[Freeipa-users] SSS problems with eDirectory

Sumit Bose sbose at redhat.com
Thu Jul 22 15:07:41 UTC 2010


On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote:
> On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote:
> 
> ...
> 
> > 
> > "something bad happened" isn't very useful.  And since SSS refuses to try
> > and authenticate users without an encrypted connection, I can't easily use
> > wireshark and friends to debug at the protocol level.  While I could
> > probably patch the source to print the actual LDAP error with
> > ldap_err2string(), or maybe gdb the process and set a breakpoint when things
> > go wrong to hopefully get some more useful information, this is beyond what
> > I'd normally consider doing when deploying new software.  Any suggestions?
> 
> I'm currently installing eDirectory and I will try to reproduce the
> behaviour you have found.

I have run some basic authentication tests with eDirectory 8.8-SP5 and
everything worked fine. I have to admit that I have used the current
master of sssd which includes a lot of changes to the LDAP code. Would
you mind testing our current beta release from
http://kojipkgs.fedoraproject.org/packages/sssd/1.2.91/21.fc14/ ? It is
for rawhide but should work fine on F13, too.

I also didn't use LDAP aliases. Can you check if setting DEREF in
/etc/openldap/ldap.conf helps? If not, can you give a short description
of how aliases are used in your case so that I can set up a similar
environment?

Thanks.

bye,
Sumit

> 
> > 
> > Moving on...
> > 
> > We will need to dereference LDAP aliases but I have not yet been able to
> > find a setting to enable this.  I also have not found the equivalent of the
> 
> I have added an RFE to sssd trac
> (https://fedorahosted.org/sssd/ticket/568). As a short-term fix you can
> add the appropriate DEREF option to /etc/openldap/ldap.conf.
> 
> > pam_password_prohibit_message setting in /etc/ldap.conf; while not strictly
> > required, it is nice to refer users to the proper way to change passwords in
> > our environment.
> 
> Currently there is only a configurable message if password resets by
> root fail. I have added https://fedorahosted.org/sssd/ticket/569 to
> track this.
> 
> bye,
> Sumit
> 
> > 
> > Any help would be appreciated.  Thanks!
> > 
> > Scott Duckworth, Systems Programmer II
> > Clemson University School of Computing
> 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 



