[Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

Martin Kosek mkosek at redhat.com
Thu Sep 12 12:28:45 UTC 2013


On 09/12/2013 01:46 PM, Thomas Raehalme wrote:
> Hi,
> 
> Previously we have used Atlassian Crowd as a source for user data in
> various applications, both in-house built and proprietary such as JIRA
> or Confluence. As we have deployed FreeIPA, I would like to start
> using it as the identity source. Unfortunately using Kerberos is not
> always possible so I am thinking about LDAP which often is an option
> in 3rd party applications.
> 
> Anonymous access to the FreeIPA LDAP is enabled by default. Is it
> possible to configure username/password to access the information?
> Currently vSphere has a problem with anonymous access to LDAP not
> working as intended. Of course it would be nice to be able to restrict
> access anyways.
> 
> If using FreeIPA LDAP as the identity source, how should
> authentication be handled? Is it possible to read the hash code for
> passwords? Is it possible to authenticate against the LDAP service?
> 
> Any advice appreciated!
> 
> Best regards,
> Thomas
> 

When using FreeIPA LDAP as identity source, you could ideally use
Kerberos/GSSAPI authentication. But if that is not available, you can use
simple LDAP binds too. You cannot read the hash codes unless you are
"cn=Directory Manager" (or unless you set ACI allowing that, but this is very
insecure).

If you do not want to access the LDAP anonymously and you do not want to use a
full IPA user for that (added via "ipa user-add"), you can manually add a
system user and use that for binding to LDAP:

# ldapadd -h `hostname` -D "cn=Directory Manager" -x -w kokos123
dn: uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: vsphere
userPassword: SuperSecretPassword

adding new entry
"uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

HTH,
Martin
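A search-then-bind login routine of the kind a 3rd party application would run against FreeIPA with a system account like the one above, as an added example (not from the thread): the base DN, the user container, the group check and the ldap3 library are assumptions, and a login name is escaped before it is placed in the search filter.

```python
# pip install ldap3 (guarded so the pure helpers below also work without it)
try:
    import ldap3
except ImportError:  # pragma: no cover
    ldap3 = None

# Assumed layout, following the DN pattern in Martin's reply.
BASE_DN = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
SYSTEM_DN = f"uid=vsphere,cn=sysaccounts,cn=etc,{BASE_DN}"
USER_BASE = f"cn=users,cn=accounts,{BASE_DN}"  # FreeIPA's user container


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def user_filter(login: str) -> str:
    """Filter that matches exactly one FreeIPA user by uid."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter(login)}))"


def authenticate(server_uri: str, system_password: str, login: str, password: str):
    """Return {'dn', 'groups'} for a valid login, or None.

    Step 1: bind as the system account and look the user up.
    Step 2: bind as the user's own DN with the supplied password, which
    lets the directory (not the application) verify the password.
    """
    if not password:
        # A bind with a DN and an empty password is an *unauthenticated*
        # bind (RFC 4513 5.1.2) and would succeed without proving anything.
        return None
    if ldap3 is None:
        raise RuntimeError("ldap3 is required for a live directory lookup")
    server = ldap3.Server(server_uri, use_ssl=True)
    with ldap3.Connection(server, SYSTEM_DN, system_password, auto_bind=True) as conn:
        conn.search(USER_BASE, user_filter(login), attributes=["uid", "memberOf"])
        if len(conn.entries) != 1:
            return None  # unknown user, or an ambiguous match
        entry = conn.entries[0]
        user_dn = entry.entry_dn
        groups = list(entry.entry_attributes_as_dict.get("memberOf", []))
    user_conn = ldap3.Connection(server, user_dn, password)
    if not user_conn.bind():
        return None  # wrong password, locked or expired account
    user_conn.unbind()
    return {"dn": user_dn, "groups": groups}
```

Point `server_uri` at `ldaps://<your-ipa-server>` and pass the system account's password; group membership is returned so the application can authorize on FreeIPA groups rather than granting every directory user access.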