[Freeipa-users] Re: LDAP - Zammad -> not offering all fields

On ma, 12 marras 2018, Tobi Berninger via FreeIPA-users wrote: > hey, > i just tried to add an new user as described in the howto/ldap from > freeipa. and the console doenst show any errors, > but when i try to use that user as an bind user - it wont work at all. > Maybe something bigger isnt work? > this is the bind settings i use in zammad: > dc=int,dc=asta-frankfurt,dc=de > uid=system4,cn=users,cn=accounts,dc=int,dc=asta-frankfurt,dc=de > this it eh log when i try: > [12/Nov/2018:12:56:12.367897702 +0100] conn=5 op=117374 RESULT err=0 > tag=101 nentries=1 etime=0.0000079172 > [12/Nov/2018:12:56:12.368072341 +0100] conn=5 op=117375 MOD dn="fqdn= > radius.int.asta-frankfurt.de > ,cn=computers,cn=accounts,dc=int,dc=asta-frankfurt,dc=de" > [12/Nov/2018:12:56:12.370654530 +0100] conn=5 op=117375 RESULT err=0 > tag=103 nentries=0 etime=0.0002612503 csn=5be96b5fa6f300040000 > [12/Nov/2018:12:56:12.372265034 +0100] conn=74960 op=1 UNBIND > [12/Nov/2018:12:56:12.372279026 +0100] conn=74960 op=1 fd=146 closed - U1 > [12/Nov/2018:12:56:15.498614694 +0100] conn=74961 fd=146 slot=146 SSL > connection from 10.8.0.1 to 10.8.0.6 > [12/Nov/2018:12:56:15.531133872 +0100] conn=74961 TLS1.2 256-bit AES-GCM > [12/Nov/2018:12:56:15.558425764 +0100] conn=74961 op=0 BIND > dn="uid=system4,cn=users,cn=accounts,dc=int,dc=asta-frankfurt,dc=de" > method=128 version=3 > [12/Nov/2018:12:56:15.558859253 +0100] conn=74961 op=0 RESULT err=48 > tag=97 > nentries=0 etime=0.0059811400 > [12/Nov/2018:12:56:15.586313574 +0100] conn=74961 op=-1 fd=146 closed > - B1 > > with that change in setting binding isnt working at all, > when i change back to the system3 (the account i am also using for > nextcloud) it is working fine, when i try it with an normal user also no > problems Can you show what attributes it tries to retrieve? I think the core of the issue is two-fold: there was a regression bug in 389-ds that applied anonymous user rights in doing ACI evaluation sometimes. I need to see what attributes are requested to see which ACIs are affected.

> > > Am Mo., 12. Nov. 2018 um 09:56 Uhr schrieb Alexander Bokovoy < > abokovoy(a)redhat.com&gt;: > >> On ma, 12 marras 2018, Tobi Berninger via FreeIPA-users wrote: >> >Hey, >> >i have an freeipa 4.5.4 on an Centos 7 up and running. >> >I allready binded that ipa trough an ldap on an nextcloud installation. >> >Now i try to do the same with an zammad. Sadly it doesnt offers me the >> >right fields (first name, last name, mail and many more are missing) >> >I set up an extra ldap sysaccount just for that reason, as it was >> described >> >here: https://www.freeipa.org/page/HowTo/LDAP >> > >> >Any ideas what i was doing wrong? >> > >> >Others users in the zammad forum told me that zammad is offering >> them the >> >fields i need, so i am quite convinced that the error is in an >> >missconfiguration on my side. Sadly i didnt set the server up, i >> just try >> >to keep it running. >> It would be good to see what you did exactly. >> >> Can you show which fields you are trying to access and what is the >> sysaccount entry? >> >> Can you show what searches are done by zammad in the >> /var/log/dirsrv/slapd-<INSTANCE-NAME>/access log? You can find them by >> the connection which starts by binding as your sysaccount. It should >> look something like below. I used admin user to do the search but it >> should not matter in terms of how things a logged. You need logs for the >> same connection (conn=<number>). >> >> [12/Nov/2018:10:51:11.951508884 +0200] conn=1098 fd=93 slot=93 SSL >> connection from 192.168.100.180 to 192.168.100.180 >> [12/Nov/2018:10:51:11.959543784 +0200] conn=1098 TLS1.3 128-bit AES-GCM >> [12/Nov/2018:10:51:11.959795901 +0200] conn=1098 op=0 BIND >> dn="uid=admin,cn=users,cn=accounts,dc=h,dc=example,dc=com" method=128 >> version=3 >> [12/Nov/2018:10:51:12.034886792 +0200] conn=1098 op=0 RESULT err=0 >> tag=97 >> nentries=0 etime=0.1916669164 >> dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" >> [12/Nov/2018:10:51:12.035585653 +0200] conn=1098 op=1 SRCH >> base="dc=h,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL >> [12/Nov/2018:10:51:12.037307748 +0200] conn=1098 op=1 RESULT err=0 >> tag=101 >> nentries=1 etime=0.0001826480 >> [12/Nov/2018:10:51:12.039934460 +0200] conn=1098 op=2 UNBIND >> [12/Nov/2018:10:51:12.039960936 +0200] conn=1098 op=2 fd=93 closed - U1 >> >> >> > >> >Thank u all for ur help and i apoligze for my english... >> >> >_______________________________________________ >> >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> >To unsubscribe send an email to >> freeipa-users-leave(a)lists.fedorahosted.org >> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> >List Archives: >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >> >> >> >> -- >> / Alexander Bokovoy >> Sr. Principal Software Engineer >> Security / Identity Management Engineering >> Red Hat Limited, Finland >> > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >