[Freeipa-users] FreeIPA user can't login to linux.
zhiyong xue
xuezhiy at gmail.com
Tue Nov 17 02:15:12 UTC 2015
I queried a new user, syncopex8; it was likewise created from the Apache Syncope server.
*The output of command "ldapsearch -x -h localhost -b dc=example,dc=com
uid=syncopex8":*
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=syncopex8
# requesting: ALL
#
# syncopex8, users, compat, example.com
dn: uid=syncopex8,cn=users,cn=compat,dc=example,dc=com
cn: x8syncope
objectClass: posixAccount
objectClass: top
gidNumber: 657600044
gecos: x8syncope
uidNumber: 657600044
loginShell: /bin/sh
homeDirectory: /home/syncopex8
uid: syncopex8
# syncopex8, users, accounts, example.com
dn: uid=syncopex8,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
cn: x8syncope
displayName: x8syncope
uid: syncopex8
gecos: x8syncope
uidNumber: 657600044
gidNumber: 657600044
loginShell: /bin/sh
homeDirectory: /home/syncopex8
sn: syncope
givenName: x8
initials: xs
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
*The output of command "ldapsearch -x -h localhost -b dc=example,dc=com
cn=syncopex8":*
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=syncopex8
# requesting: ALL
#
# syncopex8, groups, compat, example.com
dn: cn=syncopex8,cn=groups,cn=compat,dc=example,dc=com
gidNumber: 657600044
objectClass: posixGroup
objectClass: top
cn: syncopex8
# syncopex8, groups, accounts, example.com
dn: cn=syncopex8,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: syncopex8
gidNumber: 657600044
description: User private group for syncopex8
mepManagedBy: uid=syncopex8,cn=users,cn=accounts,dc=example,dc=com
ipaUniqueID: 1c07557c-8cce-11e5-8f72-fa163e630e3d
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
*The output of command "ipa user-show syncopex8 --raw --all":*
dn: uid=syncopex8,cn=users,cn=accounts,dc=example,dc=com
uid: syncopex8
givenname: x8
sn: syncope
cn: x8syncope
initials: xs
homedirectory: /home/syncopex8
gecos: x8syncope
loginshell: /bin/sh
mail: x8@example.com
uidnumber: 657600044
gidnumber: 657600044
nsaccountlock: FALSE
has_password: TRUE
has_keytab: TRUE
displayName: x8syncope
ipaUniqueID: 1bffe8b4-8cce-11e5-8f72-fa163e630e3d
krbExtraData: AALHiEpWcm9vdC9hZG1pbkBCTVguSUJNLkNPTQA=
krbLastPwdChange: 20151117015415Z
krbPasswordExpiration: 20151117015415Z
krbPrincipalName: syncopex8@EXAMPLE.COM
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
mepManagedEntry: member=syncopex8,cn=groups,cn=accounts,dc=example,dc=com
mepManagedEntry: cn=syncopex8,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
*The output of command "ipa group-show syncopex8 --raw --all":*
dn: cn=syncopex8,cn=groups,cn=accounts,dc=example,dc=com
cn: syncopex8
description: User private group for syncopex8
gidnumber: 657600044
ipaUniqueID: 1c07557c-8cce-11e5-8f72-fa163e630e3d
mepManagedBy: uid=syncopex8,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
2015-11-16 17:49 GMT+08:00 Tomas Babej <tbabej at redhat.com>:
> Can you provide a result of a LDAP search run on that entry? As Rob
> points out, you're probably creating the user in a manner that bypasses
> the framework.
>
> Tomas
>
> On 11/16/2015 06:43 AM, zhiyong xue wrote:
> > I am using IPA 4.1 on CentOS 7. And I can log in to the system after "id
> > syncopex5"; maybe it's a cache problem.
> >
> > 2015-11-16 11:24 GMT+08:00 Rob Crittenden <rcritten at redhat.com
> > <mailto:rcritten at redhat.com>>:
> >
> > zhiyong xue wrote:
> > > We integrated the Apache Syncope server with the FreeIPA server, so
> > > users can self-register an ID from Apache Syncope and then synchronize
> > > it to FreeIPA. The problems are:
> > > *1) A user created from Apache Syncope can't log in to Linux. A user
> > > created from the FreeIPA web GUI works well.*
> >
> > For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
> > This is unlikely to fix things but it will help with later debugging.
> >
> > This likely revolves around how you are creating these accounts. We'll
> > need information on what you're doing. The more details the better.
> >
> > > *2) The user also can't be deleted from the web UI or the CLI. It said
> > > "syncopex5: user not found".*
> >
> > Again, you probably aren't creating the users correctly.
> >
> > I can only assume that you are creating the users directly via an LDAP
> > add. This is working around the IPA framework, which does additional
> > work.
> >
> > Knowing what version of IPA this is would help too.
> >
> > You'll probably also want to read this:
> > http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> > IPA 4.2.
> >
> > rob
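The thread's diagnostic loop is "dump the entry with ldapsearch and look for what the IPA framework would have set". The script below is an added example, not code from this thread or from FreeIPA: it parses LDIF of the kind printed above, picks the cn=accounts entry for a login name, and reports the things an entry created by a raw LDAP add typically lacks (IPA objectClasses, a krbPrincipalName), plus two conditions that block login even on a well-formed entry: nsAccountLock=TRUE, and krbPasswordExpiration not later than krbLastPwdChange, which is how FreeIPA marks a password set by someone other than the user as expired so it must be changed at first login. The embedded SAMPLE_LDIF is constructed for the example; it merges attributes from the thread's ldapsearch and ipa user-show output rather than being a capture.

```python
"""Sanity-check a FreeIPA user entry from LDIF text (added example, not FreeIPA code)."""
import base64
import re
import sys
from datetime import datetime, timezone

# Constructed sample mirroring the thread's output (not a real capture).
SAMPLE_LDIF = """\
# extended LDIF
#
# base <dc=example,dc=com> with scope subtree
# filter: uid=syncopex8
#

# syncopex8, users, compat, example.com
dn: uid=syncopex8,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
objectClass: top
uidNumber: 657600044
gidNumber: 657600044
uid: syncopex8

# syncopex8, users, accounts, example.com
dn: uid=syncopex8,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetuser
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: ipaobject
objectClass: mepOriginEntry
uid: syncopex8
cn:: eDhzeW5jb3Bl
uidNumber: 657600044
gidNumber: 657600044
homeDirectory: /home/syncopex8
loginShell: /bin/sh
krbPrincipalName: syncopex8@EXAMPLE.COM
krbLastPwdChange: 20151117015415Z
krbPasswordExpiration: 20151117015415Z
nsAccountLock: FALSE

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")
# objectClasses every framework-created IPA user carries (from the thread's entry).
REQUIRED_CLASSES = {"posixaccount", "krbprincipalaux", "ipaobject", "inetuser"}


def parse_ldif(text):
    """Return a list of entries as {attr_lowercase: [values]}.
    Handles '#' comments, folded continuation lines and base64 ('::') values;
    blocks without a dn (the ldapsearch trailer) are dropped."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines with a leading space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        entry = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if not m or line.startswith("#"):
                continue
            attr, sep, value = m.group(1).lower(), m.group(2), m.group(3).strip()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(attr, []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries


def ldap_time(value):
    """Parse a GeneralizedTime such as 20151117015415Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_user_entry(entry):
    """Findings for one cn=accounts user entry; empty list means nothing obvious."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    missing = REQUIRED_CLASSES - classes
    if missing:
        findings.append("missing objectClasses: " + ", ".join(sorted(missing)))
    if "krbprincipalname" not in entry:
        findings.append("no krbPrincipalName, so Kerberos authentication cannot work")
    if entry.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE":
        findings.append("account is locked (nsAccountLock=TRUE)")
    last, exp = entry.get("krblastpwdchange"), entry.get("krbpasswordexpiration")
    if last and exp and ldap_time(exp[0]) <= ldap_time(last[0]):
        findings.append("password expired at creation; user must change it before login")
    return findings


def audit(ldif_text, login):
    """Locate the cn=accounts entry for `login` and check it."""
    for e in parse_ldif(ldif_text):
        if "cn=accounts," in e["dn"][0].lower() and login.lower() in [u.lower() for u in e.get("uid", [])]:
            return check_user_entry(e)
    return [f"no entry for uid={login} under cn=accounts"]


if __name__ == "__main__":
    # Usage: ldapsearch -x -b dc=example,dc=com uid=syncopex8 | python3 ipa_user_check.py syncopex8
    login = sys.argv[1] if len(sys.argv) > 1 else "syncopex8"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for finding in audit(text, login) or ["no obvious problem in the LDAP entry"]:
        print(f"{login}: {finding}")
```

Run it against live output by piping ldapsearch into it (the file name and the login argument are this example's own convention). The compat entry is a read-only view generated from cn=accounts, so it is ignored; an entry that exists only in the compat tree would simply be reported as missing.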