[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Bobby Prins bobby.prins at proxy.nl
Fri Apr 3 12:15:02 UTC 2015


>----- Original message -----
>From: "Alexander Bokovoy" <abokovoy at redhat.com>
>To: "Bobby Prins" <bobby.prins at proxy.nl>
>Cc: dpal at redhat.com, freeipa-users at redhat.com
>Sent: Friday 3 April 2015 12:45:07
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>
>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>> On Mar 24, 2015, at 17:11, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>> Seems like 15 sec timeout on the AIX side.
>>>> Can you try with a user that does not have that many groups and see if that works?
>>>> If it does then we should assume it is an AIX side timeout and focus on making sure the data gets over to IPA within this timeout.
>>>I need to do some more testing. Did not have a lot of time today, but I tried to authenticate with an AD user against the compat tree using a Linux client with pam_ldap. I was able to log in but this would take up to a minute or so. I'm still waiting for my AD test account with fewer group memberships.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>So I finally found some time to do extra tests. I now have an AD
>>account with lesser group memberships which seems to speed up the login
>>process (with Linux LDAP auth against the compat tree), but still no
>>success on AIX. Did some more digging and it looks like AIX invalidates
>>the user before it is even authenticated. The output below shows the
>>lookup that is performed after I enter the username and press enter
>>(before entering the password).
>>
>>access:
>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>Above there are two lookups:
>
>- successful lookup for user bprins at example.com
>- unsuccessful lookup for user bprins
>
>What is causing a lookup to be performed without @example.com? Compat tree
>presents AD users fully qualified, it is the only way it knows to
>trigger lookup via SSSD on IPA master for these users (because non-fully
>qualified users are in IPA LDAP tree already and copied to compat tree
>automatically).
>-- 
>/ Alexander Bokovoy
This seems to be (standard?) behaviour of the AIX LDAP client. Did some more tests with different accounts and always see the two lookups. I doubt if I can influence that.
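As an added example (not code from the thread or from FreeIPA), the Python below parses 389-ds access-log lines in the format quoted above, joins each SRCH to its RESULT by conn/op, and reports the pattern Alexander points out: a fully qualified uid lookup that returns an entry, followed on the same connection by an unqualified lookup for the same short name that returns nothing. The sample log is constructed from the quoted lines, with the "@" that the list archive renders as " at " restored.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format, modelled on the lines quoted in the thread.
ACCESS_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="[^"]*\(uid=([^)]+)\)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=\d+ tag=\d+ nentries=(\d+)')


def parse_uid_searches(log_text):
    """Map (conn, op) -> {uid, base, nentries} for every uid= search, joining SRCH to its RESULT."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, uid = m.groups()
            searches[(int(conn), int(op))] = {"uid": uid, "base": base, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) in searches:
            searches[(int(m.group(1)), int(m.group(2)))]["nentries"] = int(m.group(3))
    return searches


def find_unqualified_fallbacks(searches):
    """Per connection, pair a fully qualified uid lookup with a later unqualified lookup for the
    same short name. The compat tree only answers the qualified form for AD users, so the
    unqualified lookup is expected to return nentries=0: the double lookup seen in the thread."""
    by_conn = defaultdict(list)
    for (conn, op), s in searches.items():
        by_conn[conn].append((op, s))
    findings = []
    for conn, ops in by_conn.items():
        qualified = {}  # short name -> (op, realm, nentries) of the qualified lookup
        for op, s in sorted(ops, key=lambda t: t[0]):
            if "@" in s["uid"]:
                short, realm = s["uid"].split("@", 1)
                qualified[short] = (op, realm, s["nentries"])
            elif s["uid"] in qualified:
                qop, realm, qhits = qualified[s["uid"]]
                findings.append({"conn": conn, "short_name": s["uid"], "realm": realm,
                                 "qualified_op": qop, "qualified_hits": qhits,
                                 "unqualified_op": op, "unqualified_hits": s["nentries"]})
    return findings
```

Running `find_unqualified_fallbacks(parse_uid_searches(ACCESS_LOG))` against the sample yields one finding for `bprins` in realm `example.corp`, with one hit for the qualified lookup and zero for the unqualified one.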
