[Freeipa-users] Question about ipa user accounts and the compat container

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 13 06:12:21 UTC 2017


On su, 12 maalis 2017, Robert Johnson wrote:
>On Sun, Mar 12, 2017 at 4:45 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On su, 12 maalis 2017, Robert Johnson wrote:
>>
>>> Sorry, I should have given some more information. We are trying to allow
>>> the
>>> users from the trusted Windows domain to log in to the Solaris client, and
>>> the only way I have found to have this work is by using the
>>> cn=compat,$SUFFIX for the passwd, as this will force the LDAP client to
>>> use the slapi plugin on the IPA server.  This required using ldapclient
>>> manual on the Solaris system instead of the default profile (which uses
>>> cn=accounts for passwd).
>>>
>>> ex:
>>> ldapclient list for default profile shows: (supports IPA users just fine)
>>> NS_LDAP_SEARCH_BASEDN= $SUFFIX
>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,$SUFFIX
>>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>>>
>>> ldaplist list for my manual profile shows: (supports windows users just
>>> fine)
>>> NS_LDAP_SEARCH_BASEDN= $SUFFIX
>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,$SUFFIX
>>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,$SUFFIX
>>>
>>> What we were trying to do is also allow IPA-created users to log in to the
>>> Solaris client in addition to the Windows users.  This is where I started
>>> to run into problems with the pam_ldap module, as it was detecting the
>>> duplicate entries from the "bug" above.
>>>
>> Thanks for the details.
>>
>> So, why don't you set NS_LDAP_SEARCH_BASEDN = cn=compat,$SUFFIX?
>>
>
>I tried that and I still see the same issue. I believe the problem is that
>the duplicate entries are located in the cn=users,cn=compat tree.  The LDAP
>client on the Solaris system isn't seeing any of the users in the
>cn=accounts tree.  I think this is all related to the bug above, because
>when I perform the ldapsearch on the compat tree, I am seeing double
>entries for my IPA users.
I'm lost here: if you set NS_LDAP_SEARCH_BASEDN and the other bases to
cn=compat,$SUFFIX only, your Solaris client sees duplicate entries in
cn=compat,$SUFFIX?

Sorry, it would really help if you could be more detailed in your
explanations. If you are setting up the Solaris LDAP client to always look
into cn=compat,$SUFFIX, then how is cn=accounts,$SUFFIX being searched?

Can you show 389-ds access log entries that demonstrate these searches?

-- 
/ Alexander Bokovoy
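The request above is for 389-ds access log entries showing which base the Solaris client actually searches and how many entries come back. As an added example (not code from the thread or from the FreeIPA project), the script below correlates SRCH and RESULT lines by conn/op, tallies the search bases used, and flags uid lookups that returned more than one entry, which is the duplicate condition pam_ldap trips over. The log lines are constructed to follow the 389-ds access log layout; the suffix dc=example,dc=test, the connection numbers and the user names are placeholders, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access log format (not taken from the thread).
# SRCH lines carry base/scope/filter, RESULT lines carry nentries, and the
# conn/op pair ties a RESULT to the operation it answers.
SAMPLE_LOG = """\
[13/Mar/2017:06:10:01 +0000] conn=42 op=1 BIND dn="" method=128 version=3
[13/Mar/2017:06:10:01 +0000] conn=42 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[13/Mar/2017:06:10:02 +0000] conn=42 op=2 SRCH base="cn=users,cn=compat,dc=example,dc=test" scope=1 filter="(&(objectClass=posixAccount)(uid=rjohnson))" attrs="uid uidNumber gidNumber gecos homeDirectory loginShell"
[13/Mar/2017:06:10:02 +0000] conn=42 op=2 RESULT err=0 tag=101 nentries=2 etime=0
[13/Mar/2017:06:10:03 +0000] conn=42 op=3 SRCH base="cn=users,cn=compat,dc=example,dc=test" scope=1 filter="(&(objectClass=posixAccount)(uid=aduser@ad.test))" attrs="uid uidNumber gidNumber"
[13/Mar/2017:06:10:03 +0000] conn=42 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2017:06:10:04 +0000] conn=43 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=1 filter="(&(objectClass=posixAccount)(uid=rjohnson))" attrs="uid"
[13/Mar/2017:06:10:04 +0000] conn=43 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')
UID_RE = re.compile(r'\(uid=([^)]*)\)')


def correlate_searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op).

    Returns a list of dicts with base, scope, filter, err and nentries.
    RESULT lines for non-search operations (e.g. the BIND, tag=97) have
    no pending SRCH and are skipped.
    """
    pending = {}
    searches = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            pending[(conn, op)] = {
                "conn": int(conn), "op": int(op), "base": base,
                "scope": int(scope), "filter": filt,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, _tag, nentries = m.groups()
            srch = pending.pop((conn, op), None)
            if srch is None:
                continue
            srch["err"] = int(err)
            srch["nentries"] = int(nentries)
            searches.append(srch)
    return searches


def bases_used(searches):
    """Count how often each search base was hit; answers 'which tree is
    the client really searching?'"""
    counts = defaultdict(int)
    for s in searches:
        counts[s["base"]] += 1
    return dict(counts)


def duplicate_uid_lookups(searches):
    """A uid-keyed lookup that returns more than one entry is the
    duplicate condition that pam_ldap rejects. Returns (uid, base, n)."""
    dups = []
    for s in searches:
        m = UID_RE.search(s["filter"])
        if m and s["nentries"] > 1:
            dups.append((m.group(1), s["base"], s["nentries"]))
    return dups


if __name__ == "__main__":
    found = correlate_searches(SAMPLE_LOG)
    for base, n in bases_used(found).items():
        print(f"{n} search(es) against {base}")
    for uid, base, n in duplicate_uid_lookups(found):
        print(f"uid={uid} returned {n} entries under {base}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the bases tally shows whether the client is still querying cn=accounts despite the profile, and the duplicate list names the uids that resolve to more than one entry under the compat tree.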