[Freeipa-users] authentication against compat

Petr Spacek pspacek at redhat.com
Wed Feb 12 14:04:24 UTC 2014


On 12.2.2014 15:01, Tamas Papp wrote:
>
> On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
>> On Wed, 12 Feb 2014, Tamas Papp wrote:
>>>
>>> On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
>>>> On Wed, 12 Feb 2014, Tamas Papp wrote:
>>>>> hi All,
>>>>>
>>>>> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
>>>>> `cat pw`
>>>>> ldap_bind: Referral (10)
>>>>>     referrals:
>>>>>         ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>>>>>
>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
>>>>> ::1 to ::1
>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
>>>>> dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
>>>>> nentries=0 etime=0
>>>>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>>>>>
>>>>>
>>>>> System is CentOS 6.5 and LDAP was migrated from IPA 3.3 (Fedora 20).
>>>>> Non-compat authentication works fine and authorization against
>>>>> compat is also fine.
>>>>>
>>>>>
>>>>> What is err=10?
>>>> slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
>>>> compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
>>>>
>>>> In older versions slapi-nis issues LDAP referral to the original LDAP
>>>> entry with the hope that an LDAP client would follow it and perform a
>>>> bind against the referral.
>>>>
>>>> Unfortunately, there is virtually no client software that supports the
>>>> referral on bind operation.
>>>>
>>>> In short, you cannot do LDAP bind against compat tree in RHEL before
>>>> 7.0.
>>>
>>> I forgot to mention, the client would be Ubuntu 12.04 and it
>>> works/worked with IPA 3.3 and F20.
>> It worked with IPA 3.3 because of what I wrote above -- I implemented
>> LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
>> referral to the original entry's DN.
>>
>>> If I understand correctly, you're referring to the client side, aren't you?
>> No.
>>
>>> Or it is true for the server side as well?
>> It is purely a server-side issue. slapi-nis < 0.47.5 does not support
>> proper authentication against the compat tree that LDAP clients understand.
>
> Actually I'd like to authenticate shell users on Ubuntu.
>
> For the record, I figured out that switching from nscd to nslcd did the
> trick.

BTW, why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is ...
obsolete. SSSD has some very nice features like off-line cache etc.

-- 
Petr^2 Spacek
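An added example, not part of the thread: a small Python script that scans a 389-ds access log for simple binds against the compat tree that were answered with err=10 (referral), which is exactly the pattern in the log lines quoted above. The log text it contains is constructed from the thread's sample plus a made-up second connection (conn=25364) that binds against cn=accounts and succeeds.

```python
import re

# Constructed sample of 389-ds access log lines, modelled on the thread's
# quote: conn=25363 binds against the compat tree and gets err=10 (referral);
# conn=25364 is a made-up control that binds against cn=accounts and succeeds.
SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
LDAP_REFERRAL = 10  # LDAP result code "referral", logged as err=10


def is_in_tree(dn, rdn="cn=compat"):
    """True if the DN contains the given RDN as one of its components.
    Naive split on ',' (escaped commas are not handled); enough for IPA DNs."""
    return any(part.strip().lower() == rdn for part in dn.split(","))


def find_compat_bind_referrals(log_text, compat_rdn="cn=compat"):
    """Return (conn, dn) pairs for BIND operations against the compat tree
    whose RESULT was err=10, i.e. slapi-nis answered with a referral instead
    of authenticating. BIND and RESULT lines are matched on (conn, op)."""
    pending = {}  # (conn, op) -> bind DN, until the matching RESULT arrives
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn and int(err) == LDAP_REFERRAL and is_in_tree(dn, compat_rdn):
                hits.append((conn, dn))
    return hits


if __name__ == "__main__":
    for conn, dn in find_compat_bind_referrals(SAMPLE_LOG):
        print(f"conn={conn}: bind against compat tree got a referral: {dn}")
```

Run it against /var/log/dirsrv/slapd-*/access to list the clients that still try to bind against the compat tree on a server whose slapi-nis does not support it.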
