We integrated the Apache Syncope server with a FreeIPA server, so users can self-register an ID from Apache Syncope, which is then synchronized to FreeIPA. The problems are:

*1) A user created from Apache Syncope can't log in to Linux. A user created from the FreeIPA web GUI works well.*

This is the user (syncopex5) information created from Apache Syncope:

# syncopex5, users, compat, example.com
dn: uid=syncopex5,cn=users,cn=compat,dc=example,dc=com
cn: x5syncope
objectClass: posixAccount
objectClass: top
gidNumber: 657600034
gecos: x5syncope
uidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
uid: syncopex5

# syncopex5, users, accounts, example.com
dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
cn: x5syncope
displayName: x5syncope
uid: syncopex5
gecos: x5syncope
uidNumber: 657600034
gidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
sn: syncope
givenName: x5
initials: xs

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

*2) The user also can't be deleted from the web UI and CLI. It said "syncopex5: user not found".*

*The errors log:*

[13/Nov/2015:07:27:54 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 4130 (rc: 32)
[13/Nov/2015:07:27:54 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 4131 (rc: 32)
[13/Nov/2015:07:27:54 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 4221 (rc: 32)
[13/Nov/2015:07:27:54 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 4222 (rc: 32)
[13/Nov/2015:07:27:55 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 4353 (rc: 32)
[13/Nov/2015:07:27:55 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 4354 (rc: 32)
[15/Nov/2015:07:27:53 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 5129 (rc: 32)
[15/Nov/2015:07:27:53 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 5130 (rc: 32)
[15/Nov/2015:07:27:53 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 5155 (rc: 32)
[15/Nov/2015:07:27:53 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 5156 (rc: 32)
[16/Nov/2015:02:52:59 +0000] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
[16/Nov/2015:02:52:59 +0000] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)

*The access log:*

[16/Nov/2015:02:52:50 +0000] conn=5512 op=36 UNBIND
[16/Nov/2015:02:52:50 +0000] conn=5512 op=36 fd=621 closed - U1
[16/Nov/2015:02:52:59 +0000] conn=5513 fd=621 slot=621 connection from 192.168.10.39 to 192.168.10.39
[16/Nov/2015:02:52:59 +0000] conn=5513 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +0000] conn=5513 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +0000] conn=5513 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +0000] conn=5513 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +0000] conn=5513 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +0000] conn=5513 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[16/Nov/2015:02:52:59 +0000] conn=5513 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=4 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=1 filter="(&(objectClass=posixaccount)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))" attrs="telephoneNumber sshpubkeyfp uid title loginShell uidNumber gidNumber sn homeDirectory mail givenName nsAccountLock"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=5 SRCH base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0 filter="(userPassword=*)" attrs="userPassword"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=6 SRCH base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=7 SRCH base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=8 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=posixaccount)(uid=syncopex5))" attrs=""
[16/Nov/2015:02:52:59 +0000] conn=5513 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=9 SRCH base="cn=otp,dc=example,dc=com" scope=1 filter="(&(objectClass=ipatoken)(ipatokenOwner=uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com))" attrs="ipatokenNotAfter description ipatokenOwner objectClass ipatokenDisabled ipatokenVendor managedBy ipatokenModel ipatokenNotBefore ipatokenUniqueID ipatokenSerial"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=9 RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=10 DEL dn="uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=10 RESULT err=32 tag=107 nentries=0 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=11 UNBIND
[16/Nov/2015:02:52:59 +0000] conn=5513 op=11 fd=621 closed - U1
[16/Nov/2015:02:53:10 +0000] conn=13 op=3705 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[16/Nov/2015:02:53:10 +0000] conn=13 op=3705 RESULT err=32 tag=101 nentries=0 etime=0

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
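
Added example, not part of the original message: a short Python script that pairs each request in a 389 Directory Server access log with its RESULT line by conn and op, and reports the operations that ended with a non-zero LDAP result code. The sample lines are copied from the access log quoted in the message; the function and type names are illustrative.

```python
import re
from collections import namedtuple

# Excerpt of the access log lines quoted in the message above.
SAMPLE_LOG = """\
[16/Nov/2015:02:52:59 +0000] conn=5513 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +0000] conn=5513 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=8 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=posixaccount)(uid=syncopex5))" attrs=""
[16/Nov/2015:02:52:59 +0000] conn=5513 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +0000] conn=5513 op=10 DEL dn="uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com"
[16/Nov/2015:02:52:59 +0000] conn=5513 op=10 RESULT err=32 tag=107 nentries=0 etime=0
"""

# "[timestamp] conn=N op=M VERB rest"; connection open/close lines do not match.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<verb>[A-Z]+)\s*(?P<rest>.*)$'
)
ERR_RE = re.compile(r'\berr=(\d+)')

# LDAP result codes (RFC 4511) that appear in the quoted log.
LDAP_CODES = {0: "success", 14: "saslBindInProgress", 32: "noSuchObject"}
NOT_FAILURES = {0, 14}  # 14 is an intermediate step of a SASL bind

FailedOp = namedtuple("FailedOp", "ts conn op verb detail err code_name")

def failed_operations(log_text):
    """Return every request whose RESULT carried a failing LDAP code."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        if m["verb"] != "RESULT":
            pending[key] = (m["ts"], m["verb"], m["rest"])
            continue
        err, req = ERR_RE.search(m["rest"]), pending.pop(key, None)
        if err is None or req is None:
            continue
        code = int(err.group(1))
        if code not in NOT_FAILURES:
            failures.append(FailedOp(req[0], key[0], key[1], req[1], req[2],
                                     code, LDAP_CODES.get(code, "other")))
    return failures

if __name__ == "__main__":
    for f in failed_operations(SAMPLE_LOG):
        print(f"{f.ts} conn={f.conn} op={f.op} {f.verb} {f.detail} "
              f"-> err={f.err} ({f.code_name})")
```

On the excerpt it reports only the DEL on conn=5513 op=10, which returned err=32 even though the search at op=8 on the same connection matched one entry for uid=syncopex5.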
