[Freeipa-users] LDAP authentication for 3rd party

Rich Megginson rmeggins at redhat.com
Fri Apr 12 13:59:39 UTC 2013


On 04/11/2013 11:58 PM, Peter Brown wrote:
> On 12 April 2013 15:51, Simon Williams 
> <simon.williams at thehelpfulcat.com 
> <mailto:simon.williams at thehelpfulcat.com>> wrote:
>
>     I use Atlassian products, but use Crowd to provide single signon.
>     This means that Crowd is the only application that needs to
>     authenticate against LDAP. I found that I had to tell Crowd that
>     the server was 389 DS. I could not get it to work set to OpenLDAP.
>
>
> I had a look at crowd but it seemed like overkill when I could just 
> point everything at FreeIPA.
> We are a small shop so the extra queries weren't going to affect much.
> I tried telling my Atlassian apps that freeipa was a 389 ds server 
> but it refused to work properly.

Not sure what that means, exactly.  Check the 389 access logs to see 
what operations Atlassian is performing against 389.

> Slightly strange considering the ldap modules for all of them are the 
> same as the one used in crowd.
>
>     Regards
>
>     Simon
>
>     On 11 Apr 2013 23:36, "Peter Brown" <rendhalver at gmail.com
>     <mailto:rendhalver at gmail.com>> wrote:
>
>         On 12 April 2013 05:04, John Dennis <jdennis at redhat.com
>         <mailto:jdennis at redhat.com>> wrote:
>
>             On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>
>                 hi,
>                 I've got a problem with using IPA as authentication
>                 source over LDAP.
>                 Generally there are two approaches to LDAP authentication:
>                 1. bind using admin account and read passwords from
>                 user objects (but in
>                 ipa you cannot read passwords through ldap, right?)
>                 2. "bind to authenticate" - service tries to log in to
>                 ldap with user's
>                 credentials. If login is successful authentication is
>                 also successful -
>                 this approach does not work because you cannot login
>                 to IPA ldap using
>                 bare username, you need a full LDAP DN.
>
>
>             Most applications I know of that do "bind as user" to
>             authenticate also permit you to specify a format string
>             into which the user name is inserted (i.e. the format
>             string is the dn, e.g.
>             "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they
>             do a search to discover the dn. If your application does
>             not support either approach it's broken IMHO.
>
>
>         I have used this method for Confluence, Jira, Stash, Icinga
>         and Foreman.
>         I will be adding more applications in the future as well.
>         If the application doesn't support Kerberos it's the next best
>         thing in my opinion.
>         I have also used it to get email lists into dovecot and postfix.
>
>         One caveat I found is you need to tell Atlassian applications
>         that FreeIPA is a plain OpenLDAP server to get it to work.
>         Apart from that it works "out of the box" as they say.
>
>
>
>             Reading passwords and/or password hashes is not supported
>             for security reasons.
>
>                 Now, I've got a 3rd party application supporting both
>                 mentioned above
>                 approaches and the question is - how to make it work
>                 with ipa?
>
>                 thanks in advance,
>                 Bartek.
>
>
>                 _______________________________________________
>                 Freeipa-users mailing list
>                 Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>                 https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>             -- 
>             John Dennis <jdennis at redhat.com <mailto:jdennis at redhat.com>>
>
>             Looking to carve out IT costs?
>             www.redhat.com/carveoutcosts/
>             <http://www.redhat.com/carveoutcosts/>
>
>
>
>
>
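Added example (my own code, not from this thread, FreeIPA, 389 DS or Atlassian). The first half shows the two "bind as user" wirings John describes: the DN format string he quotes, and the search-then-bind variant where a service account first looks up the user's DN by uid. Either way the user-supplied name is spliced into a DN or a search filter, so the helpers apply RFC 4514 / RFC 4515 escaping rather than plain string formatting. The second half is the check Rich suggests: it reads 389 DS access-log lines and lists, per connection, which BIND and SRCH operations a client performed and the err code each got back (err=49 is invalidCredentials), which is how you tell whether an application is binding with a full DN or a bare name. The log lines, the service-account DN under cn=sysaccounts,cn=etc and the user bartek are constructed for the example; the DN template is the one quoted in the thread.

```python
"""Search-then-bind helpers and a 389 DS access-log summarizer (added example)."""
import re
from collections import OrderedDict

# DN format string quoted in the thread; "%u" is where the user name goes.
DN_TEMPLATE = "uid=%u,cn=users,cn=accounts,dc=example,dc=com"
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515 rules)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn_from_template(username, template=DN_TEMPLATE):
    """Approach 1: build the bind DN from a format string; no search needed."""
    return template.replace("%u", escape_dn_value(username))


def user_search_filter(username):
    """Approach 2: filter a service account uses under USER_BASE to discover the
    user's DN; the application then binds as that DN with the user's password."""
    return "(uid=%s)" % escape_filter_value(username)


# 389 DS access-log line shape: "[timestamp] conn=N op=M <operation ...>".
_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
_BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
_SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
_RESULT = re.compile(r"^RESULT err=(?P<err>\d+)")


def summarize_access_log(lines):
    """One record per BIND/SRCH operation, carrying the err code of its RESULT line.
    Connection open/close lines (no op=) and other operations are skipped."""
    ops = OrderedDict()
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        b, s, r = _BIND.match(rest), _SRCH.match(rest), _RESULT.match(rest)
        if b:
            ops[key] = {"conn": key[0], "op": key[1], "type": "BIND",
                        "dn": b.group("dn"), "err": None}
        elif s:
            ops[key] = {"conn": key[0], "op": key[1], "type": "SRCH",
                        "base": s.group("base"), "filter": s.group("filter"), "err": None}
        elif r and key in ops:
            ops[key]["err"] = int(r.group("err"))
    return list(ops.values())


def failed_binds(records):
    """DNs whose bind was rejected (err=49 is LDAP invalidCredentials)."""
    return [rec["dn"] for rec in records
            if rec["type"] == "BIND" and rec["err"] not in (None, 0)]


# Constructed sample: service account searches for the user, then the user's
# own bind on a second connection fails with a wrong password.
SAMPLE_ACCESS_LOG = [
    '[12/Apr/2013:09:00:01 -0400] conn=123 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1',
    '[12/Apr/2013:09:00:01 -0400] conn=123 op=0 BIND dn="uid=atlassian,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3',
    '[12/Apr/2013:09:00:01 -0400] conn=123 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=atlassian,cn=sysaccounts,cn=etc,dc=example,dc=com"',
    '[12/Apr/2013:09:00:01 -0400] conn=123 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=bartek)" attrs="dn"',
    '[12/Apr/2013:09:00:01 -0400] conn=123 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
    '[12/Apr/2013:09:00:02 -0400] conn=124 op=0 BIND dn="uid=bartek,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3',
    '[12/Apr/2013:09:00:02 -0400] conn=124 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[12/Apr/2013:09:00:02 -0400] conn=124 op=1 UNBIND',
]

if __name__ == "__main__":
    print(bind_dn_from_template("bartek"))
    print(user_search_filter("bartek"))
    records = summarize_access_log(SAMPLE_ACCESS_LOG)
    for rec in records:
        print(rec)
    print("failed binds:", failed_binds(records))
```

Run it against a real access log with `summarize_access_log(open("/var/log/dirsrv/slapd-INSTANCE/access"))`: a client that is sending a bare user name will show up as a BIND whose dn is not a full DN, or as a SRCH that returns nentries=0 followed by no user bind at all.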
