Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 568087

Summary: Solaris 10 nss passwd db not working
Product: [Retired] freeIPA Reporter: Rob Crittenden <rcritten>
Component: ipa-serverAssignee: Rob Crittenden <rcritten>
Status: CLOSED UPSTREAM QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: low    
Version: 1.2CC: benl, dpal, jgalipea
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 09:34:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rob Crittenden 2010-02-24 18:42:21 UTC 
Description of problem:

Reported by Andy Singleton:

I am installing IPA 1.2.2 client installation on one of our Solaris servers, and I cant seem to get the system to see the IPA users. “getent passwd” only returns local users, and no traffic is leaving the client for the IPA server for ldap.

I have followed the instructions from the documentation, but I definitely get the feeling that something is missing.

All the various configuration files are populated, and the Kerberos portion works correctly because I can obtain a ticket.

So possibly there is a problem with the nss_ldap part, or the ldap.conf itself.

Nalin and Simo diagnosed this to be a VLV problem querying cn=users,cn=accounts. If he switches to use cn=compat then getent passwd works ok.

Version-Release number of selected component (if applicable):

ipa 1.2.2
Comment 1 Rob Crittenden 2010-03-03 22:26:28 UTC 
I duplicated this with the latest Solaris 10 x86 bits (U8).

As I thought, this *is* a VLV problem.

Oddly enough something seems to have changed. My LDAP server had a VLV aci but it was set up for authenticated users only:

aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read
 , search, compare, proxy ) userdn = "ldap:///all";)

I'm not entirely sure where this came from. We are supposed to create an ACI that reads:

aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone"; )

A handy command to better see the problem is ldaplist. You'll actually get:

ldaplist: LDAP error (LDAP ERROR (50): Insufficient access.)

Once I replaced the ACI then getent passwd worked and all the ldaplist commands I tried worked as well (or at least as well as the data backing them in LDAP allowed).

I investigated this from an IPA v2 installation but the underlying problem seems to be the same.

The reason it works in compat is that the VLV control is ignored there (for good or bad).

So now I need to figure out where that VLV aci is coming from and why ours isn't getting installed.
Comment 2 Rob Crittenden 2010-04-01 15:36:58 UTC 
Looks like the initial attempt at this simply didn't work. The ldap:///all VLV aci gets added automatically by DS and based on the git history has been working this way for ages.

This patch should fix it up in IPA v1.2:

--- a/ipa-server/ipa-install/share/schema_compat.uldif
+++ b/ipa-server/ipa-install/share/schema_compat.uldif
@@ -48,3 +48,7 @@ default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
 default:schema-compat-entry-attribute: memberUid=%{memberUid}
 default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
 default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid")
+
+# Enable anonymous VLV browsing for Solaris
+dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 
+only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'
--
Comment 3 Rob Crittenden 2010-04-01 17:43:24 UTC 
Patch is committed to the master branch and ipa-1-2: 3c11b71aa7169615ecb74ac0b3b513e44662c52a