2.8. Authentication
- Identity Management component
- When transitioning to a fully supported Identity Management version in Red Hat Enterprise Linux 6.2, uninstall any previous beta version of Identity Management or Technology Preview parts of Red Hat Enterprise Identity (IPA) available in the Red Hat Enterprise Linux 6.1 Technology Preview and install Identity Management again.
- Identity Management component
- When an Identity Management server is installed with a custom hostname that is not resolvable, the
ipa-server-install
command should add a record to the static hostname lookup table in/etc/hosts
and enable further configuration of Identity Management integrated services. However, a record is not added to/etc/hosts
when an IP address is passed as an CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:- Run the
ipa-server-install
without the--ip-address
option and pass the IP address interactively. - Add a record to
/etc/hosts
before the installation is started. The record should contain the Identity Management server IP address and its full hostname (thehosts(5)
man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable. sssd
component, BZ#750922- Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library
libldb
. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the\,
character sequence. The most likely example of this is for an invalidmemberUID
entry to appear in an LDAP group of the form:memberUID: user1,user2
memberUID
is a multi-valued attribute and should not have multiple users in the same attribute.If the upgrade issue occurs, identifiable by the following debug log message:(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the/var/lib/sss/db/cache_<DOMAIN>.ldb
file and restart SSSD.Warning
Removing the/var/lib/sss/db/cache_<DOMAIN>.ldb
file purges the cache of all entries (including cached credentials). sssd
component, BZ#751314- When a group contains certain incorrect multi-valued
memberUID
values, SSSD fails to sanitize the values properly. ThememberUID
value should only contain one username. As a result, SSSD creates incorrect users, using the brokenmemberUID
values as their usernames. This, for example, causes problems during cache indexing. - Identity Management component, BZ#750596
- Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers, however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
- Identity Management component
- The Identity Management (ipa) package cannot be build with a
6ComputeNode
subscription. - Identity Management component
- On the configuration page of the Identity Management WebUI, if the User search field is left blank, and the button is clicked, an internal error is returned.
sssd
component, BZ#741264- Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.To work around this issue, disable referral-chasing by setting the following parameter in the
[domain/DOMAINNAME]
section of the/etc/sssd/sssd.conf
file:ldap_referrals = false