[Freeipa-users] LDAP authentication for 3rd party
John Dennis
jdennis at redhat.com
Thu Apr 11 19:04:38 UTC 2013
On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
> hi,
> I've got a problem with using IPA as authentication source over LDAP.
> Generally there are two approaches to LDAP authentication:
> 1. bind using admin account and read passwords from user objects (but in
> ipa you cannot read passwords through ldap, right?)
> 2. "bind to authenticate" - service tries to log in to ldap with user's
> credentials. If login is successful authentication is also successful -
> this approach does not work because you cannot login to IPA ldap using
> bare username, you need a full LDAP DN.
Most applications I know of that do "bind as user" to authenticate also
permit you to specify a format string into which the user name is
inserted (i.e. the format string is the dn, e.g.
"uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search
to discover the dn. If your application does not support either approach
it's broken IMHO.
Reading passwords and/or password hashes is not supported for security
reasons.
> Now, I've got a 3rd party application supporting both mentioned above
> approaches and the question is - how to make it work with ipa?
>
> thanks in advance,
> Bartek.
--
John Dennis <jdennis at redhat.com>
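The two "bind as user" approaches from the reply (DN format string, or search to discover the DN, then bind with the user's own password), worked through as an added example that is not part of the thread or of FreeIPA's code. The client object interface and the in-memory directory are assumptions standing in for a real LDAP library; the escaping functions are what keeps a login name from altering the DN or the search filter it is inserted into.

```python
# Added example, not from the thread: DN-template and search-then-bind flows.
# Assumes an LDAP client object exposing bind(dn, password) -> bool and
# search(base, ldap_filter, attrs) -> [(dn, attrs), ...], e.g. a thin ldap3 wrapper.

USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"  # IPA tree from the reply

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    out = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, code)
    return out

def user_dn_from_template(username: str) -> str:
    """Approach 1: insert the login name into the fixed DN format string."""
    return f"uid={escape_dn_value(username)},{USER_BASE}"

def search_then_bind(conn, username: str, password: str):
    """Approach 2: find the entry by uid, then bind as that DN. Returns DN or None."""
    if not password:  # an empty password is an anonymous bind, which would "succeed"
        return None
    ldap_filter = f"(uid={escape_filter_value(username)})"
    entries = conn.search(USER_BASE, ldap_filter, ["uid"])
    if len(entries) != 1:  # unknown user or ambiguous result
        return None
    dn = entries[0][0]
    return dn if conn.bind(dn, password) else None

class InMemoryDirectory:
    """Constructed stand-in for a real LDAP client so the flow runs offline."""
    def __init__(self, users):  # users: {uid: password}
        self._users = users
    def search(self, base, ldap_filter, attrs):
        uid = ldap_filter[len("(uid="):-1] if ldap_filter.startswith("(uid=") else None
        return [(f"uid={uid},{base}", {"uid": [uid]})] if uid in self._users else []
    def bind(self, dn, password):
        uid = dn.split(",", 1)[0][len("uid="):]
        return self._users.get(uid) == password
```

With a real client, the search step runs on a separate connection (anonymous or a read-only service account) and the bind step on the user's own, so a failed bind never leaves the search connection authenticated as the user.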