wheelybird / ldap-user-manager

A PHP web-based interface for LDAP user account management and self-service password change.
MIT License

FreeIPA ldap error creating groups #76

Closed jvinolas closed 3 years ago

jvinolas commented 3 years ago

When using it against FreeIPA LDAP it throws errors when creating groups. I first thought it was about the FORCE_RFC2307BIS envvar and tried forcing it as well, as with autodetection it said "The RFC2307BIS schema doesn't appear to be available.".

I've checked the schema used in FreeIPA and it states that it is RFC2307BIS: https://www.freeipa.org/page/Directory_Server

Schema Compatibility: publishes alternate trees containing a computed, different view on objects in the DS. For instance, as FreeIPA stores users using the RFC 2307bis schema, it publishes an alternate tree cn=users,cn=compat,dc=example,dc=com with users in an RFC 2307 schema. It is also used by the Trusts feature to allow Active Directory users to access legacy systems without a recent SSSD version.

But something is failing when creating groups:


Any hint on this?

wheelybird commented 3 years ago

Hi. The user manager is designed to work with OpenLDAP. FreeIPA uses the 389 Directory Server for LDAP. In theory the user manager could work with the 389 Directory Server (it's LDAPv3 compatible) though who knows how FreeIPA sets everything up?

If you enable debugging in the logs there might be more information on why creating the groups failed. Set LDAP_DEBUG and LDAP_VERBOSE_CONNECTION_LOGS to TRUE. Be aware that if you choose to post them here you should redact any sensitive outputs such as passwords.

jvinolas commented 3 years ago

After restarting I see that the groups have been created, but it fails at user admin creation.

It looks to me that it is a passwd hash algorithm mismatch as I see this in the logs:

res_errno: 19, res_error: <pre-hashed passwords are not valid , res_matched: <>

Added the parsed log:

ldap-user-manager.log

wheelybird commented 3 years ago

Ah. Well you could try setting PASSWORD_HASH to CLEAR and see if that does the trick.
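The log line above (result code 19, "pre-hashed passwords are not valid") is the directory server refusing a userPassword value that the client already hashed. The following is an added example, not code from ldap-user-manager or FreeIPA: it builds an RFC 2307 style {SSHA} value the way a client that pre-hashes would, verifies it, and models the two sides of this issue, a client that sends either a pre-hashed value or the clear value (mirroring the PASSWORD_HASH setting) and a server policy that accepts or rejects pre-hashed values. The `build_userpassword` and `server_policy_check` functions and the `allow_prehashed` flag are assumptions made for the illustration; they are not the project's API nor a 389 DS configuration name.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple

# Scheme prefixes an LDAP server treats as an already-hashed userPassword (RFC 2307 style).
PREHASHED_PREFIXES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")

# LDAP result code 19 is constraintViolation, the code seen in the issue's log line.
LDAP_CONSTRAINT_VIOLATION = 19


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Verify a password against a stored {SSHA} value (SHA-1 digest is 20 bytes, rest is salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def is_prehashed(value: str) -> bool:
    """True when the value carries a scheme prefix, i.e. the client hashed it itself."""
    return value.upper().startswith(PREHASHED_PREFIXES)


def build_userpassword(password: str, password_hash: str) -> str:
    """Hypothetical client side: 'SSHA' sends a pre-hashed value, 'CLEAR' sends the plaintext
    so the server applies its own storage scheme (the fix suggested in this thread)."""
    mode = password_hash.upper()
    if mode == "CLEAR":
        return password
    if mode == "SSHA":
        return ssha_hash(password)
    raise ValueError(f"unsupported PASSWORD_HASH: {password_hash}")


def server_policy_check(value: str, allow_prehashed: bool) -> Tuple[bool, int, str]:
    """Hypothetical server side: a directory that disallows pre-hashed values answers
    with constraintViolation (19), which is what the issue's log shows."""
    if is_prehashed(value) and not allow_prehashed:
        return (False, LDAP_CONSTRAINT_VIOLATION, "pre-hashed passwords are not valid")
    return (True, 0, "")


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    pw = "correct horse battery staple"
    for mode in ("SSHA", "CLEAR"):
        value = build_userpassword(pw, mode)
        ok, code, msg = server_policy_check(value, allow_prehashed=False)
        print(f"PASSWORD_HASH={mode}: accepted={ok} res_errno={code} {msg}")
```

Sending the clear value only moves the hashing to the server; it does not weaken storage, since 389 DS hashes it with its own configured scheme on write. It does mean the plaintext crosses the wire, so this mode belongs on an LDAPS or StartTLS connection rather than plain LDAP.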

jvinolas commented 3 years ago

Great! It was that! Thanks.