[Freeipa-users] Oracle Linux 5.5 - Legacy Question

Jeffrey Stormshak jstormshak at cccis.com
Tue Dec 1 10:45:02 UTC 2015


Looks like I needed to try a couple of options for the /etc/ldap.conf file.  Eventually, the original line of ‘pam_password md5’ seemed to be causing the error message.  I commented it out and I’ll assume by doing so that it’s using ‘clear text’ for the LDAP call.  I’m using SSL/TLS so I’ll try a few other options to the ‘pam_password’.  If this is the only way to get it to work, then I’ll take what I can here …

What options for legacy clients do the members of this group use or recommend?

I also want to thank everyone here for all of the help getting my legacy clients functioning to date !!

Jeffrey Stormshak, RHCSA | Sr. Linux Engineer
Platform Systems | IT Operations Infrastructure
CCC Information Services, Inc.
Phone: (312) 229-2552

From: Jeffrey Stormshak <jstormshak at cccis.com>
Date: Monday, November 30, 2015 at 12:34 PM
To: Jeffrey Stormshak <jstormshak at cccis.com>, Alexander Bokovoy <abokovoy at redhat.com>
Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Alex/Group ---
I’ve implemented the ipa-advise script and authentication worked as expected on the legacy 5.5 client.  Although I continue to get closer, there’s another bump in the road here.  Has anyone experienced this error and could provide some areas to review to correct it?  Please advise – Thanks for the continual help here !!

$ passwd
Changing password for user pmoss.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
Pre-Encoded passwords are not valid

passwd: Permission denied


From: freeipa-users-bounces at redhat.com On Behalf Of Jeffrey Stormshak
Sent: Tuesday, November 24, 2015 4:40 PM
To: Alexander Bokovoy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Alex -
Thank you for the details!!

For right now, I’m using the IPA Server as a standalone Linux domain controller/server without any AD integration.  This allows testing to prove that this could work with a large number of 5.5 clients in the enterprise to date.

On the question being proposed …
> You haven't answered earlier when people asked whether you are using
> cn=compat tree because you need to get information about Active
> Directory users or not.

ANSWER:
Yes.  I’m trying to achieve full integration with AD but I’m only at the point where I started testing this in a standalone Linux mode.  I was trying to see if these legacy 5.5 clients were even possible to configure and to work here as specified.

I’ll review the IPA tools for better understanding here.

Jeffrey Stormshak, RHCSA | Sr. Linux Engineer
Platform Systems | IT Operations Infrastructure
CCC Information Services, Inc.
Phone: (312) 229-2552

From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tuesday, November 24, 2015 at 7:57 AM
To: Jeffrey Stormshak <jstormshak at cccis.com>
Cc: Jakub Hrozek <jhrozek at redhat.com>, Rob Crittenden <rcritten at redhat.com>, "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

On Tue, 24 Nov 2015, Jeffrey Stormshak wrote:
> I went to review the ‘ip_provider’ and that looks like a ‘sssd.conf’
> setting.  The sssd RPM isn’t located on the 5.5 clients; nor is it in
> the YUM Channels for 5.5 base and 5.5 patch.  So is the recommendation
> here to find any 5.X version of sssd RPM and use that for this
> configuration?  Sorry, being a newbie on this product realistically
> isn’t helping here I’m sure …
>
> The ipa-advise, is that part of the ipa-client RPM?  That too doesn’t
> exist on the 5.5 distribution as well.  Even the version required to
> fix the openssl only worked with the 5.7 base version.  Am I completely
> doomed for 5.5?  Cards are stacked for sure.  Nonetheless …
ipa-advise is a tool on the IPA server that provides recipes for how to
configure different clients for typical scenarios involving trust to
AD.

Read the manual for the tool to get more information.

For legacy clients where there is no recent enough SSSD to support trust
to AD natively, ipa-advise recommends using the schema compatibility plugin
to expose both IPA and AD users under the same LDAP tree. This is what you
see in cn=users,cn=compat,dc=example,dc=com. If you see cn=compat in the
LDAP base DN, you know you are looking into the compatibility tree.

The compatibility tree is handled by a special plugin which combines data
from the primary IPA tree (cn=accounts,dc=example,dc=com) and from SSSD
on the IPA server. It also exposes the ou=SUDOers subtree to allow the SUDO
application to work with sudo rules stored in IPA LDAP (they are not in
the same format as SUDO itself expects, thus the _compatibility_ subtree).

> I feel so close though…  Auth and Sudo works on 5.5 but something as
> simple as users changing passwords seems so simple to provide?
Finally, password changes are not supported in the cn=compat subtree. This
is simply not implemented by the schema compatibility plugin.

You haven't answered earlier when people asked whether you are using
cn=compat tree because you need to get information about Active
Directory users or not. If you don't need integration with Active
Directory, change LDAP base DN in your configuration to
cn=accounts,dc=example,dc=com, to point your clients to the primary IPA
subtree where all users and groups are available. That subtree is the
main one and we do support password changes for DNs in it.

--
/ Alexander Bokovoy
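The two settings this thread turns on, the base DN pointing into cn=compat (where, as Alexander explains above, the schema compatibility plugin does not implement password changes) and the `pam_password md5` line the original poster found was triggering the "Pre-Encoded passwords are not valid" constraint violation, can both be checked from the client side. The script below is an added example, not something from the thread or the FreeIPA project: it audits a pam_ldap/nss_ldap style /etc/ldap.conf for those two conditions. The sample configuration it creates is constructed (the hostname, CA path and DNs are placeholders, not the poster's real file), and the names `base_tree`, `pam_password_mode` and `audit_ldap_conf` are the example's own. With `md5`, pam_ldap hashes the new password locally and sends the pre-encoded value, which the IPA directory rejects; `exop` (the RFC 3062 password modify operation) or `clear` hands the plaintext to the server to hash, which is why the connection must stay on SSL/TLS as the poster already has it.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a pam_ldap/nss_ldap
# /etc/ldap.conf for the two problems discussed above.  The sample
# config written at the bottom is constructed; the poster's real file
# is not on the page.

# Print which IPA subtree the "base" directive points at:
#   accounts - primary tree (cn=accounts), password changes supported
#   compat   - compatibility tree (cn=compat), password changes not
#              implemented by the schema compatibility plugin
#   unknown  - no base line, or not an IPA-style DN
# Commented-out lines never match because their first field starts with '#'.
base_tree() {
    base=$(awk 'tolower($1) == "base" { v = $2 } END { print v }' "$1")
    case "$base" in
        *cn=compat,*)   echo compat ;;
        *cn=accounts,*) echo accounts ;;
        *)              echo unknown ;;
    esac
}

# Print how pam_ldap will send a new password when a user runs "passwd":
#   server-hash - exop or clear: the plaintext goes to the server over the
#                 (TLS-protected) connection and the server hashes it
#   pre-hashed  - md5 or crypt: the client hashes first, and the IPA
#                 directory rejects it ("Pre-Encoded passwords are not valid")
#   other       - a mode for non-IPA directories (ad, nds, racf, ...)
#   unset       - no active pam_password line
pam_password_mode() {
    mode=$(awk 'tolower($1) == "pam_password" { v = tolower($2) } END { print v }' "$1")
    case "$mode" in
        exop|clear) echo server-hash ;;
        md5|crypt)  echo pre-hashed ;;
        "")         echo unset ;;
        *)          echo other ;;
    esac
}

# Run both checks on one file; returns 1 if either finding needs attention.
audit_ldap_conf() {
    cfg="$1"; rc=0
    tree=$(base_tree "$cfg")
    mode=$(pam_password_mode "$cfg")
    echo "$cfg: base -> $tree, pam_password -> $mode"
    if [ "$tree" = compat ]; then
        echo "  base DN is under cn=compat: password changes are not supported there;"
        echo "  point base at cn=accounts,... unless AD users must be visible via compat"
        rc=1
    fi
    if [ "$mode" = pre-hashed ]; then
        echo "  pam_password hashes locally, so the server sees a pre-encoded value;"
        echo "  use 'pam_password exop' (or clear) and keep ssl on so TLS protects it"
        rc=1
    fi
    return $rc
}

# Constructed sample resembling the failing setup from the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
uri ldaps://ipa.example.com/
base cn=users,cn=compat,dc=example,dc=com
ssl on
tls_cacertfile /etc/ipa/ca.crt
pam_password md5
EOF

# The same file after the two fixes discussed above.
FIXED=$(mktemp)
sed -e 's/^base .*/base cn=accounts,dc=example,dc=com/' \
    -e 's/^pam_password .*/pam_password exop/' "$SAMPLE" > "$FIXED"

audit_ldap_conf "$SAMPLE" || echo "  -> changes needed"
audit_ldap_conf "$FIXED"  || echo "  -> changes needed"
rm -f "$SAMPLE" "$FIXED"
```

Running it on a real client is `audit_ldap_conf /etc/ldap.conf`; the first constructed sample reports both findings and the second reports none. Pointing base at cn=accounts is only the right fix when the client does not need the AD users that the compatibility tree exposes, which is the question Alexander asks above.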
