[Freeipa-users] Deploying freeipa behind nginx
Steve Severance
steve at altosresearch.com
Tue Jan 28 22:29:07 UTC 2014
Hi Everyone,
I have deployed freeipa inside our production network. I want to be able to
access the web ui so I am attempting to add it to our nginx edge machine. I
can pass the requests upstream just fine but I am unable to login using a
username/password. I have enabled password authentication in the kerberos
section of the freeipa httpd config file. In the logs it looks like the
authentication succeeds and a ticket is issued. I assume that the cookie
that is returned (ipa_session) has the authentication information in it.
The subsequent call to get json data fails and I am prompted to login again.
I found this thread (
https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
which has instructions on adding ipa.mydomain.com to the keytab. When I
call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE):
Can't contact LDAP server (-1)
Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
I get:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
So we seem to have a SASL problem. If I run ldapsearch with -x simple
authentication works just fine.
Do I need to do something special to enable SASL so I can get the keytab?
The ipa-getkeytab command does not seem to have an option to use simple
authentication.
Thanks.
Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140128/82145a3d/attachment.htm>
More information about the Freeipa-users
mailing list