[Freeipa-users] LDAP authentication for 3rd party

Peter Brown rendhalver at gmail.com
Mon Apr 15 23:14:47 UTC 2013


On 12 April 2013 23:59, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 04/11/2013 11:58 PM, Peter Brown wrote:
>
> On 12 April 2013 15:51, Simon Williams <simon.williams at thehelpfulcat.com> wrote:
>
>> I use Atlassian products, but use Crowd to provide single signon. This
>> means that Crowd is the only application that needs to authenticate against
>> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
>> not get it to work set to OpenLDAP.
>>
>
>  I had a look at crowd but it seemed like overkill when I could just
> point everything at FreeIPA.
>  We are a small shop so the extra queries weren't going to affect much.
>  I tried telling my Atlassian apps that freeipa was a 389 ds server but
> it refused to work properly.
>
>
> Not sure what that means, exactly.  Check the 389 access logs to see what
> operations Atlassian is performing against 389.
>

I don't remember the exact error and they get used every day and they work
as is so I will have to wait for an update to switch it over to see what
errors it produces.


>
>
>   Slightly strange considering the ldap modules for all of them are the
> same as the one used in crowd.
>
>
>> Regards
>>
>> Simon
>>   On 11 Apr 2013 23:36, "Peter Brown" <rendhalver at gmail.com> wrote:
>>
>>> On 12 April 2013 05:04, John Dennis <jdennis at redhat.com> wrote:
>>>
>>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>>
>>>>> hi,
>>>>> I've got a problem with using IPA as authentication source over LDAP.
>>>>> Generally there are two approaches to LDAP authentication:
>>>>> 1. bind using admin account and read passwords from user objects (but
>>>>> in ipa you cannot read passwords through ldap, right?)
>>>>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>>>>> credentials. If login is successful authentication is also successful -
>>>>> this approach does not work because you cannot login to IPA ldap using
>>>>> bare username, you need a full LDAP DN.
>>>>>
>>>>
>>>>  Most applications I know of that do "bind as user" to authenticate
>>>> also permit you to specify a format string into which the user name is
>>>> inserted (i.e. the format string is the dn, e.g.
>>>> "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search to
>>>> discover the dn. If your application does not support either approach it's
>>>> broken IMHO.
>>>>
>>>
>>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
>>>  I will be adding more applications in the future as well.
>>>  If the application doesn't support Kerberos it's the next best thing
>>> in my opinion.
>>> I have also used it to get email lists into dovecot and postfix.
>>>
>>>  One caveat I found is you need to tell Atlassian applications that
>>> FreeIPA is a plain OpenLDAP server to get it to work.
>>>  Apart from that it works "out of the box" as they say.
>>>
>>>
>>>
>>>>
>>>> Reading passwords and/or password hashes is not supported for security
>>>> reasons.
>>>>
>>>>> Now, I've got a 3rd party application supporting both mentioned above
>>>>> approaches and the question is - how to make it work with ipa?
>>>>>
>>>>> thanks in advance,
>>>>> Bartek.
>>>>>
>>>>>
>>>>>  _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>
>>>> --
>>>> John Dennis <jdennis at redhat.com>
>>>>
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
>
>
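Added example, not part of this thread or of FreeIPA or Atlassian code: the two "bind as user" patterns John Dennis describes above, a DN format string with the user name substituted in (the `uid=%u,cn=users,cn=accounts,dc=example,dc=com` template quoted in the thread), and a search for the user's DN followed by a bind as that DN. The directory is an in-memory stand-in so the script runs offline; the accounts, passwords and the service-account DN are constructed for the example, and the filter and DN escaping is what keeps a user-supplied name from altering the search or the bind DN.

```python
"""Added example (not from the thread): DN-template and search-then-bind
authentication against an in-memory stand-in for the LDAP server."""

from dataclasses import dataclass

# RFC 4515 escaping: a user-supplied value must not be able to change the
# filter's structure (e.g. "*" or "alice)(uid=bob" would otherwise alter it).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN template."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class FakeDirectory:
    """Stand-in for the LDAP server: DN -> entry. A real server keeps only a
    password hash and never hands it out, which is why the client must bind."""
    entries: dict

    def simple_bind(self, dn: str, password: str) -> bool:
        # An empty password is an "unauthenticated" bind (RFC 4513 s5.1.2), which
        # some servers accept, so a careful client refuses to send one.
        entry = self.entries.get(dn)
        return entry is not None and password != "" and entry["password"] == password

    def search(self, base: str, ldap_filter: str) -> list:
        # Supports only the "(uid=<escaped value>)" equality filter built below.
        assert ldap_filter.startswith("(uid=") and ldap_filter.endswith(")")
        wanted = ldap_filter[5:-1]
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and escape_filter(e["uid"]) == wanted]


def auth_by_template(directory, template: str, username: str, password: str) -> bool:
    """Approach 1: substitute the user name into the DN format string, then bind."""
    if not username or not password:
        return False
    return directory.simple_bind(template.replace("%u", escape_dn_value(username)), password)


def auth_by_search(directory, service_dn: str, service_pw: str, base: str,
                   username: str, password: str) -> bool:
    """Approach 2: bind as a read-only service account, search for the user's DN,
    then bind as that DN with the user's own password."""
    if not username or not password:
        return False
    if not directory.simple_bind(service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    matches = directory.search(base, f"(uid={escape_filter(username)})")
    if len(matches) != 1:  # none or ambiguous: refuse rather than guess
        return False
    return directory.simple_bind(matches[0], password)


# Constructed sample data. The user DN layout follows the format string quoted
# in the thread; the service-account DN is an assumption made for this example.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
DN_TEMPLATE = "uid=%u," + USER_BASE
SERVICE_DN = "uid=svc-app,cn=sysaccounts,cn=etc,dc=example,dc=com"
DIRECTORY = FakeDirectory({
    "uid=alice," + USER_BASE: {"uid": "alice", "password": "correct horse"},
    "uid=bob," + USER_BASE: {"uid": "bob", "password": "battery staple"},
    SERVICE_DN: {"uid": "svc-app", "password": "svc-secret"},
})


def login_template(username: str, password: str) -> bool:
    return auth_by_template(DIRECTORY, DN_TEMPLATE, username, password)


def login_search(username: str, password: str) -> bool:
    return auth_by_search(DIRECTORY, SERVICE_DN, "svc-secret", USER_BASE, username, password)


if __name__ == "__main__":
    print(login_template("alice", "correct horse"))  # True
    print(login_search("alice", "correct horse"))    # True
    print(login_search("*", "correct horse"))        # False: escaped, no wildcard
    print(login_search("alice", ""))                 # False: no unauthenticated bind
```

The search variant is the one to prefer when the application supports it: the service account needs only read access to the user subtree, the user's DN does not have to follow a fixed layout, and a lookup that returns zero or several entries is treated as a failure instead of a guess. With either variant, an empty password must be rejected by the application before any bind request is sent.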