[Freeipa-users] FreeIPA user can't login to linux.

Rob Crittenden rcritten at redhat.com
Fri Nov 20 14:02:35 UTC 2015


zhiyong xue wrote:
> The problem still exists after update from 4.1 to 4.2.3.

Because the problem is not in IPA, it is in how you are manually adding
entries.

Since you are now running 4.2 I'd suggest you look into using staged
users, http://www.freeipa.org/page/V4/User_Life-Cycle_Management

> Rob, how to check the missed manage entry?

A managed group needs the attribute mepManagedBy with a value of the dn
that is managing it and the objectclass mepManagedEntry.

rob

> 
> 2015-11-20 0:11 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
> 
>     zhiyong xue wrote:
>     > Rob, where can I get more error information besides the log?
>     > [16/Nov/2015:02:52:59 +0000] managed-entries-plugin - mep_del_post_op:
>     > failed to delete managed entry
>     > (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
> 
>     I can still only assume what you're doing: manually adding the entries
>     directly by LDAP. To do this you need to follow IPA conventions, or use
>     the new user lifecycle framework added in 4.2.
> 
>     I'm guessing it can't delete the managed entry because either it doesn't
>     exist or it is missing an objectclass/attribute marking it as managed.
> 
>     rob
> 
>     >
>     > 2015-11-16 13:43 GMT+08:00 zhiyong xue <xuezhiy at gmail.com>:
>     >
>     >     I am using IPA 4.1 in CentOS7.  And I can login to system after "id
>     >     syncopex5", maybe it's a cache problem.
>     >
>     >     2015-11-16 11:24 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>     >
>     >         zhiyong xue wrote:
>     >         > We integrated the Apache Syncope server with FreeIPA server. So user can
>     >         > self register ID from Apache Syncope then synchronize to FreeIPA. The
>     >         > problems are:
>     >         > *1) User created from Apache Syncope can't login to linux. The user
>     >         > created from FreeIPA web gui works well.*
>     >
>     >         For login issues see
>     >         https://fedorahosted.org/sssd/wiki/Troubleshooting
>     >         This is unlikely to fix things but it will help with later
>     >         debugging.
>     >
>     >         This likely revolves around how you are creating these accounts. We'll
>     >         need information on what you're doing. The more details the better.
>     >
>     >         > *2) The user also can't be deleted from web UI and CLI. It said
>     >         > "syncopex5: user not found".*
>     >
>     >         Again, you probably aren't creating the users correctly.
>     >
>     >         I can only assume that you are creating the users directly via an LDAP
>     >         add. This is working around the IPA framework which does additional work.
>     >
>     >         Knowing what version of IPA this is would help too.
>     >
>     >         You'll probably also want to read this:
>     >         http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
>     >         IPA 4.2.
>     >
>     >         rob
>     >
>     >
>     >
> 
> 
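The check described in the reply above for a managed group (objectclass mepManagedEntry plus a mepManagedBy value), as an added example that is not part of the original thread and is not FreeIPA's own code: it parses an LDIF export of group entries and lists which of the two markers each entry lacks. The sample entries, their DNs and the function names are constructed for illustration.

```python
import base64

# Constructed sample (not taken from the thread's directory): two groups as an
# LDIF export would show them. The first carries both managed-entry markers;
# the second looks like a group written by a direct LDAP add.
SAMPLE_LDIF = """\
dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: mepManagedEntry
cn: alice
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=example,
 dc=com

dn: cn=syncopex5,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
cn: syncopex5
"""

def parse_ldif(text):
    """Yield one {attr_lowercase: [values]} dict per LDIF record."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def managed_group_problems(text):
    """Map each entry DN to the managed-entry markers it lacks."""
    report = {}
    for entry in parse_ldif(text):
        problems = []
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        if "mepmanagedentry" not in classes:
            problems.append("missing objectclass mepManagedEntry")
        if not any(entry.get("mepmanagedby", [])):
            problems.append("missing mepManagedBy")
        report[entry["dn"][0]] = problems
    return report

if __name__ == "__main__":
    for dn, problems in managed_group_problems(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
```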



