[Freeipa-users] Re: mod_authz_ldap authentication against ipa
Rob Crittenden
rcritten at redhat.com
Tue Oct 21 21:13:49 UTC 2008
Ivan Levchenko wrote:
> On Tue, Oct 14, 2008 at 4:34 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> This should work. It appears that your password is wrong (or missing).
>>
>> Can you verify that you have an LDAP password attribute set on this entry?
>>
>> ldapsearch -x -W -D "cn=directory manager" -b "dc=example,dc=com" uid=ivan userPassword
>>
>> You might also try changing your password to see if that helps. We have a
>> plugin that is supposed to keep the kerberos principal password and the
>> basic auth password the same.
>>
>> As Simo mentioned, you can alternatively use mod_auth_kerb for kerberos
>> auth.
>>
>> rob
>>
>
> That query doesn't return anything. I have already changed the
> password for my user twice.. so that doesn't help.. any way to
> manually make ldap and kerberos sync passwords?
>
> Thanks in advance.

If it isn't returning anything then it means that the attribute doesn't
exist, which explains why LDAP authentication isn't working.

What I don't understand is how this can be. From my reading of the
password change plugin it should always set the userPassword attribute.

You might try:

% kinit admin@YOUR_REALM
% ldappasswd -S -Y GSSAPI dn_of_user

And see if that adds the userPassword attribute to the entry.

rob
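
Added example, not part of the original message: a shell filter that reads the LDIF printed by the ldapsearch command in this thread and distinguishes "no entry matched" from "entry found but userPassword absent", the case discussed here. The function names and the sample LDIF (including the DN container and the attribute value) are constructed for illustration.

```shell
#!/bin/sh
# Classify ldapsearch LDIF output read from stdin.
# Prints one of: no-entry | missing-userPassword | has-userPassword
classify_userpassword() {
    awk '
        # LDIF folds long lines: a continuation line starts with one space.
        /^ /  { buf = buf substr($0, 2); next }
              { check(buf); buf = $0 }
        END   { check(buf)
                if (!entry)   print "no-entry"
                else if (!pw) print "missing-userPassword"
                else          print "has-userPassword" }
        function check(line) {
            if (line ~ /^#/) return            # comments and search summary
            if (line ~ /^dn::? /) entry = 1    # an entry was returned
            # "attr: value" is plain text, "attr:: value" is base64
            if (tolower(line) ~ /^userpassword(;[^:]*)?::? ?/) pw = 1
        }
    '
}

# Constructed sample: entry returned, requested attribute absent.
sample_missing() {
cat <<'EOF'
# extended LDIF
dn: uid=ivan,cn=users,cn=accounts,dc=example,dc=com

search: 2
result: 0 Success
EOF
}

# Constructed sample: folded DN plus a base64 placeholder value.
sample_present() {
cat <<'EOF'
dn: uid=ivan,cn=users,cn=accounts,
 dc=example,dc=com
userPassword:: Q09OU1RSVUNURUQ=

result: 0 Success
EOF
}

sample_missing | classify_userpassword
sample_present | classify_userpassword
```

Against a live server, pipe the ldapsearch command quoted above into `classify_userpassword`; the `-W` prompt is read from the terminal, so the pipe does not interfere with it.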