I'm using the latest FreeIPA build from CentOS 7.5 - users have mandatory multifactor access configured.
When binding against the compat tree, I'm able to log in with only a password - is this expected?
This ticket indicates that if regular binds require multifactor access, compat binds should too: https://pagure.io/freeipa/issue/4897
Has the behaviour changed intentionally?
On Wed, 30 May 2018, Adam Bishop via FreeIPA-users wrote:
> I'm using the latest FreeIPA build from CentOS 7.5 - users have mandatory multifactor access configured.
> When binding against the compat tree, I'm able to log in with only a password - is this expected?
> This ticket indicates that if regular binds require multifactor access, compat binds should too: https://pagure.io/freeipa/issue/4897
> Has the behaviour changed intentionally?
No, there is no behavior change. Did you supply password+token as a single string?
More details on how you have configured the system are needed, ideally with ipa CLI and ldapsearch commands to demonstrate the issue.
Yeah, password + code supplied as single string gets rejected (49, invalid credentials), but password alone is accepted against the compat tree.
As far as configuration goes, it's an oldish deployment (initially set up in 2012/2013), but has not really deviated from the standard configuration. Users have a single token code assigned to them, with 2fa configured at the user level like so:
[ ] Password [ ] RADIUS [x] Two factor authentication (password + OTP)
There is no global 2fa setting, or any authentication indicators set on hosts.
Not sure what ipa CLI combination would highlight the issue, but here's ldapsearch against a group with trimmed output. Right at the end of the email is a log snippet where I try password + token first, then just the password, from the device that's doing the bind.
---
# Standard Tree, Password + Token Code = Accept:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=accounts,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
...
# search result
search: 2
result: 0 Success

# Standard Tree, Password Only = Reject:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=accounts,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

# Compat Tree, Password + Token Code = Reject:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=compat,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

# Compat Tree, Password Only = Accept:
$ ldapsearch -W -D "uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" -b "cn=adamb,cn=groups,cn=compat,dc=virt,dc=ja,dc=net"
Enter LDAP Password:
...
# search result
search: 2
result: 0 Success
---
[30/May/2018:10:21:26.075901899 +0000] conn=25163 fd=183 slot=183 SSL connection from 172.25.0.14 to 193.63.72.98
[30/May/2018:10:21:26.117421253 +0000] conn=25163 TLS1.2 256-bit AES-GCM
[30/May/2018:10:21:26.121916838 +0000] conn=25163 op=0 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.122685598 +0000] conn=25163 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0041605195 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:26.126405442 +0000] conn=25163 op=1 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(uid=adamb)" attrs=ALL
[30/May/2018:10:21:26.134445441 +0000] conn=25163 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0008214966
[30/May/2018:10:21:26.143921650 +0000] conn=25163 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.145498150 +0000] conn=25163 op=2 RESULT err=49 tag=97 nentries=0 etime=0.0001858480 - Invalid credentials
[30/May/2018:10:21:26.149772263 +0000] conn=25163 op=3 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.150538751 +0000] conn=25163 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0000946441 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:30.950782865 +0000] conn=25163 op=4 UNBIND
[30/May/2018:10:21:30.950833316 +0000] conn=25163 op=4 fd=183 closed - U1

[30/May/2018:10:21:38.056017404 +0000] conn=25164 fd=156 slot=156 SSL connection from 172.25.0.14 to 193.63.72.98
[30/May/2018:10:21:38.096276825 +0000] conn=25164 TLS1.2 256-bit AES-GCM
[30/May/2018:10:21:38.100674075 +0000] conn=25164 op=0 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.101414295 +0000] conn=25164 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0040230747 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.105289862 +0000] conn=25164 op=1 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(uid=adamb)" attrs=ALL
[30/May/2018:10:21:38.116056435 +0000] conn=25164 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0011007183
[30/May/2018:10:21:38.120400753 +0000] conn=25164 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.122458980 +0000] conn=25164 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0002267568 dn="uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.126309118 +0000] conn=25164 op=3 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.127108622 +0000] conn=25164 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0001023469 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.130813363 +0000] conn=25164 op=4 CMP dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" attr="uniquemember"
[30/May/2018:10:21:38.130960657 +0000] conn=25164 op=4 RESULT err=53 tag=111 nentries=0 etime=0.0000308287
[30/May/2018:10:21:38.134644827 +0000] conn=25164 op=5 SRCH base="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" scope=0 filter="(objectClass=*)" attrs="gidNumber"
[30/May/2018:10:21:38.135140752 +0000] conn=25164 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0000733709
[30/May/2018:10:21:38.138916056 +0000] conn=25164 op=6 CMP dn="cn=opengear-dev-admins,cn=groups,cn=compat,dc=virt,dc=ja,dc=net" attr="gidNumber"
[30/May/2018:10:21:38.139028891 +0000] conn=25164 op=6 RESULT err=53 tag=111 nentries=0 etime=0.0000308404
[30/May/2018:10:21:38.142852631 +0000] conn=25164 op=7 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=adamb)(memberUid=uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net)))" attrs=ALL
[30/May/2018:10:21:38.156708353 +0000] conn=25164 op=7 RESULT err=0 tag=101 nentries=24 etime=0.0014057156
[30/May/2018:10:21:38.167060727 +0000] conn=25164 op=8 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=user)(uid=adamb))" attrs="uniqueMember"
[30/May/2018:10:21:38.168177702 +0000] conn=25164 op=8 RESULT err=0 tag=101 nentries=0 etime=0.0001377993
[30/May/2018:10:21:38.171969107 +0000] conn=25164 op=9 SRCH base="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" scope=0 filter="(objectClass=*)" attrs="gidNumber"
[30/May/2018:10:21:38.172404602 +0000] conn=25164 op=9 RESULT err=0 tag=101 nentries=1 etime=0.0000586344
[30/May/2018:10:21:38.176342697 +0000] conn=25164 op=10 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=606000001))" attrs=ALL
[30/May/2018:10:21:38.177966535 +0000] conn=25164 op=10 RESULT err=0 tag=101 nentries=1 etime=0.0001848763
[30/May/2018:10:21:38.181958348 +0000] conn=25164 op=11 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=adamb)(memberUid=uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net)))" attrs=ALL
[30/May/2018:10:21:38.195375411 +0000] conn=25164 op=11 RESULT err=0 tag=101 nentries=24 etime=0.0013589918
[30/May/2018:10:21:38.217773131 +0000] conn=25164 op=12 UNBIND
[30/May/2018:10:21:38.217822659 +0000] conn=25164 op=12 fd=156 closed - U1
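An added example, not part of Adam's message or of FreeIPA: a small Python audit over 389-ds access-log lines that pairs each BIND with its RESULT on the same conn/op and flags simple binds (method=128) against the compat subtree that the server accepted. The log lines embedded below are a constructed excerpt of the two connections above, trimmed to their BIND and RESULT lines; the suffix cn=compat,dc=virt,dc=ja,dc=net is this deployment's and is passed as a parameter. The accepted bind's RESULT line carries a rewritten dn under cn=accounts, which is the compat plugin mapping the bind onto the real user entry, so the audit reports both DNs.

```python
import re

# Constructed excerpt of the access log above: conn=25163 is password+token
# (rejected), conn=25164 is password only (accepted), trimmed to BIND/RESULT lines.
SAMPLE_LOG = """\
[30/May/2018:10:21:26.121916838 +0000] conn=25163 op=0 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.122685598 +0000] conn=25163 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0041605195 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:26.143921650 +0000] conn=25163 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.145498150 +0000] conn=25163 op=2 RESULT err=49 tag=97 nentries=0 etime=0.0001858480 - Invalid credentials
[30/May/2018:10:21:38.120400753 +0000] conn=25164 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.122458980 +0000] conn=25164 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0002267568 dn="uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net"
"""

# One access-log line: timestamp, connection, operation, kind, and the remainder.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>BIND|RESULT) (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')
METHOD_RE = re.compile(r'method=(?P<method>\d+)')


def parse_binds(log_text):
    """Pair every BIND with the RESULT carrying the same conn/op.

    Returns one dict per completed bind: ts, conn, op, bind_dn, method, err,
    and result_dn (the DN the server reports after any plugin rewrite, or None)."""
    pending, binds = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # SRCH, CMP, UNBIND and connection lines are not needed here
        key = (m['conn'], m['op'])
        if m['kind'] == 'BIND':
            dn, meth = DN_RE.search(m['rest']), METHOD_RE.search(m['rest'])
            pending[key] = {'ts': m['ts'], 'conn': m['conn'], 'op': m['op'],
                            'bind_dn': dn['dn'] if dn else '',
                            'method': int(meth['method']) if meth else None}
        elif key in pending:
            rec = pending.pop(key)
            err, rdn = ERR_RE.search(m['rest']), DN_RE.search(m['rest'])
            rec['err'] = int(err['err']) if err else None
            rec['result_dn'] = rdn['dn'] if rdn else None
            binds.append(rec)
    return binds


def compat_simple_bind_successes(binds, compat_suffix='cn=compat,dc=virt,dc=ja,dc=net'):
    """Simple password binds (method=128) under the compat subtree that returned err=0.

    In a deployment where those users require password+OTP, every hit is a
    bind that succeeded without the second factor and deserves a look."""
    suffix = compat_suffix.lower()
    return [b for b in binds
            if b['method'] == 128 and b['err'] == 0
            and b['bind_dn'].lower().endswith(suffix)]


if __name__ == '__main__':
    for hit in compat_simple_bind_successes(parse_binds(SAMPLE_LOG)):
        print('%s conn=%s op=%s accepted simple bind for %s (server reports %s)'
              % (hit['ts'], hit['conn'], hit['op'], hit['bind_dn'], hit['result_dn']))
```

Run it against /var/log/dirsrv/slapd-INSTANCE/access (read the file instead of SAMPLE_LOG) to list every password-only bind the compat tree accepted over the period of interest; the user's first-factor password being correct is what makes these lines look like ordinary successful binds, so the compat suffix is the only discriminator.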
On Wed, 30 May 2018, Adam Bishop via FreeIPA-users wrote:
> Yeah, password + code supplied as single string gets rejected (49, invalid credentials), but password alone is accepted against the compat tree.
> As far as configuration goes, it's an oldish deployment (initially set up in 2012/2013), but has not really deviated from the standard configuration. Users have a single token code assigned to them, with 2fa configured at the user level like so:
> [ ] Password [ ] RADIUS [x] Two factor authentication (password + OTP)
> There is no global 2fa setting, or any authentication indicators set on hosts.
> Not sure what ipa CLI combination would highlight the issue, but here's ldapsearch against a group with trimmed output. Right at the end of the email is a log snippet where I try password + token first, then just the password, from the device that's doing the bind.
Yep. Well, at this point you can enable the plugin logging level to see what the ipa-pwd-extop plugin is reporting.
65536 needs to be added to the existing nsslapd-errorlog-level value to trigger plugin debug logging.
See https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
With plugin debug logging enabled there will be a visible performance degradation of ns-slapd, so it should only be used for a small period of time.
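An added helper, not from the thread or from 389-ds/FreeIPA, for the short debugging window Alexander describes: it computes the nsslapd-errorlog-level to set, emits the ldapmodify LDIF to apply it and to put the original value back, and decodes the level into flag names. Assumptions: 65536 is the plug-in debug bit named above; 16384 (default level) and 8192 (replication) are taken from the Red Hat Directory Server documentation and the table is deliberately partial; the ldapi socket path is the one for this thread's VIRT-JA-NET instance.

```python
# Added example: temporary plug-in debug logging for ns-slapd.
PLUGIN_DEBUG = 65536  # plug-in debug bit, from the thread
# Assumed from the RHDS error-log level table (partial; other bits exist).
KNOWN_FLAGS = {8192: "replication", 16384: "default", 65536: "plug-in"}
# Assumed ldapi socket for the VIRT-JA-NET instance used in this thread.
LDAPI = "ldapi://%2fvar%2frun%2fslapd-VIRT-JA-NET.socket"


def with_plugin_debug(current_level):
    """Level to set while debugging.

    Bitwise OR rather than '+ 65536': the level is a bit mask, so adding to a
    value that already has the plug-in bit set would corrupt the other bits."""
    return current_level | PLUGIN_DEBUG


def without_plugin_debug(level):
    """Level with the plug-in bit cleared (what to restore if the original is unknown)."""
    return level & ~PLUGIN_DEBUG


def describe(level):
    """Names of the known flag bits set in a level; unknown bits reported by value."""
    names = [name for bit, name in sorted(KNOWN_FLAGS.items()) if level & bit]
    leftover = level & ~sum(KNOWN_FLAGS)
    if leftover:
        names.append("other:%d" % leftover)
    return names


def errorlog_level_ldif(level):
    """ldapmodify input that replaces nsslapd-errorlog-level on cn=config."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-errorlog-level\n"
            "nsslapd-errorlog-level: %d\n" % level)


def plan(current_level):
    """Enable LDIF, revert LDIF (back to the original value, not just the bit
    cleared) and the commands to read and apply them over the ldapi socket."""
    debug_level = with_plugin_debug(current_level)
    return {
        "debug_level": debug_level,
        "enable_ldif": errorlog_level_ldif(debug_level),
        "revert_ldif": errorlog_level_ldif(current_level),
        "read_cmd": "ldapsearch -Y EXTERNAL -H %s -b cn=config -s base nsslapd-errorlog-level" % LDAPI,
        "apply_cmd": "ldapmodify -Y EXTERNAL -H %s -f enable.ldif" % LDAPI,
    }


if __name__ == "__main__":
    p = plan(16384)  # constructed: a server currently at the default level
    print("read current level with:", p["read_cmd"])
    print("flags while debugging:", describe(p["debug_level"]))
    print(p["enable_ldif"])
    print("revert with the same command and this LDIF:")
    print(p["revert_ldif"])
```

Read the current value first (the read_cmd), feed it to plan(), apply enable_ldif, reproduce the bind, and apply revert_ldif straight away; the revert restores the exact original value rather than the level with the bit cleared, which matters if the plug-in bit was already on before you started.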
That's fine, the directory is fairly low traffic so the performance drop isn't a problem for us.
This is the log snippet relating to a password + token - the compat plugin matches the DN, but pwd-extop reports that the DN isn't found?
[30/May/2018:13:13:14.793612423 +0000] - DEBUG - schema-compat-plugin - searching from "cn=compat,dc=virt,dc=ja,dc=net" for "(uid=adamb)" with scope 2 (sub)
[30/May/2018:13:13:14.798987398 +0000] - DEBUG - schema-compat-plugin - search matched uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.806900240 +0000] - DEBUG - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.808973889 +0000] - DEBUG - schema-compat-plugin - sending error 0
[30/May/2018:13:13:14.814889099 +0000] - DEBUG - ipa-pwd-extop - failed to retrieve user entry: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.817384965 +0000] - DEBUG - ipa-lockout-plugin - preop returning 0: success
A successful bind (password only) results in the same error log entries.
On Wed, 30 May 2018, Adam Bishop via FreeIPA-users wrote:
> That's fine, the directory is fairly low traffic so the performance drop isn't a problem for us.
> This is the log snippet relating to a password + token - the compat plugin matches the DN, but pwd-extop reports that the DN isn't found?
> [log snippet as above]
> A successful bind (password only) results in the same error log entries.
Interesting. Can you show me output from
# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-VIRT-JA-NET.socket -b cn=config '(nsslapd-pluginprecedence=*)' cn nsslapd-pluginprecedence
as root?
This would give me a list of the DS plugins loaded and their precedence.
Looks like it is a mis-coordination between ipa-pwd-extop and schema-compat.
Schema compat plugin sets SLAPI_BIND_TARGET_SDN but ipa-pwd-extop reads SLAPI_BIND_TARGET. I remember we were asked to use _SDN version by 389-ds developers at some point. Looking at other FreeIPA plugins, I see they only use SLAPI_BIND_TARGET and not _SDN variant, so there is definitely a mismatch.
Ah ha. I think you've pointed me to the root cause - the compat plugin has 2 priority attributes!
Which is correct - 40 or 49?
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (nsslapd-pluginprecedence=*)
# requesting: cn nsslapd-pluginprecedence
#

# IPA MODRDN, plugins, config
dn: cn=IPA MODRDN,cn=plugins,cn=config
cn: IPA MODRDN
nsslapd-pluginprecedence: 60

# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
cn: ipa-winsync
nsslapd-pluginprecedence: 60

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginprecedence: 49

# Posix Winsync API, plugins, config
dn: cn=Posix Winsync API,cn=plugins,cn=config
cn: Posix Winsync API
nsslapd-pluginprecedence: 25

# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
cn: referential integrity postoperation
nsslapd-pluginprecedence: 40

# Retro Changelog Plugin, plugins, config
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
cn: Retro Changelog Plugin
nsslapd-pluginprecedence: 25

# Schema Compatibility, plugins, config
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginprecedence: 49
nsslapd-pluginprecedence: 40

# AES, Password Storage Schemes, plugins, config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: AES
nsslapd-pluginprecedence: 1

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8
On Wed, 30 May 2018, Adam Bishop via FreeIPA-users wrote:
> Ah ha. I think you've pointed me to the root cause - the compat plugin has 2 priority attributes!
> Which is correct - 40 or 49?
It should be below ipa_pwd_extop's one, i.e. 40.
But even with that, ipa-pwd-extop reads the wrong variable, so it doesn't get the rewritten bind DN pointing to the primary LDAP tree object. Instead, it reads the compat tree object, which doesn't have the correct data it needs to authenticate.
Could you please open a ticket at pagure.io/freeipa and attach logs you posted here?
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
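An added check (example code, not FreeIPA's or 389-ds's) for the two points made in this exchange: it parses the LDIF that the precedence ldapsearch above returns, reports any plugin entry carrying more than one nsslapd-pluginprecedence value, and verifies that Schema Compatibility's precedence is below ipa_pwd_extop's as Alexander requires. The embedded LDIF is a constructed excerpt (three of the eight entries) of the output posted above; the LDIF the fix function produces replaces the attribute with a single value. The reader handles only the plain attribute: value lines this output uses, not folded continuation lines or base64 values.

```python
# Added example: audit 389-ds plugin precedence from ldapsearch (LDIF) output.
# Constructed excerpt of the output in the thread.
SAMPLE_LDIF = """\
# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginprecedence: 49

# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
cn: referential integrity postoperation
nsslapd-pluginprecedence: 40

# Schema Compatibility, plugins, config
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginprecedence: 49
nsslapd-pluginprecedence: 40
"""


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output: '#' comment lines are skipped,
    blank lines separate entries, and a repeated attribute collects into a list
    (which is exactly the condition we want to detect)."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def precedence_findings(entries, compat_cn="Schema Compatibility", pwd_cn="ipa_pwd_extop"):
    """Findings as strings: any plugin with more than one precedence value, and a
    compat precedence that is not below ipa_pwd_extop's. With duplicates present it
    is unclear which value the server honours, so any compat value >= pwd_extop's
    is reported."""
    findings, values = [], {}
    for entry in entries:
        cn = entry.get("cn", [""])[0]
        prec = [int(v) for v in entry.get("nsslapd-pluginprecedence", [])]
        values[cn] = prec
        if len(prec) > 1:
            findings.append("%s has %d precedence values %s; the attribute must be single-valued"
                            % (cn, len(prec), prec))
    compat, pwd = values.get(compat_cn, []), values.get(pwd_cn, [])
    if compat and pwd and max(compat) >= min(pwd):
        findings.append("%s precedence %s is not below %s precedence %s"
                        % (compat_cn, compat, pwd_cn, pwd))
    return findings


def fix_ldif(plugin_cn, precedence):
    """ldapmodify input that leaves the plugin with exactly one precedence value."""
    return ("dn: cn=%s,cn=plugins,cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-pluginprecedence\n"
            "nsslapd-pluginprecedence: %d\n" % (plugin_cn, precedence))


if __name__ == "__main__":
    for finding in precedence_findings(parse_ldif(SAMPLE_LDIF)):
        print("FINDING:", finding)
    print(fix_ldif("Schema Compatibility", 40))
```

Feed it the real output of the ldapsearch command from earlier in the thread (the -Y EXTERNAL query over the ldapi socket for nsslapd-pluginprecedence) instead of SAMPLE_LDIF; with the duplicate collapsed to the single value 40 the findings list is empty, which is the state this exchange settles on, while the SLAPI_BIND_TARGET versus SLAPI_BIND_TARGET_SDN mismatch Alexander describes is a code issue that no configuration check can detect.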