>----- Original message -----
>From: "Alexander Bokovoy" <[email protected]>
>To: "Bobby Prins" <[email protected]>
>Cc: [email protected], [email protected]
>Sent: Friday 3 April 2015 12:45:07
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in
>ipa_server_mode
>
>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>> On Mar 24, 2015, at 17:11, Dmitri Pal <[email protected]> wrote:
>>>>
>>>> Seems like 15 sec timeout on the AIX side.
>>>> Can you try with a user that does not have that many groups and see if
>>>> that works?
>>>> If it does then we should assume it is an AIX side timeout and focus on
>>>> making sure the data gets over to IPA within this timeout.
>>>I need to do some more testing. Did not have a lot of time today, but I
>>>tried to authenticate with an AD user against the compat tree using a Linux
>>>client with pam_ldap. I was able to log in but this would take up to a
>>>minute or so. I'm still waiting for my AD test account with lesser group
>>>memberships.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>So I finally found some time to do extra tests. I now have an AD
>>account with lesser group memberships which seems to speed up the login
>>process (with Linux LDAP auth against the compat tree), but still no
>>success on AIX. Did some more digging and it looks like AIX invalidates
>>the user before it is even authenticated. The output below shows the
>>lookup that is performed after I enter the username and press enter
>>(before entering the password).
>>
>>access:
>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from
>>192.168.140.107 to 192.168.140.133
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0
>>etime=0 dn=""
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH
>>base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2
>>filter="(&(objectClass=posixaccount)([email protected]))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1
>>etime=0
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH
>>base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2
>>filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0
>>etime=0
>Above there are two lookups:
>
>- successful lookup for user [email protected]
>- unsuccessful lookup for user bprins
>
>What is causing it to perform a lookup without @example.com? Compat tree
>presents AD users fully qualified, it is the only way it knows to
>trigger lookup via SSSD on IPA master for these users (because non-fully
>qualified users are in IPA LDAP tree already and copied to compat tree
>automatically).
>--
>/ Alexander Bokovoy

This seems to be (standard?) behaviour of the AIX LDAP client. Did some more
tests with different accounts and always see the two lookups. I doubt if I
can influence that.
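As an added example (not code from the thread or from FreeIPA), a small Python parser for 389 Directory Server access-log records that pairs each SRCH with its RESULT by conn/op and flags compat-tree lookups made without the realm suffix that matched nothing, i.e. the second of the two AIX lookups Alexander points out. The sample log is constructed after the quoted excerpt; the address obfuscated in the archive is assumed to be bprins@example.com, the uid and domain the thread names.

```python
import re

# Constructed sample in 389 Directory Server access-log format, modelled on the
# thread's excerpt; the obfuscated address is assumed to be bprins@example.com.
ACCESS_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.com))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

# Every per-operation record starts with a timestamp followed by conn= and op=.
RECORD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare
UID_RE = re.compile(r'\(uid=([^)]+)\)')        # uid asserted in the search filter


def _fields(rest):
    """Turn 'base="..." scope=2 filter="..."' into a dict, stripping the quotes."""
    return {m[1]: m[3] if m[3] is not None else m[2] for m in KV_RE.finditer(rest)}


def correlate_searches(log_text):
    """Pair each SRCH with the RESULT on the same conn/op and summarise the lookup."""
    pending, lookups = {}, []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # connection open/close lines carry no op= and are skipped
        key, f = (m['conn'], m['op']), _fields(m['rest'])
        if m['kind'] == 'SRCH':
            uid = UID_RE.search(f.get('filter', ''))
            pending[key] = {'conn': key[0], 'op': key[1], 'base': f.get('base', ''),
                            'uid': uid.group(1) if uid else None}
        elif m['kind'] == 'RESULT' and key in pending:
            rec = pending.pop(key)
            rec.update(err=int(f['err']), nentries=int(f['nentries']), etime=float(f['etime']))
            # The compat tree knows AD users only under their fully qualified name.
            rec['qualified'] = bool(rec['uid']) and '@' in rec['uid']
            lookups.append(rec)
    return lookups


def unqualified_misses(lookups):
    """uids looked up without a realm suffix that matched nothing: the second of
    the two AIX lookups described in the thread."""
    return [r['uid'] for r in lookups if r['uid'] and not r['qualified'] and r['nentries'] == 0]
```

Running `unqualified_misses(correlate_searches(ACCESS_LOG))` on the sample yields `['bprins']`, the bare lookup that the compat tree cannot satisfy.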
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
