On Wed, 30 May 2018, Adam Bishop via FreeIPA-users wrote:
> That's fine, the directory is fairly low traffic so the
> performance drop isn't a problem for us.
>
> This is the log snippet relating to a password + token - the compat plugin matches the DN,
> but pwd-extop reports that the DN isn't found?
>
> [30/May/2018:13:13:14.793612423 +0000] - DEBUG - schema-compat-plugin - searching from "cn=compat,dc=virt,dc=ja,dc=net" for "(uid=adamb)" with scope 2 (sub)
> [30/May/2018:13:13:14.798987398 +0000] - DEBUG - schema-compat-plugin - search matched uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
> [30/May/2018:13:13:14.806900240 +0000] - DEBUG - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
> [30/May/2018:13:13:14.808973889 +0000] - DEBUG - schema-compat-plugin - sending error 0
> [30/May/2018:13:13:14.814889099 +0000] - DEBUG - ipa-pwd-extop - failed to retrieve user entry: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
> [30/May/2018:13:13:14.817384965 +0000] - DEBUG - ipa-lockout-plugin - preop returning 0: success
>
> A successful bind (password only) results in the same error log entries.
Interesting. Can you show me output from

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-VIRT-JA-NET.socket \
    -b cn=config '(nsslapd-pluginprecedence=*)' cn nsslapd-pluginprecedence

as root?

This would give me a list of DS plugins loaded and their precedence.
Looks like it is a mis-coordination between ipa-pwd-extop and
schema-compat.
Schema compat plugin sets SLAPI_BIND_TARGET_SDN but ipa-pwd-extop reads
SLAPI_BIND_TARGET. I remember we were asked to use _SDN version by
389-ds developers at some point. Looking at other FreeIPA plugins, I see
they only use SLAPI_BIND_TARGET and not _SDN variant, so there is
definitely a mismatch.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
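The thread's diagnosis rests on reading a handful of debug lines in sequence: schema-compat-plugin reports a search match for a DN under cn=compat, and a few milliseconds later ipa-pwd-extop reports that it cannot retrieve an entry with that same DN. On a busier directory this pattern is hard to spot by eye, so the following added example (not FreeIPA or 389-ds code, and not from any participant in the thread) correlates the two plugins' messages over a 389-ds errors log. The line layout ("[timestamp] - LEVEL - component - message") and the DN regex are assumptions drawn from the lines quoted above; the first six sample lines are the thread's own entries re-joined onto single lines, and the last two are constructed here to show a bind that does not trigger the check.

```python
import re

# Added example: correlate 389-ds errors-log lines to find binds where
# schema-compat-plugin matched a DN and ipa-pwd-extop then failed to load
# that same DN. Not FreeIPA or 389-ds code; the line layout is assumed
# from the log snippet in the thread.

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<component>[\w-]+) - (?P<msg>.*)$"
)
# A DN as these messages print it: uid=<x>,<attr>=<val>,...
# Assumption: no escaped commas inside RDN values (true for the thread's log).
DN_RE = re.compile(r"uid=[^\s,]+(?:,[A-Za-z]+=[^\s,]+)+")

# Constructed sample: lines 1-6 are the thread's entries re-joined onto single
# lines; lines 7-8 are made up here (a lockout-only line and an ipa-pwd-extop
# failure with no preceding compat match) to show what is *not* reported.
SAMPLE_LOG = """\
[30/May/2018:13:13:14.793612423 +0000] - DEBUG - schema-compat-plugin - searching from "cn=compat,dc=virt,dc=ja,dc=net" for "(uid=adamb)" with scope 2 (sub)
[30/May/2018:13:13:14.798987398 +0000] - DEBUG - schema-compat-plugin - search matched uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.806900240 +0000] - DEBUG - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.808973889 +0000] - DEBUG - schema-compat-plugin - sending error 0
[30/May/2018:13:13:14.814889099 +0000] - DEBUG - ipa-pwd-extop - failed to retrieve user entry: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.817384965 +0000] - DEBUG - ipa-lockout-plugin - preop returning 0: success
[30/May/2018:13:20:01.000000000 +0000] - DEBUG - ipa-lockout-plugin - preop returning 0: success
[30/May/2018:13:25:02.000000000 +0000] - DEBUG - ipa-pwd-extop - failed to retrieve user entry: uid=nobody,cn=users,cn=accounts,dc=virt,dc=ja,dc=net
"""


def parse_line(line):
    """Split one errors-log line into ts/level/component/msg plus any DN in msg.
    Returns None for lines that do not follow the expected layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    dn = DN_RE.search(rec["msg"])
    rec["dn"] = dn.group(0) if dn else None
    return rec


def in_compat_tree(dn):
    """True if the DN carries a cn=compat RDN, i.e. it comes from the compat view."""
    return any(rdn.strip().lower() == "cn=compat" for rdn in dn.split(","))


def find_mismatches(log_text):
    """Return (timestamp, dn, in_compat_tree) for each ipa-pwd-extop
    'failed to retrieve user entry' whose DN schema-compat-plugin had just
    reported as a search match. Failures without a preceding compat match
    (e.g. a genuinely unknown user) are not reported."""
    pending = {}  # dn -> timestamp of the compat match not yet consumed
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dn"] is None:
            continue
        comp, msg, dn = rec["component"], rec["msg"], rec["dn"]
        if comp == "schema-compat-plugin" and msg.startswith("search matched "):
            pending[dn] = rec["ts"]
        elif comp == "ipa-pwd-extop" and msg.startswith("failed to retrieve user entry"):
            if dn in pending:
                del pending[dn]
                hits.append((rec["ts"], dn, in_compat_tree(dn)))
    return hits


if __name__ == "__main__":
    for ts, dn, compat in find_mismatches(SAMPLE_LOG):
        print(f"{ts}: compat matched but ipa-pwd-extop could not load {dn}"
              f" (compat tree: {compat})")
```

Running it against the sample reports only the adamb bind from the thread: the constructed uid=nobody failure has no matching compat search and is ignored, which keeps ordinary "unknown user" noise out of the result. Whether a reported DN sits under cn=compat is returned separately, since that is what distinguishes the compat-tree case discussed in the thread from a failure to load a normal cn=accounts entry.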