: Referral (10)
>>>    referrals:
>>>        ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>>>
>>> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>>>
>>>
>>> System is CentOS 6.5 and LDAP was migrated from IPA 3.3 (Fedora 20).
>>> Non-compat authentication works fine and authorization against compat is
>>> also fine.
>>>
>>>
>>> What is err=10?
>> The slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
>> the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
>>
>> In older versions slapi-nis issues LDAP referral to the original LDAP
>> entry with the hope that an LDAP client would follow it and perform a
>> bind against the referral.
>>
>> Unfortunately, there is virtually no client software that supports the
>> referral on bind operation.
>>
>> In short, you cannot do an LDAP bind against the compat tree in RHEL before
>> 7.0.
>
>I forgot to mention, the client would be Ubuntu 12.04 and it
>works/worked with IPA 3.3 and F20.
It worked with IPA 3.3 because of what I wrote above -- I implemented
LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
referral to the original entry's DN.

>If I understand correctly, you're referring to the client side, are you?
No.

>Or it is true for the server side as well?
It is purely a server-side issue. slapi-nis < 0.47.5 does not support
proper authentication against the compat tree that LDAP clients understand.

-- 
/ Alexander Bokovoy
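An added example, not part of this thread or of slapi-nis: a small Python check over 389-ds access-log lines that pairs each BIND with its RESULT by (conn, op) and reports simple binds against the compat tree that the server answered with err=10 (referral), the pattern shown in the log above. The log lines, user names and suffix dc=example,dc=test are constructed sample data.

```python
import re

# Constructed sample lines in 389-ds access-log format (not from a real server).
SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=alice,cn=users,cn=compat,dc=example,dc=test" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Feb/2014:12:55:30 +0100] conn=25365 op=0 BIND dn="uid=carol,cn=users,cn=compat,dc=example,dc=test" method=128 version=3
[12/Feb/2014:12:55:30 +0100] conn=25365 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')

LDAP_REFERRAL = 10  # LDAP resultCode referral(10), what err=10 in the log means


def find_compat_bind_referrals(log_text, compat_marker="cn=compat"):
    """Return (timestamp, conn, bind_dn) for every BIND whose DN lies under the
    compat tree and whose RESULT on the same (conn, op) was err=10 (referral).
    Binds that succeed (err=0) or fail with bad credentials (err=49) are not
    reported, so this isolates the 'server sent a referral on bind' case."""
    pending = {}  # (conn, op) -> (ts, dn), BINDs still waiting for their RESULT
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (m["ts"], m["dn"])
            continue
        m = RESULT_RE.match(line)
        if m:
            bind = pending.pop((m["conn"], m["op"]), None)
            if bind and int(m["err"]) == LDAP_REFERRAL \
                    and compat_marker.lower() in bind[1].lower():
                hits.append((bind[0], m["conn"], bind[1]))
    return hits


if __name__ == "__main__":
    for ts, conn, dn in find_compat_bind_referrals(SAMPLE_LOG):
        print(f"{ts} conn={conn}: BIND against compat tree answered with referral: {dn}")
```

Run it against a real access log with `find_compat_bind_referrals(open(path).read())` to see which clients are binding through cn=compat on a server whose slapi-nis still answers with a referral.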
