[Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
Martin Kosek
mkosek at redhat.com
Thu Sep 12 13:33:35 UTC 2013
On 09/12/2013 03:18 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek <mkosek at redhat.com> wrote:
> >> I was just referring to the fact that when a system or application uses LDAP as an
> >> identity and authentication source, it often uses a simple LDAP Bind operation
>> (i.e. accessing LDAP with user+password or) when testing if the user accessing
>> the application provided the right credentials.
>
> Yes, that's true at least for some applications. Does the LDAP in
> FreeIPA allow that kind of login by default for IPA users? If not, is
> it possible to enable it somehow?
>
> Best regards,
> Thomas Raehalme
Well, LDAP is the data backend for all FreeIPA identity data; you can certainly
use plain LDAP binds with them (though Kerberos/GSSAPI auth is preferred).
See an example where I add a new IPA user and do an LDAP bind with his credentials:
# ipa user-add --first=John --last=Doe jdoe --random
-----------------
Added user "jdoe"
-----------------
User login: jdoe
First name: John
Last name: Doe
Full name: John Doe
Display name: John Doe
Initials: JD
Home directory: /home/jdoe
GECOS: John Doe
Login shell: /bin/sh
Kerberos principal: jdoe@EXAMPLE.COM
Email address: jdoe@example.com
Random password: xO3xs5yOv,dL
UID: 470000066
GID: 470000066
Password: True
Member of groups: ipausers
Kerberos keys available: True
# ldapsearch -h `hostname` -D "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" -x -w xO3xs5yOv,dL -b "" -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
...
Martin
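
An added example, not part of the original post: how a third-party application might prepare the simple bind shown above so that it refuses empty passwords, escapes the login before building the DN, and keeps the password off the command line and off the wire in clear text. The function names are hypothetical; it assumes the DN layout from the post, OpenLDAP's ldapwhoami on the client, and a server that offers StartTLS.

```python
import os
import subprocess
import tempfile

# DN layout taken from the post; the host name is supplied by the caller.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"

def escape_rdn_value(value):
    """Escape a string for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def bind_dn(login, password):
    """Return the bind DN, refusing input that must never reach the server."""
    if not login:
        raise ValueError("empty login")
    # A simple bind with a DN and an empty password is an "unauthenticated
    # bind" (RFC 4513, 5.1.2); a server that accepts it reports success
    # without checking any credential.
    if not password:
        raise ValueError("empty password")
    return "uid=%s,%s" % (escape_rdn_value(login), USER_BASE)

def ldapwhoami_argv(host, dn, password_file):
    # -ZZ requires StartTLS so the password is not sent in clear text;
    # -y reads the password from a file instead of exposing it in argv.
    return ["ldapwhoami", "-x", "-ZZ", "-H", "ldap://" + host,
            "-D", dn, "-y", password_file]

def verify(host, login, password):
    """True if the directory accepts the bind (needs OpenLDAP client tools)."""
    dn = bind_dn(login, password)
    fd, path = tempfile.mkstemp()  # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password)  # no trailing newline: -y uses the file verbatim
        result = subprocess.run(ldapwhoami_argv(host, dn, path),
                                capture_output=True)
        return result.returncode == 0
    finally:
        os.unlink(path)
```
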