[Freeipa-users] LDAP authentication for 3rd party

Simo Sorce simo at redhat.com
Thu Apr 11 23:27:11 UTC 2013


On Thu, 2013-04-11 at 14:59 -0400, Rob Crittenden wrote:
> Bartek Moczulski wrote:
> > hi,
> > I've got a problem with using IPA as authentication source over LDAP.
> > Generally there are two approaches to LDAP authentication:
> > 1. bind using admin account and read passwords from user objects (but in
> > ipa you cannot read passwords through ldap, right?)
> > 2. "bind to authenticate" - service tries to log in to ldap with user's
> > credentials. If login is successful authentication is also successful -
> > this approach does not work because you cannot login to IPA ldap using
> > bare username, you need a full LDAP DN.
> >
> > Now, I've got a 3rd party application supporting both mentioned above
> > approaches and the question is - how to make it work with ipa?
> >
> > thanks in advance,
> 
> We won't do #1. In our opinion it is insecure to share password hashes.
> 
> For #2 AFAIK LDAP simple bind requires a DN. Typically the app does a 
> search on the uid, gets the DN, then attempts a bind.
> 
> I'd be curious to know what LDAP servers your 3rd party app is certified 
> against.

AD supports simple binds with a username instead of a DN ... yeah not
standard but we might want to support it, we have a pre-bind plugin
after all, so we could if we want to, just a matter of creating a RFE
ticket.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
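
The search-then-bind flow Rob describes (look the uid up, take the DN that comes back, then simple-bind as that DN) is where most third-party apps get LDAP authentication subtly wrong. The example below is added here and is not code from the FreeIPA project or from anyone in this thread. It uses a constructed in-memory stand-in for the directory so it runs offline; the base DN, the two sample user entries and the FakeDirectory class are all assumptions. Against a real IPA server the same two operations would go through python-ldap or ldap3 (assumed, not shown). Beyond the thread's description it also carries the three checks a relying app needs: escaping the uid before it goes into the filter, insisting on exactly one search hit, and refusing an empty password, because a simple bind with a DN and an empty password is an unauthenticated bind that succeeds on most servers without proving anything.

```python
"""Search-then-bind LDAP authentication with the checks a relying app needs.

Added example; not FreeIPA code. The directory is a constructed in-memory
stand-in so the flow runs offline. Against a real IPA server the same two
operations (search for the uid, simple bind as the returned DN) would go
through python-ldap or ldap3, which is assumed and not shown here.
"""
import re
from typing import Dict, List, Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this a uid such as '*' or 'x)(uid=*' rewrites the filter the app
    sends, and the search can return a DN the caller never owned.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)


class FakeDirectory:
    """Constructed stand-in for the two LDAP operations the app needs.

    It copies two real-server behaviours that matter here: an unescaped '*'
    in a filter value is a wildcard, and a simple bind with an empty
    password is an unauthenticated bind that *succeeds* (RFC 4513, 5.1.2)
    without saying anything about the password.
    """

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries  # dn -> attributes

    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        """Return DNs under base_dn matching a filter of the form (uid=...)."""
        if not (ldap_filter.startswith('(uid=') and ldap_filter.endswith(')')):
            raise ValueError('stand-in only understands (uid=...) filters')
        raw = ldap_filter[5:-1]
        # Unescaped '*' splits the value into wildcard segments; '\xx'
        # escapes decode to the literal character, as a real server does.
        parts = [re.sub(r'\\([0-9a-fA-F]{2})',
                        lambda m: chr(int(m.group(1), 16)), p)
                 for p in raw.split('*')]
        pattern = re.compile('^' + '.*'.join(re.escape(p) for p in parts) + '$')
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and pattern.match(attrs.get('uid', ''))]

    def simple_bind(self, dn: str, password: str) -> Optional[str]:
        """Return the authorization identity after a simple bind: the DN on
        success, '' for an unauthenticated bind, None if rejected."""
        if password == '':
            return ''  # unauthenticated bind: "succeeds", authorizes nobody
        entry = self.entries.get(dn)
        if entry is None or entry.get('userPassword') != password:
            return None
        return dn


def authenticate(directory: FakeDirectory, base_dn: str,
                 uid: str, password: str) -> Optional[str]:
    """Search-then-bind. Returns the user's DN on success, None otherwise."""
    # 1. Refuse empty passwords before talking to the server: a simple bind
    #    with a DN and no password is an unauthenticated bind and succeeds,
    #    so a bare "bind succeeded" does not mean "password correct".
    if not password:
        return None
    # 2. Resolve uid -> DN with the value escaped, so the user cannot rewrite
    #    the filter, and insist on exactly one match. (The search itself runs
    #    anonymously or under a low-privilege service account depending on
    #    the directory's ACIs; the stand-in needs no bind for it.)
    matches = directory.search(base_dn,
                               '(uid=%s)' % escape_filter_value(uid))
    if len(matches) != 1:
        return None
    dn = matches[0]
    # 3. Bind as that DN with the supplied password. The server checks the
    #    stored hash; the application never reads or compares it.
    return dn if directory.simple_bind(dn, password) == dn else None


BASE_DN = 'cn=users,cn=accounts,dc=example,dc=test'  # IPA-style user container
ALICE_DN = 'uid=alice,' + BASE_DN

# Constructed sample directory with two IPA-style user entries.
SAMPLE_DIRECTORY = FakeDirectory({
    ALICE_DN: {'uid': 'alice', 'userPassword': 'correct horse'},
    'uid=bob,' + BASE_DN: {'uid': 'bob', 'userPassword': 'hunter2'},
})

if __name__ == '__main__':
    print(authenticate(SAMPLE_DIRECTORY, BASE_DN, 'alice', 'correct horse'))
    print(authenticate(SAMPLE_DIRECTORY, BASE_DN, 'alice', ''))     # None
    print(authenticate(SAMPLE_DIRECTORY, BASE_DN, '*', 'hunter2'))  # None
```

The stand-in's simple_bind returning '' for an empty password is the behaviour to watch for in a real client library: many of them report that bind as a success, which is why the empty-password check sits in the application before any network call rather than being left to the server.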
