I'll bump this, because Mr. Bokovoy mentioned here ->
the "slapi-nis plugin does not support paged results control for the
virtual subtree." and elaborated that they were working on rebasing it to
another 389-ds instance on the back end. Compat ALMOST works for vCenter
6.5, but without the paged lookup, it dies. Any idea when this change might
I'm trying to migrate our openldap users to freeipa by running
ipa -v migrate-ds \
ldap://ldap.example.com:389 --schema=RFC2307bis \
but I'm getting this error on each user:
ysl: missing attribute "sn" required by object class "person"
I found this thread which seems to have a solution but that solution doesn't work for me, I guess because I'm using the current docker version.
Is there anyone out there who could help me to apply the fix mentioned in the thread? Or is there anyone who has another solution?
I am sending you this mail because I sometimes get the error "Cannot contact any
KDC for realm". When I retry it works fine. So this error is kind of random.
I'm using FreeIPA 3.0 on RHEL 6.6 with sssd.
I was wondering how to investigate this kind of error?
Can I monitor some KPIs from the KDC or check the logs? Do you know which
kind of logs I can check?
Thank you in advance for your help.
Thanks for the reminder.
One more question, can we set the krb5.conf location to a different path? The default is /etc/krb5.conf, can we change it to a different path?
----- Original Message -----
From: Alexander Bokovoy via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
To: michael_ly(a)sina.cn, FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Alexander Bokovoy <abokovoy(a)redhat.com>
Subject: [Freeipa-users] Re: Can we install LDAP only
On Thu, 26 Jul 2018, None via FreeIPA-users wrote:
>Can we only install LDAP related components, with Kerberos? How?
Do you mean you want LDAP server only? LDAP server with Kerberos KDC?
LDAP server without Kerberos KDC?
FreeIPA is an integrated solution, so you cannot install separate
components alone. If you need LDAP only, FreeIPA is not a best solution
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
> From: Jakub Hrozek <jhrozek(a)redhat.com>
> Are you sure sssd is not logging you offline?
> sssctl domain-status can tell you the status of the domains..
Yes, I'm sure.
I tried to log in on the IPA server and client.
I could with the old password, but couldn't with the new one.
sssctl domain-status start-line.local
Online status: Online
AD Global Catalog: ad.start-line.local
AD Domain Controller: ad2.start-line.local
Discovered AD Global Catalog servers:
Discovered AD Domain Controller servers:
Discovered IPA servers:
Best regards, Nikolay.
We have a setup with a Forest Trust to an AD Domain.
Everything looks good on the FreeIPA servers themselves. We can see user information if we do "getent passwd user(a)ad.domain" or "id user(a)ad.domain" or "sssctl user-checks user(a)ad.domain".
But on a connected client, we only get the user of the IPA domain and no user information for the AD user.
In the logs, we found no obvious error.
The only thing we see in sssd.log is:
(Tue Jul 10 16:19:27 2018) [sssd[be[ipa.domain]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=user(a)ad.domain]
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.