[Freeipa-users] SSS problems with eDirectory

Sumit Bose sbose at redhat.com
Thu Jul 22 16:05:36 UTC 2010


On Thu, Jul 22, 2010 at 11:19:44AM -0400, Scott Duckworth wrote:
> On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose <sbose at redhat.com> wrote:
> 
> > On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote:
> > > On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote:
> > >
> > > ...
> > >
> > > >
> > > > "something bad happened" isn't very useful.  And since SSS refuses to
> > try
> > > > and authenticate users without an encrypted connection, I can't easily
> > use
> > > > wireshark and friends to debug at the protocol level.  While I could
> > > > probably patch the source to print the actual LDAP error with
> > > > ldap_err2string(), or maybe gdb the process and set a breakpoint when
> > things
> > > > go wrong to hopefully get some more useful information, this is beyond
> > what
> > > > I'd normally consider doing when deploying new software.  Any
> > suggestions?
> > >
> > > I'm currently installing eDirectory and I will try to reproduce the
> > > behaviour you have found.
> >
> > I have run some basic authentication tests with eDirectory 8.8-SP5 and
> > everything worked fine. I have to admit that I have used the current
> > master of sssd which includes a lot of changes to the LDAP code. Would
> > you mind testing our current beta release from
> > http://kojipkgs.fedoraproject.org/packages/sssd/1.2.91/21.fc14/ . It is
> > for rawhide but should work fine on F13, too.
> >
> 
> Sure, I'll give it a shot and report back what I find.
> 
> 
> > I also didn't use LDAP aliases. Can you check if setting DEREF in
> > /etc/openldap/ldap.conf helps? If not, can you give a short description
> > of how aliases are used in your case so that I can set up a similar
> > environment?
> >
> 
> Setting DEREF to always in /etc/openldap/ldap.conf works.  Aliasing is only

Nice, so authentication is working for you now?

> needed for one DN in our tree: everyone's default group is aliased to
> another DN in another branch of the tree.  I wish there were some way to
> enable aliasing on a per-map basis (e.g. only groups or only users) so that
> you'd only take the performance hit where necessary, but I'm not aware of
> any NSS LDAP client that does this.
> 

The reason might be that the OpenLDAP libraries do not let you specify
the deref option in the exported ldap_search routines. It is only an
option for the whole connection.

bye,
Sumit

> 
> > Thanks.
> >
> > bye,
> > Sumit
> >
> > >
> > > >
> > > > Moving on...
> > > >
> > > > We will need to dereference LDAP aliases but I have not yet been able
> > to
> > > > find a setting to enable this.  I also have not found the equivalent of
> > the
> > >
> > > I have added a RFE to sssd trac
> > > (https://fedorahosted.org/sssd/ticket/568). As a short-term fix you can
> > > add the appropriate DEREF option to /etc/openldap/ldap.conf.
> > >
> > > > pam_password_prohibit_message setting in /etc/ldap.conf; while not
> > strictly
> > > > required, it is nice to refer users to the proper way to change
> > passwords in
> > > > our environment.
> > >
> > > Currently there is only a configurable message if password resets by
> > > root fail. I have added https://fedorahosted.org/sssd/ticket/569 to
> > > track this.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Any help would be appreciated.  Thanks!
> > > >
> > > > Scott Duckworth, Systems Programmer II
> > > > Clemson University School of Computing
> > >
> > > > _______________________________________________
> > > > Freeipa-users mailing list
> > > > Freeipa-users at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users