[Freeipa-users] Deploying freeipa behind nginx

Steve Severance steve at altosresearch.com
Fri Jan 31 22:10:25 UTC 2014


Hi Dmitri,

I am using FreeIPA 3.1.5 on Fedora 18. The design basically looks like the
following. All of this is hosted at AWS in our VPC. The nginx box is on a
web-addressable subnet while the FreeIPA box is on a private subnet that is
not internet accessible. My goal is to be able to use the web UI from our
office without having to invest in a hardware VPN connection. So nginx
basically just acts as a reverse proxy and creates the connection on the
user's behalf to the IPA server. I can log in to other machines I have both
in our private data center and in AWS using IPA and that works great as far
as I can tell.

Any more information I can supply? Thanks.

Steve

On Wed, Jan 29, 2014 at 4:18 AM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 01/28/2014 05:29 PM, Steve Severance wrote:
>
> Hi Everyone,
>
>  I have deployed freeipa inside our production network. I want to be able
> to access the web ui so I am attempting to add it to our nginx edge
> machine. I can pass the requests upstream just fine but I am unable to
> log in using a username/password. I have enabled password authentication in
> the kerberos section of the freeipa httpd config file. In the logs it looks
> like the authentication succeeds and a ticket is issued. I assume that the
> cookie that is returned (ipa_session) has the authentication information in
> it. The subsequent call to get json data fails and I am prompted to login
> again.
>
>  I found this thread (
> https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> which has instructions on adding ipa.mydomain.com to the keytab. When I
> call ipa-getkeytab it hangs for a bit before returning: ldap_sasl_bind(SIMPLE):
> Can't contact LDAP server (-1)
>
>  Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
>
>  I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>          additional info: SASL(-4): no mechanism available:
>
>  So we seem to have a SASL problem. If I run ldapsearch with -x simple
> authentication works just fine.
>
>  Do I need to do something special to enable SASL so I can get the
> keytab? The ipa-getkeytab command does not seem to have an option to use
> simple authentication.
>
>  Thanks.
>
>  Steve
>
>
>
> To be able to help a small diagram would be really helpful.
> The error above indicates that there is an entity that tries to connect to
> the LDAP using Kerberos GSSAPI and can't because it either does not have
> kerberos identity or keys or it is misconfigured and can't get to them. The
> diagram of request flow would help to troubleshoot the issue.
>
> What version of FreeIPA are you using? What platform?
>
>  _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
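
An added example (not from this thread, and not a diagnosis of Steve's
particular failure): an nginx reverse-proxy configuration for the layout
described above, with the two things FreeIPA's web UI is sensitive to called
out. FreeIPA's JSON-RPC endpoints under /ipa/session/ reject a request whose
Referer header does not start with https://<ipa-server-fqdn>/ipa, and the
ipa_session cookie is issued for the IPA server's own name, so the least
fragile setup is to publish the proxy under the same FQDN the IPA server uses
(split-horizon DNS: the name resolves to the proxy from the office and to the
private address inside the VPC) and to pass Host and Referer through
unchanged. It also means the HTTP/ service principal the browser negotiates
against stays the one already in the server's keytab, which is the problem
the 2013-August thread works around by adding a second name. All hostnames,
addresses, certificate paths and the office IP range below are assumptions
for illustration; the proxy_ssl_* directives need nginx 1.7.0 or later.

```nginx
# Added example, not configuration from the thread or from the FreeIPA project.
# Assumed names (illustration only):
#   ipa.example.com  - the FreeIPA server's real FQDN, also used for the proxy
#   10.0.1.10        - the IPA server's private VPC address
#   203.0.113.0/24   - the office's public range (documentation range, placeholder)

server {
    listen 443 ssl;
    server_name ipa.example.com;

    # Serve the proxy under the IPA server's own name so that Host, Referer
    # and the session cookie all match what FreeIPA expects.
    ssl_certificate     /etc/nginx/tls/ipa.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/ipa.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The box is on a public subnet; only the office should reach the UI.
    allow 203.0.113.0/24;
    deny  all;

    # Forward only the web UI and its RPC paths, nothing else on the server.
    location /ipa/ {
        proxy_pass https://10.0.1.10;

        # Verify the IPA server's certificate against the IPA CA and send the
        # right SNI name, since we connect by private address.
        proxy_ssl_server_name         on;
        proxy_ssl_name                ipa.example.com;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/ipa-ca.crt;   # assumed path

        # Hand Host and Referer through untouched: FreeIPA compares both
        # against its own FQDN.
        proxy_set_header Host              $host;
        proxy_set_header Referer           $http_referer;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Do not rewrite Set-Cookie or Location: the ipa_session cookie must
        # return to the browser exactly as FreeIPA issued it.
        proxy_cookie_domain off;
        proxy_cookie_path   off;
        proxy_redirect      off;
    }

    # Anything outside /ipa/ is not exposed through the proxy.
    location / {
        return 404;
    }
}
```

To check the proxy the same way the UI does, log in with curl against
https://ipa.example.com/ipa/session/login_password (form fields user and
password, header Accept: text/plain, saving the cookie jar), then POST a
JSON-RPC request such as {"method":"ping","params":[[],{}]} to
https://ipa.example.com/ipa/session/json with that cookie jar, Content-Type:
application/json and Referer: https://ipa.example.com/ipa. If the first call
returns 200 with a Set-Cookie header but the second returns 401, compare the
Domain on the cookie and the Referer being sent with the name the proxy is
reached under.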