Thank you.
Without getting too much into the weeds, I've had an ongoing conversation for quite
some time with some support folks who are trying to help me troubleshoot why we've
been unable to get authentication working - as of yet - on RHEL 6 clients, when RHEL 7
works perfectly fine.
The support team asked me to run that query and provide stdout, but as of yet, I've
been unable to get it to work, due to the failed credentials.
Your explanation makes a lot of sense.
Due to the limitations of sssd in RHEL 6 and how sssd integrates with an IPA installation
that has a trust back to AD, I'm aware that there are some differences in how the
client gets configured.
I think some of the limitations we're running into are also related to our firewall
flows and that we're using KdcProxy features on the IdM servers to proxy all Kerberos
requests to AD through the IPA servers.
I've sent this email thread over to our (new) technical account manager, and we'll
continue to work together towards a resolution.
On 8/4/20, 10:42 AM, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On Tue, 04 Aug 2020, White, David via FreeIPA-users wrote:
We have an IPA environment that has an existing trust with Active Directory.
I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against
our IPA environment.
It keeps asking for an LDAP Bind password.
1. I know the Directory Admin password
2. I know the local 'admin' password to get into the UI as the "admin" user
3. I know my own Active Directory password.
None of these passwords are working.
[root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I recall setting up the LDAP password on the initial install of the IPA software when
these servers were first launched.
How can I reset this LDAP password?
What are you trying to achieve here? You are using compat tree which is
a read-only dynamic view on some content provided elsewhere.
You are using your own account RDN but ldapsearch wants your DN for
bind, not RDN. Your DN depends on what you want to authenticate with --
if this is your AD user, then you need to use a compat tree DN for
uid=whitedm@ad.domain,cn=users,cn=compat,dc=....
if this is your IPA user, then you need to use your IPA user DN, e.g.
uid=admin,cn=users,cn=accounts,dc=...
if this is Directory Manager, then DN is 'cn=Directory Manager'. It
looks like RDN but that's a virtual object which doesn't exist anywhere
and is treated by 389-ds in a special way.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland