[Freeipa-users] FreeIPA for AMM users management

Petr Spacek pspacek at redhat.com
Wed Feb 27 09:31:05 UTC 2013


On 27.2.2013 04:07, Артур Файзуллин wrote:
> Ok! I will try :) but would you give me some advice :) what configs to
> put. should I use:

Well, we don't know anything about AMM. This is the freeipa-users list :-)

We can try to give you some advice if you provide links to the documentation for 
the exact AMM version you use.

My best guess (without looking at the AMM docs):

> * "Use LDAP Servers for Authentication and Authorization"
Probably yes.

> * "Use DNS to find LDAP Servers"
> 	and put here the domain name of the IPA server?
Probably yes.

> * should in "Active Directory Settings" Enhanced role-based security be
> enabled?
I would disable any AD specific things (at least for the beginning).

> And what does AMM Target Name mean?
I have no idea. Please consult the AMM docs.

> * root dn = something like this dc=example,dc=com ?
The question is what "root" means in IBM's world. The FreeIPA domain "example.com" has 
the root of its LDAP tree at "dc=example,dc=com". You can also try 
"cn=users,cn=compat,dc=example,dc=com" and 
"cn=users,cn=accounts,dc=example,dc=com".

> * Binding method which one to choose?
> 	w/ Configured Credentials
I guess: This method will use a special account created specifically for AMM.

> 	w/ Login Credentials
I guess: This method will try to do an LDAP BIND with the credentials provided by 
the user for the particular login attempt. I would prefer this method.

> Some questions may be stupid, but I want to be sure in them :)

I really don't know the AMM specifics. Please read all the AMM documentation you 
can find and try various settings. We can provide general advice and publish your 
findings on freeipa.org.

Any contributions welcome!

Petr^2 Spacek

> On Tue, 26/02/2013 at 12:41 +0100, Petr Spacek wrote:
>> On 26.2.2013 11:49, Артур Файзуллин wrote:
>>> And what?
>>> Is there any result? I am trying the same thing with my AMM and IPA
>>
>> Unfortunately, we don't have sufficient information to give you any advice.
>>
>> Please try to provide output from a sniffer as I asked in my last reply. Then we
>> will try to help you. (You can send the data to me privately, if you want.)
>>
>> Petr^2 Spacek
>>
>>> On Mon, 05/11/2012 at 09:32 +0100, Petr Spacek wrote:
>>>> On 11/03/2012 01:12 PM, Pavel Zhukov wrote:
>>>>>> Can you do NS lookup of the IPA server from the AMM box?
>>>>> yes
>>>>>> Can you do kinit from the AMM box against IPA?
>>>>>> Can you do ldapsearch from the AMM box against IPA?
>>>>> no, AMM has restricted shell and web GUI.
>>>>
>>>> Hmm, that is unfortunate. Can you run tcpdump (or a sniffer provided on AMM) on
>>>> the link between AMM and the IPA server? Because there are no records in the access
>>>> log, I will bet on some name resolution or firewall problem.
>>>>
>>>> Does AMM get the right DNS responses (i.e. name and IP address of the IPA server)?
>>>>
>>>> Did AMM establish a TCP connection with the IPA server?
>>>>
>>>> --
>>>> Petr^2 Spacek
>>>>
>>>>>> Do you see anything in the logs from such activity?



