Alexander Bokovoy via FreeIPA-users wrote:
On Mon, 12 Nov 2018, Tobi Berninger via FreeIPA-users wrote:
> Hey,
> I just tried to add a new user as described in the HowTo/LDAP from
> FreeIPA, and the console doesn't show any errors,
> but when I try to use that user as a bind user, it won't work at all.
> Maybe something bigger isn't working?
> These are the bind settings I use in Zammad:
> dc=int,dc=asta-frankfurt,dc=de
> uid=system4,cn=users,cn=accounts,dc=int,dc=asta-frankfurt,dc=de
> This is the log when I try:
> [12/Nov/2018:12:56:12.367897702 +0100] conn=5 op=117374 RESULT err=0
> tag=101 nentries=1 etime=0.0000079172
> [12/Nov/2018:12:56:12.368072341 +0100] conn=5 op=117375 MOD dn="fqdn=
> radius.int.asta-frankfurt.de
> ,cn=computers,cn=accounts,dc=int,dc=asta-frankfurt,dc=de"
> [12/Nov/2018:12:56:12.370654530 +0100] conn=5 op=117375 RESULT err=0
> tag=103 nentries=0 etime=0.0002612503 csn=5be96b5fa6f300040000
> [12/Nov/2018:12:56:12.372265034 +0100] conn=74960 op=1 UNBIND
> [12/Nov/2018:12:56:12.372279026 +0100] conn=74960 op=1 fd=146 closed - U1
> [12/Nov/2018:12:56:15.498614694 +0100] conn=74961 fd=146 slot=146 SSL
> connection from 10.8.0.1 to 10.8.0.6
> [12/Nov/2018:12:56:15.531133872 +0100] conn=74961 TLS1.2 256-bit AES-GCM
> [12/Nov/2018:12:56:15.558425764 +0100] conn=74961 op=0 BIND
> dn="uid=system4,cn=users,cn=accounts,dc=int,dc=asta-frankfurt,dc=de"
> method=128 version=3
> [12/Nov/2018:12:56:15.558859253 +0100] conn=74961 op=0 RESULT err=48
> tag=97
> nentries=0 etime=0.0059811400
> [12/Nov/2018:12:56:15.586313574 +0100] conn=74961 op=-1 fd=146 closed
> - B1
>
> With that change in the settings, binding isn't working at all;
> when I change back to system3 (the account I am also using for
> Nextcloud) it is working fine, and when I try it with a normal user there are
> also no problems.
Can you show what attributes it tries to retrieve? I think the core of
the issue is two-fold: there was a regression bug in 389-ds that sometimes
applied anonymous user rights when doing ACI evaluation. I need to see what
attributes are requested to see which ACIs are affected.
I'd guess that a default LDAP bind user has little to no read rights
except to cn=compat.
rob
>
>
> On Mon, 12 Nov 2018 at 09:56, Alexander Bokovoy <
> abokovoy(a)redhat.com> wrote:
>
>> On Mon, 12 Nov 2018, Tobi Berninger via FreeIPA-users wrote:
>> >Hey,
>> >I have FreeIPA 4.5.4 on CentOS 7 up and running.
>> >I already bound that IPA through LDAP to a Nextcloud installation.
>> >Now I am trying to do the same with Zammad. Sadly it doesn't offer me the
>> >right fields (first name, last name, mail and many more are missing).
>> >I set up an extra LDAP sysaccount just for that reason, as it was
>> >described here: https://www.freeipa.org/page/HowTo/LDAP
>> >
>> >Any ideas what I was doing wrong?
>> >
>> >Other users in the Zammad forum told me that Zammad is offering them the
>> >fields I need, so I am quite convinced that the error is a
>> >misconfiguration on my side. Sadly I didn't set the server up, I
>> >just try to keep it running.
>> It would be good to see what you did exactly.
>>
>> Can you show which fields you are trying to access and what is the
>> sysaccount entry?
>>
>> Can you show what searches are done by zammad in the
>> /var/log/dirsrv/slapd-<INSTANCE-NAME>/access log? You can find them by
>> the connection which starts by binding as your sysaccount. It should
>> look something like below. I used the admin user to do the search but it
>> should not matter in terms of how things are logged. You need logs for the
>> same connection (conn=<number>).
>>
>> [12/Nov/2018:10:51:11.951508884 +0200] conn=1098 fd=93 slot=93 SSL
>> connection from 192.168.100.180 to 192.168.100.180
>> [12/Nov/2018:10:51:11.959543784 +0200] conn=1098 TLS1.3 128-bit AES-GCM
>> [12/Nov/2018:10:51:11.959795901 +0200] conn=1098 op=0 BIND
>> dn="uid=admin,cn=users,cn=accounts,dc=h,dc=example,dc=com" method=128
>> version=3
>> [12/Nov/2018:10:51:12.034886792 +0200] conn=1098 op=0 RESULT err=0
>> tag=97
>> nentries=0 etime=0.1916669164
>> dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
>> [12/Nov/2018:10:51:12.035585653 +0200] conn=1098 op=1 SRCH
>> base="dc=h,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
>> [12/Nov/2018:10:51:12.037307748 +0200] conn=1098 op=1 RESULT err=0
>> tag=101
>> nentries=1 etime=0.0001826480
>> [12/Nov/2018:10:51:12.039934460 +0200] conn=1098 op=2 UNBIND
>> [12/Nov/2018:10:51:12.039960936 +0200] conn=1098 op=2 fd=93 closed - U1
>>
>>
>> >
>> >Thank you all for your help, and I apologize for my English...
>>
>> >_______________________________________________
>> >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> >To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> >Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
>> >List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >List Archives:
>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
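Alexander's advice above is to follow the sysaccount's whole session in the 389-ds access log by its conn= number and read each op's RESULT err= code. The Python below is an added example, not code from the thread or from FreeIPA: it parses the `[timestamp] conn=N op=M ...` line format seen in the quoted logs, picks the connections that BIND as a given DN, pairs every op with its result and names the standard LDAP result code (RFC 4511). The sample log is constructed from the lines quoted in the thread, not a real capture.

```python
import re
from collections import defaultdict

# Standard LDAP result codes (RFC 4511) most often seen on a failing bind.
LDAP_RESULT = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
               49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}
# 389-ds access log line: "[timestamp] conn=N [op=M] <operation or RESULT ...>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")

# Constructed sample modelled on the log quoted in the thread (not a real capture).
SAMPLE_LOG = """\
[12/Nov/2018:12:56:12.372265034 +0100] conn=74960 op=1 UNBIND
[12/Nov/2018:12:56:15.498614694 +0100] conn=74961 fd=146 slot=146 SSL connection from 10.8.0.1 to 10.8.0.6
[12/Nov/2018:12:56:15.558425764 +0100] conn=74961 op=0 BIND dn="uid=system4,cn=users,cn=accounts,dc=int,dc=asta-frankfurt,dc=de" method=128 version=3
[12/Nov/2018:12:56:15.558859253 +0100] conn=74961 op=0 RESULT err=48 tag=97 nentries=0 etime=0.0059811400
[12/Nov/2018:12:56:15.586313574 +0100] conn=74961 op=-1 fd=146 closed - B1
""".splitlines()

def parse_access_log(lines):
    """Group log lines by connection id, keeping (op, rest-of-line) in file order."""
    conns = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            conns[int(m.group("conn"))].append((m.group("op"), m.group("rest")))
    return conns

def trace_bind_dn(lines, bind_dn):
    """For each connection that BINDs as bind_dn, return [(op, request, err), ...] for the whole session."""
    trace = {}
    for conn, entries in parse_access_log(lines).items():
        if not any(r.startswith("BIND") and f'dn="{bind_dn}"' in r for _, r in entries):
            continue
        ops = {}
        for op, rest in entries:
            if op is None:          # connection-level lines (SSL handshake, cipher) carry no op
                continue
            slot = ops.setdefault(op, {"request": None, "err": None})
            if rest.startswith("RESULT"):
                m = re.search(r"\berr=(\d+)", rest)
                slot["err"] = int(m.group(1)) if m else None
            else:                   # BIND, SRCH, MOD, UNBIND, or the "fd=N closed - XX" line
                slot["request"] = "closed" if " closed " in rest else rest.split()[0]
        trace[conn] = [(int(op), v["request"], v["err"]) for op, v in ops.items()]
    return trace

def failed_ops(trace):
    """Flatten a trace to (conn, op, request, error-name) for each op whose RESULT was not err=0."""
    return [(conn, op, req, LDAP_RESULT.get(err, f"err={err}"))
            for conn, ops in trace.items() for op, req, err in ops if err not in (None, 0)]
```

Run it against the real file with `trace_bind_dn(open("/var/log/dirsrv/slapd-<INSTANCE-NAME>/access"), bind_dn)` to get every op the sysaccount performed on each of its connections, including searches whose results come back empty because of ACIs.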