[Freeipa-users] FreeIPA for AMM users management

Simo Sorce simo at redhat.com
Thu Nov 1 21:30:58 UTC 2012


On Thu, 2012-11-01 at 17:09 -0400, Simo Sorce wrote:
> On Thu, 2012-11-01 at 15:55 -0400, Simo Sorce wrote:
> > On Thu, 2012-11-01 at 08:27 +0400, Pavel Zhukov wrote:
> > > Hi all. 
> > > I'd like to use FreeIPA for AMM (advanced management module) user
> > > management using this instruction [1]. I enabled option "use DNS for
> > > find LDAP servers"  and set root DN and Binding method "w/ Login
> > > Credentials" but cannot login with IPA credentials.  Logs of dirsrv
> > > and kerberos are empty. DNS server works correctly. 
> > > 
> > > [1] - http://publib.boulder.ibm.com/infocenter/bladectr/documentation/index.jsp?topic=/com.ibm.bladecenter.advmgtmod.doc/kp1bb_bc_mmug_configldap_ADrolebasedauthen.html
> > 
> > I am not sure that bind w/ Login Credentials will work properly if they
> > assume Active Directory.
> > AD has a non standard authentication method that allows to not use a DN
> > to identify a user. We do not support that authentication method.
> > 
> > However you should at least see the bind attempt and an error message in
> > the dirsrv access log.
> > 
> > If you do not see that then something else is broken before a bind is
> > even attempted, perhaps DNS discovery ?
> 
> Ah btw, have you enabled SSL ?
> FreeIPA enforces that simple binds be done on an encrypted channel. If
> you try to bind with plain text credentials on an unencrypted channel
> FreeIPA simply returns an error.

Uhmm sorry this is not true for binds, it is true only for password
changes (and SSSD enforces auth only via SSL, but it is client side
enforcement).

Sorry for the noise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
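
Per the correction above, simple binds on an unencrypted channel are not rejected server-side, so the dirsrv access log mentioned earlier in the thread is where such binds can be spotted. The following is an added example, not part of the original thread: a Python sketch that flags simple binds sent before TLS was active on the connection. The log lines are constructed and modeled on the 389 Directory Server access log layout (an assumption here); all DNs and addresses are placeholders.

```python
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# Constructed sample; DNs and addresses are placeholders, not from the thread.
SAMPLE_LOG = '''\
[01/Nov/2012:21:10:01 +0000] conn=5 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[01/Nov/2012:21:10:01 +0000] conn=5 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Nov/2012:21:10:01 +0000] conn=5 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[01/Nov/2012:21:11:07 +0000] conn=6 fd=65 slot=65 SSL connection from 192.0.2.11 to 192.0.2.1
[01/Nov/2012:21:11:07 +0000] conn=6 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Nov/2012:21:11:07 +0000] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Nov/2012:21:12:30 +0000] conn=7 fd=66 slot=66 connection from 192.0.2.12 to 192.0.2.1
[01/Nov/2012:21:12:30 +0000] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Nov/2012:21:12:30 +0000] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Nov/2012:21:12:31 +0000] conn=7 op=1 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Nov/2012:21:12:31 +0000] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[01/Nov/2012:21:13:45 +0000] conn=8 fd=67 slot=67 connection from 192.0.2.13 to 192.0.2.1
[01/Nov/2012:21:13:45 +0000] conn=8 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Nov/2012:21:13:45 +0000] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0
'''
LINE = re.compile(r"conn=(\d+) (?:op=(\d+) )?(.*)$", re.M)
OPEN = re.compile(r"fd=\d+ slot=\d+ (SSL )?connection from (\S+)")
BIND = re.compile(r'BIND dn="([^"]*)" method=128')  # method=128 is a simple bind

def cleartext_simple_binds(log_text):
    """Return (conn, client, dn, err) for simple binds sent before TLS was active."""
    conns, pending, findings = {}, {}, []
    for m in LINE.finditer(log_text):
        conn, op, rest = m.groups()
        state = conns.setdefault(conn, {"tls": False, "client": "unknown"})
        opened, bind = OPEN.match(rest), BIND.match(rest)
        result = re.match(r"RESULT err=(\d+)", rest)
        if op is None and opened:
            state.update(tls=bool(opened.group(1)), client=opened.group(2))
        elif bind:
            pending[(conn, op)] = ("bind", bind.group(1), state["tls"])  # TLS state at bind time
        elif rest.startswith(f'EXT oid="{STARTTLS_OID}"'):
            pending[(conn, op)] = ("starttls", None, None)
        elif result and (conn, op) in pending:
            kind, dn, tls = pending.pop((conn, op))
            err = int(result.group(1))
            if kind == "starttls" and err == 0:
                state["tls"] = True  # later operations on this connection are encrypted
            elif kind == "bind" and dn and not tls:  # an empty DN is an anonymous bind
                findings.append((int(conn), state["client"], dn, err))
    return findings

if __name__ == "__main__":
    print(*cleartext_simple_binds(SAMPLE_LOG), sep="\n")
```

In the sample, err=49 is LDAP invalidCredentials and err=0 is success; in both cases the bind request crossed the network without encryption.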



