[Freeipa-users] LDAP authentication for 3rd party
Rich Megginson
rmeggins at redhat.com
Fri Apr 12 13:59:39 UTC 2013
On 04/11/2013 11:58 PM, Peter Brown wrote:
> On 12 April 2013 15:51, Simon Williams <simon.williams at thehelpfulcat.com> wrote:
>
> I use Atlassian products, but use Crowd to provide single signon.
> This means that Crowd is the only application that needs to
> authenticate against LDAP. I found that I had to tell Crowd that
> the server was 389 DS. I could not get it to work set to OpenLDAP.
>
>
> I had a look at crowd but it seemed like overkill when I could just
> point everything at FreeIPA.
> We are a small shop so the extra queries weren't going to affect much.
> I tried telling my Atlassian apps that freeipa was a 389 ds server
> but it refused to work properly.
Not sure what that means, exactly. Check the 389 access logs to see
what operations Atlassian is performing against 389.
> Slightly strange considering the ldap modules for all of them are the
> same as the one used in crowd.
>
> Regards
>
> Simon
>
> On 11 Apr 2013 23:36, "Peter Brown" <rendhalver at gmail.com> wrote:
>
> On 12 April 2013 05:04, John Dennis <jdennis at redhat.com> wrote:
>
> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>
> hi,
> I've got a problem with using IPA as authentication
> source over LDAP.
> Generally there are two approaches to LDAP authentication:
> 1. bind using admin account and read passwords from
> user objects (but in
> ipa you cannot read passwords through ldap, right?)
> 2. "bind to authenticate" - service tries to log in to
> ldap with user's
> credentials. If login is successful authentication is
> also successful -
> this approach does not work because you cannot login
> to IPA ldap using
> bare username, you need a full LDAP DN.
>
>
> Most applications I know of that do "bind as user" to
> authenticate also permit you to specify a format string
> into which the user name is inserted (i.e. the format
> string is the dn, e.g.
> "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they
> do a search to discover the dn. If your application does
> not support either approach it's broken IMHO.
>
>
> I have used this method for Confluence, Jira, Stash, Icinga
> and Foreman.
> I will be adding more applications in the future as well.
> If the application doesn't support Kerberos it's the next best
> thing in my opinion.
> I have also used it to get email lists into dovecot and postfix.
>
> One caveat I found is you need to tell Atlassian applications
> that FreeIPA is a plain OpenLDAP server to get it to work.
> Apart from that it works "out of the box" as they say.
>
>
>
> Reading passwords and/or password hashes is not supported
> for security reasons.
>
> Now, I've got a 3rd party application supporting both
> mentioned above
> approaches and the question is - how to make it work
> with ipa?
>
> thanks in advance,
> Bartek.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
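The two "bind as user" approaches John Dennis describes above, a DN format string such as "uid=%u,cn=users,cn=accounts,dc=example,dc=com" and a search to discover the DN followed by a bind, as an added example that is not code from this thread, from FreeIPA or from any of the applications named. The directory "server" is an in-memory dict standing in for 389 DS, and the users, passwords and DNs in it are constructed; what the example adds beyond the thread is the RFC 4514 / RFC 4515 escaping each approach needs so that a login name cannot alter the DN or widen the search filter, plus the rule of refusing to bind when the search matches more than one entry.

```python
"""Added example (not from the thread): the two ways an application can
turn a bare login name into a bind DN for FreeIPA / 389 DS, (1) a DN format
string and (2) search-then-bind, with the value escaping each one needs.
The 'server' is an in-memory dict standing in for a real directory; the
DNs, users and passwords below are constructed."""
import re
from typing import List, Optional

BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"   # FreeIPA users container
DN_TEMPLATE = "uid=%u," + BASE_DN                    # format string from the thread

# Constructed stand-in directory: DN -> attributes.  Plaintext passwords live
# here only because this is a fake; a real IPA server never exposes them.
DIRECTORY = {
    "uid=bartek," + BASE_DN: {"uid": "bartek", "userPassword": "s3cret"},
    "uid=admin," + BASE_DN:  {"uid": "admin",  "userPassword": "adminpw"},
}


def escape_rdn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514), so a login name such as
    'x,cn=admins' cannot add RDNs to the DN the template produces."""
    out = re.sub(r'([\\,+"<>;])', r'\\\1', value)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515), so '*', '('
    or ')' in a login name cannot widen or break the (uid=...) filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _unescape_filter_value(value: str) -> str:
    # Server-side view: "\xx" hex escapes become the literal character.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def fake_search(ldap_filter: str, base: str) -> List[str]:
    """Stand-in for the server side of a one-attribute filter such as
    (uid=value): an unescaped '*' is a wildcard, exactly as on a real server."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, pattern = m.groups()
    pieces = [re.escape(_unescape_filter_value(p)) for p in pattern.split("*")]
    regex = re.compile(".*".join(pieces))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and regex.fullmatch(attrs.get(attr, ""))]


def fake_bind(dn: str, password: str) -> bool:
    """Simple bind against the stand-in: the entry must exist and the
    password must match (the fake compares DNs as plain strings)."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def dn_from_template(username: str) -> str:
    """Approach 1: substitute the escaped login name into the DN template."""
    return DN_TEMPLATE.replace("%u", escape_rdn_value(username))


def search_dn(username: str) -> Optional[str]:
    """Approach 2: search (uid=<name>) under the users container and return
    the entry's DN only when exactly one entry matches."""
    hits = fake_search("(uid=%s)" % escape_filter_value(username), BASE_DN)
    return hits[0] if len(hits) == 1 else None


def authenticate_template(username: str, password: str) -> bool:
    return fake_bind(dn_from_template(username), password)


def authenticate_search(username: str, password: str) -> bool:
    dn = search_dn(username)
    return dn is not None and fake_bind(dn, password)


if __name__ == "__main__":
    print("template bind:", authenticate_template("bartek", "s3cret"))
    print("search bind:  ", authenticate_search("bartek", "s3cret"))
    print("unescaped '*' would match:", fake_search("(uid=*)", BASE_DN))
    print("escaped '*' matches:      ", search_dn("*"))
```

With a real server the dict lookups become an LDAP search and an LDAP simple bind over TLS; the escaping functions and the "exactly one hit" rule are the parts worth keeping, since they are what stops a submitted login name from being interpreted as DN or filter syntax.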