Despite the fact that we selected "Generic LDAP" rather than "Active Directory", it is still looking for Security Groups and Organization Units.
Thanks.

Daniel E. White daniel.e.white@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
Despite the fact that we selected "Generic LDAP" rather than "Active Directory", it is still looking for Security Groups and Organization Units.
I've never used it and couldn't find much in their docs. Do you have more information on what the configuration screen looks like and what the 389-ds access log is showing?
rob
Finally found a reference: https://docs.microfocus.com/itom/Network_Node_Manager_i:10.50/Administer/NNM...
<roleSearch>
Placeholder element to include the user role information.
<roleBase>member={1}</roleBase>
Replace member with the name of the group attribute that stores the directory service user ID in the directory service domain.
<roleContextDN>
</roleContextDN>
Specify the portion of the directory service domain that stores group records. The format is a comma-separated list of directory service attribute names and values. For example:
For Microsoft Active Directory
CN=Users,DC=ldapserver,DC=mycompany,DC=com
For other LDAP technologies
ou=Groups,o=example.com
</roleSearch>
FreeIPA/IdM does not support OU's https://pagure.io/freeipa/issue/2973
FWIW, Rob, you closed that RFE
Any suggestions other than to gripe to the other vendor ?
From: Rob Crittenden rcritten@redhat.com Date: Wednesday, December 4, 2019 at 17:55 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Daniel White daniel.e.white@nasa.gov Subject: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
White, Daniel E. (GSFC-770.0)[NICS] wrote:
Finally found a reference: https://docs.microfocus.com/itom/Network_Node_Manager_i:10.50/Administer/NNM...
My gosh their documentation is...interesting.
For the domain example.test you'd use the following configuration:
Users are stored in cn=users,cn=accounts,dc=example,dc=test
Groups are stored in cn=groups,cn=accounts,dc=example,dc=test
Groups use the member attribute.
Users use memberof.
Note too that I saw in their documentation that the administrator user account must be unique. IPA uses the account 'admin' just like MNA, so be aware that one side will need to be changed.
FreeIPA/IdM does not support OU's
https://pagure.io/freeipa/issue/2973
FWIW, Rob, you closed that RFE
IPA uses a flat tree. Lots of LDAP admins over the years have tried to reflect a company's organization using OU's with "interesting" results, particularly as teams are re-organized, acquisitions, etc. You end up moving entries around for artificial reasons (Tech Support is now called Global User Support, rename the OU tomorrow).
rob
Thanks, Rob.
I will give it a try.
I made a posix group to use for application access - call it "nnmi_access"
I can ldapsearch using
(&(objectclass=groupofnames)(cn=nnmi_access)) member
and get back the members of the group like this: member: uid=foobar,cn=users,cn=accounts,dc=…
So then the roleBase is "member", but what should the roleContextDN be ? Maybe cn-nnmi-access,cn=groups,…,dc=… ?
From: Rob Crittenden rcritten@redhat.com Date: Thursday, December 5, 2019 at 13:33 To: Daniel White daniel.e.white@nasa.gov, FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
The DN that pops out for the group is
cn=nnmi_access,cn=groups,cn=compat(not accounts),dc=…
Is this a problem / issue / reason to panic ?
From: "White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users" freeipa-users@lists.fedorahosted.org Reply-To: FreeIPA users list freeipa-users@lists.fedorahosted.org Date: Thursday, December 5, 2019 at 14:04 To: Rob Crittenden rcritten@redhat.com, FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Daniel White daniel.e.white@nasa.gov Subject: [Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
The DN that pops out for the group is
cn=nnmi_access,cn=groups,cn=compat(not accounts),dc=…
Is this a problem / issue / reason to panic ?
Use cn=accounts.
IPA uses RFC2307bis internally. For compatibility there is a translation layer in IPA to represent the data as RFC2307. That is cn=compat.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
White, Daniel E. (GSFC-770.0)[NICS] wrote:
Thanks, Rob.
I will give it a try.
I made a posix group to use for application access - call it "nnmi_access"
I can ldapsearch using
(&(objectclass=groupofnames)(cn=nnmi_access)) member
and get back the members of the group like this:
member: uid=foobar,cn=users,cn=accounts,dc=…
So then the roleBase is "member". but what should the roleContextDN be ?
Maybe cn-nnmi-access,cn=groups,…,dc=… ?
That's the way I read their docs as well. I guess it won't hurt trying.
rob
We set roleContextDN to cn=nnmi-access
And it still barfs, but I found stuff in the access log file: (redacted a bit)
[06/Dec/2019:12:49:18.055641820 +0000] conn=2805 fd=110 slot=110 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +0000] conn=2805 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.056068589 +0000] conn=2805 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000264910 dn=""
[06/Dec/2019:12:49:18.060407586 +0000] conn=2805 op=1 SRCH base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +0000] conn=2805 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000453635
[06/Dec/2019:12:49:18.061436537 +0000] conn=2806 fd=125 slot=125 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.061707766 +0000] conn=2806 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.061784637 +0000] conn=2806 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000187246 dn=""
[06/Dec/2019:12:49:18.066780892 +0000] conn=2806 op=1 SRCH base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.067161659 +0000] conn=2806 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000428881
[06/Dec/2019:12:49:18.067812476 +0000] conn=2807 fd=128 slot=128 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +0000] conn=2807 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.068165707 +0000] conn=2807 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000161713 dn=""
[06/Dec/2019:12:49:18.071528890 +0000] conn=2807 op=1 SRCH base="cn=nnmi_access" scope=2 filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +0000] conn=2807 op=1 RESULT err=32 tag=101 nentries=0 etime=0.0000074662
[06/Dec/2019:12:49:18.072926385 +0000] conn=2807 op=2 SRCH base="cn=nnmi_access" scope=2 filter="(groupmember=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.072953042 +0000] conn=2807 op=2 RESULT err=32 tag=101 nentries=0 etime=0.0000067911
[06/Dec/2019:12:49:18.074036480 +0000] conn=2807 op=3 UNBIND
[06/Dec/2019:12:49:18.074048223 +0000] conn=2807 op=3 fd=128 closed - U1
This is what popped up in the access log when this command was run on the NNMi server:
nnmldap.ovpl -diagnose USER
The output from the command is:
=========================================================
= Configuration
=========================================================
Diagnosing LDAP connectivity for user USER
Using LDAP configuration file <path to nms-auth-config.xml>
=========================================================
= Found User Distinguished Name: "uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
=========================================================
!!!!!!!!!!!!!!!!!!!!!!!! NOTE !!!!!!!!!!!!!!!!!!!!!!!
! No LDAP groups found for this User Distinguished Name.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!! NOTE !!!!!!!!!!!!!!!!!!!!!!!
! LDAP Appears to be Misconfigured. See above for more information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Also, in nms-auth-config.xml,
<users>
Container element to include all user configuration details.
<userSearch>
Container element to include the configuration information for searching users.
<base> </base>
For example: <base> SAMAccountName={0} </base>. <base> uid={0} </base>
<baseContextDN>
</baseContextDN>
For Active Directory, specify the portion of the directory service domain that stores user records. For example:
For Active Directory
CN=user,OU=Users,OU=Accounts,DC=mycompany,DC=com
For other LDAP technologies
ou=People,o=example.com
</userSearch>
</users>
base is set to "uid=(0)" and baseContextDN is set to "cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
A simple ldapsearch for "uid=USER" returns a boatload of info with many "memberOf" lines including
memberOf: cn=nnmi_access,cn=groups,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG
Does this shed any light on the dilemma ?
From: Rob Crittenden rcritten@redhat.com Date: Thursday, December 5, 2019 at 14:31 To: Daniel White daniel.e.white@nasa.gov, FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
White, Daniel E. (GSFC-770.0)[NICS] wrote:
We set roleContextDN to cn=nnmi-access
And it still barfs, but I found stuff in the access log file: (redacted a bit)
[06/Dec/2019:12:49:18.055641820 +0000] conn=2805 fd=110 slot=110 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +0000] conn=2805 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.056068589 +0000] conn=2805 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000264910 dn=""
[06/Dec/2019:12:49:18.060407586 +0000] conn=2805 op=1 SRCH base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +0000] conn=2805 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000453635
Right so the user is found, that's good. You should change the user search base from cn=compat to cn=accounts.
Looks like it is doing an anonymous bind which is going to provide limited information. I'm pretty sure there is a way to configure a bind user for this but the how baffles me.
[06/Dec/2019:12:49:18.067812476 +0000] conn=2807 fd=128 slot=128 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +0000] conn=2807 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.068165707 +0000] conn=2807 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000161713 dn=""
[06/Dec/2019:12:49:18.071528890 +0000] conn=2807 op=1 SRCH base="cn=nnmi_access" scope=2 filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +0000] conn=2807 op=1 RESULT err=32 tag=101 nentries=0 etime=0.0000074662
The search base is cn=nnmi_access which doesn't exist but this shows us that wherever you configured this value should be cn=groups,cn=accounts,... so that's something. It will need to bind as a real user to get memberof though so that will need to be addressed too.
This is what popped up in the access log this command was run on the NNMi server:
nnmldap.ovpl -diagnose USER
So yeah it's nice that you have a tool to easily verify things. By poking at the config and using this tool and watching the logs you may be able to bang on it enough to get things to work.
So basically you've gotten the user configuration mostly right; you just need to get the group base configuration done and figure out how to specify a user to bind as.
rob
I agree with your response:
user search base = "cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
group search base = "cn=nnmi_access,cn=groups,cn=accounts,dc=PROJECT,dc=EXAMPLE,dc=ORG"
AND change the roleBase from member to memberOf
This is based on the results of tinkering with ldapsearch queries, trying the various base strings and field names. Sadly, I cannot try this new info until Monday as the guy in charge of that server is out today and I promised not to tinker without permission/approval ☹
Anyway, many thanks for your responses, Rob. I think I am close to The Answer ! (42, right ?)
I finally fixed it. Here's what I did:
<userSearch>
  <base>uid={0}</base>
  <baseContextDN>cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG</baseContextDN>
</userSearch>
<roleSearch>
  <roleBase>member={1}</roleBase>
  <roleContextDN>cn=nnmi_access,cn=groups,cn=accounts,dc=PROJECT,dc=EXAMPLE,dc=ORG</roleContextDN>
</roleSearch>
And, would you believe, it makes a huge difference when the bindCredential is NOT COMMENTED OUT !!
I discovered it by running ldapsearch by hand to try for access log outputs identical to the ones produced by the application.
Thanks again for your help.
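The diagnosis Rob walked through above (anonymous BIND, user search pointed at cn=compat, group base that does not exist, group lookup not rooted under cn=groups,cn=accounts) can be mechanised against the 389-ds access log, which is also a quick way to confirm the final working config behaves as expected. The script below is an added example and is not code from the thread, from FreeIPA or from NNMi. The first sample log reuses the redacted lines posted above; the second is constructed to show the shape of a working run and uses a hypothetical bind account uid=nnmi-bind (not something the thread names). The suffix dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG is taken from the posted log.

```python
"""Triage a 389-ds (FreeIPA/IdM) access log for the LDAP-integration failure
modes discussed in this thread.  Added example, not from the thread, FreeIPA
or NNMi.  Sample logs are constructed; the bind account uid=nnmi-bind in the
working sample is hypothetical."""
import re
from collections import defaultdict

SUFFIX = "dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"

# Constructed sample: the redacted lines posted in the thread (failing run).
FAILING_LOG = """\
[06/Dec/2019:12:49:18.055641820 +0000] conn=2805 fd=110 slot=110 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +0000] conn=2805 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.056068589 +0000] conn=2805 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000264910 dn=""
[06/Dec/2019:12:49:18.060407586 +0000] conn=2805 op=1 SRCH base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +0000] conn=2805 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000453635
[06/Dec/2019:12:49:18.067812476 +0000] conn=2807 fd=128 slot=128 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +0000] conn=2807 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.068165707 +0000] conn=2807 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000161713 dn=""
[06/Dec/2019:12:49:18.071528890 +0000] conn=2807 op=1 SRCH base="cn=nnmi_access" scope=2 filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +0000] conn=2807 op=1 RESULT err=32 tag=101 nentries=0 etime=0.0000074662
"""

# Constructed sample: what a working run looks like once a bind DN and the
# cn=accounts bases are configured (the bind DN uid=nnmi-bind is hypothetical).
WORKING_LOG = """\
[09/Dec/2019:14:02:11.000000001 +0000] conn=3101 op=0 BIND dn="uid=nnmi-bind,cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" method=128 version=3
[09/Dec/2019:14:02:11.000000002 +0000] conn=3101 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn="uid=nnmi-bind,cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
[09/Dec/2019:14:02:11.000000003 +0000] conn=3101 op=1 SRCH base="cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[09/Dec/2019:14:02:11.000000004 +0000] conn=3101 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000200000
[09/Dec/2019:14:02:11.000000005 +0000] conn=3101 op=2 SRCH base="cn=nnmi_access,cn=groups,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(member=uid=USER,cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[09/Dec/2019:14:02:11.000000006 +0000] conn=3101 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000100000
"""

LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT) (.*)$')


def _quoted(body, name):
    m = re.search(r'\b%s="([^"]*)"' % name, body)
    return m.group(1) if m else None


def _int(body, name):
    m = re.search(r'\b%s=(\d+)' % name, body)
    return int(m.group(1)) if m else None


def parse_access_log(text):
    """Group BIND/SRCH/RESULT records by connection and pair each op with its RESULT."""
    conns = defaultdict(lambda: {"bind_dn": None, "ops": {}})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # connection open/close and other records
        conn, op, kind, body = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        e = conns[conn]["ops"].setdefault(op, {"kind": None})
        if kind == "BIND":
            e["kind"] = "BIND"
            conns[conn]["bind_dn"] = _quoted(body, "dn")   # "" means anonymous
        elif kind == "SRCH":
            e.update(kind="SRCH", base=_quoted(body, "base"), filter=_quoted(body, "filter"))
        else:                             # RESULT carries err= and nentries=
            e.update(err=_int(body, "err"), nentries=_int(body, "nentries"))
    return conns


def triage(text, suffix=SUFFIX):
    """Return (conn, code, detail) tuples; an empty list means nothing looked wrong."""
    groups_base = ("cn=groups,cn=accounts," + suffix).lower()
    findings = []
    for conn, c in sorted(parse_access_log(text).items(), key=lambda kv: int(kv[0])):
        if not c["bind_dn"]:
            findings.append((conn, "ANON_BIND",
                             "lookups ran over an anonymous bind; configure a bind DN and credential"))
        for _, e in sorted(c["ops"].items()):
            if e["kind"] != "SRCH":
                continue
            base = (e["base"] or "").replace(", ", ",").lower()
            flt = (e["filter"] or "").lower()
            if e.get("err") == 32:
                findings.append((conn, "NO_SUCH_BASE",
                                 'search base "%s" does not exist (err=32 noSuchObject)' % base))
            if "cn=compat" in base:
                findings.append((conn, "COMPAT_TREE",
                                 'base "%s" is the compat tree; use cn=users,cn=accounts,%s' % (base, suffix)))
            if flt.startswith("(member=") and not base.endswith(groups_base):
                findings.append((conn, "GROUP_BASE",
                                 'group lookup base "%s" should end with %s' % (base, groups_base)))
    return findings


if __name__ == "__main__":
    for label, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(label, "run:")
        for conn, code, detail in triage(log) or [("-", "OK", "no findings")]:
            print("  conn=%s %-13s %s" % (conn, code, detail))
```

Run it against a copy of /var/log/dirsrv/slapd-*/access taken while `nnmldap.ovpl -diagnose USER` executes; a clean run of the working config produces no findings, while the posted log yields one ANON_BIND per connection plus the compat-tree and group-base findings.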
That's great news. Thanks for closing the loop and providing the config!
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...