<div dir="ltr">On 12 April 2013 15:51, Simon Williams <span dir="ltr"><<a href="mailto:simon.williams@thehelpfulcat.com" target="_blank">simon.williams@thehelpfulcat.com</a>></span> wrote:<br><div class="gmail_extra"> <div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">I use Atlassian products, but use Crowd to provide single signon. This means that Crowd is the only application that needs to authenticate against LDAP. I found that I had to tell Crowd that the server was 389 DS. I could not get it to work set to OpenLDAP.</p> </blockquote><div><br></div><div>I had a look at crowd but it seemed like overkill when I could just point everything at FreeIPA.<br></div><div>We are a small shop so the extra queries weren't going to affect much.<br> </div><div>I tried telling my Atlaassian apps that freeipa was a 389 ds server but it refused to work properly.<br></div><div>Slightly strange considering the ldap modules for all of them are the same as the one used in crowd.<br> </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <p dir="ltr">Regards</p><span class="HOEnZb"><font color="#888888"> <p dir="ltr">Simon</p></font></span><div class="HOEnZb"><div class="h5"> <div class="gmail_quote">On 11 Apr 2013 23:36, "Peter Brown" <<a href="mailto:rendhalver@gmail.com" target="_blank">rendhalver@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr">On 12 April 2013 05:04, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div>On 04/11/2013 02:47 PM, Bartek Moczulski wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> hi,<br> I've got a problem with using IPA as authentication source over LDAP.<br> Generally there are two approaches to LDAP authentication:<br> 1. bind using admin account and read passwords from user objects (but in<br> ipa you cannot read passwords through ldap, right?)<br> 2. "bind to authenticate" - service tries to log in to ldap with user's<br> credentials. If login is successful authentication is also succesful -<br> this approach does not work because you cannot login to IPA ldap using<br> bare username, you need a full LDAP DN.<br> </blockquote> <br></div> Most applications I know of that do "bind as user" to authenticate also permit you to specify a format string into which the user name is inserted (i.e. the format string is the dn, e.g. "uid=%u,cn=users,cn=accounts,<u></u>dc=example,dc=com") -or- they do a search to discover the dn. If you application does not support either approach it's broken IMHO.<br> </blockquote><div><br>I have used this method for Confluence, Jira, Stash, Icinga and Foreman.<br></div><div>I will be adding more applications in the future as well.<br></div><div>If the application doesn't support Kerberos it's the next best thing in my opinion.<br> I have also use it to get email lists into dovecot and postfix.<br><br></div><div>One caveat I found is you need to tell Atlassian applications that FreeIPA is a plain OpenLDAP server to get it to work.<br></div><div>Apart from that it works "out of the box" as they say.<br> <br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <br> Reading passwords and/or password hashes is not supported for security reasons.<br> <br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div> Now, I've got a 3rd party application supporting both mentioned above<br> appoaches and the question is - how to make it work with ipa?<br> <br> thanks in advance,<br> Bartek.<br> <br> <br></div><div> ______________________________<u></u>_________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/freeipa-users</a><br> <br> </div></blockquote><span><font color="#888888"> <br> <br> -- <br> John Dennis <<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>><br> <br> Looking to carve out IT costs?<br> <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a></font></span><div><div><br> <br> ______________________________<u></u>_________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/freeipa-users</a><br> </div></div></blockquote></div><br></div></div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div> </div></div></blockquote></div><br></div></div>