[Freeipa-users] Deploying freeipa behind nginx

Sumit Bose sbose at redhat.com
Wed Jan 29 08:11:56 UTC 2014


On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> Hi Everyone,
> 
> I have deployed FreeIPA inside our production network. I want to be able to
> access the web UI, so I am attempting to add it to our nginx edge machine. I
> can pass the requests upstream just fine, but I am unable to log in using a
> username/password. I have enabled password authentication in the Kerberos
> section of the FreeIPA httpd config file. In the logs it looks like the
> authentication succeeds and a ticket is issued. I assume that the cookie
> that is returned (ipa_session) has the authentication information in it.
> The subsequent call to get JSON data fails and I am prompted to log in again.
> 
> I found this thread (
> https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> which has instructions on adding ipa.mydomain.com to the keytab. When I
> call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE):
> Can't contact LDAP server (-1)
> 
> Digging into this, if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
> 
> I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:

Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
GSSAPI ....' ?

bye,
Sumit

> 
> So we seem to have a SASL problem. If I run ldapsearch with -x, simple
> authentication works just fine.
> 
> Do I need to do something special to enable SASL so I can get the keytab?
> The ipa-getkeytab command does not seem to have an option to use simple
> authentication.
> 
> Thanks.
> 
> Steve
