[Freeipa-users] Question for AD trust and Webservices

Sumit Bose sbose at redhat.com
Wed Jun 17 08:35:57 UTC 2015 

On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > It should be possible, yes - if you target web service/Red Mine to the compat tree, as it was done for example in this integration:
> >
> > http://www.freeipa.org/page/HowTo/vsphere5_integration
> Tanks, your expression is very helpful for nested group memberships.
> 
> But maybe I expressed myself wrong. We need to logon with an user from Active Directory (like henry) over an Trust with the IPA Domain. But in the IPA domain there aren't a user named henry. Only a reference in the group "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.

The user can be looked up in the compat tree, e.g.

ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry at ad.domain'

HTH

bye,
Sumit

> 
> >
> > BTW, if Redmine is run by Apache, you can also leverage native Web<->SSSD<->FreeIPA/AD integration, following
> Our Redmine is running with an ruby webserver based on lock files and in the front we used an nginx webproxy.
> 
> > http://www.freeipa.org/page/Web_App_Authentication
> >
> > Martin
> 
> 
> >> I understand this is for application which is using Kerberos.
> > No, it is not only for that.
> 
> >> I have some web applications like "redmine" and "owncloud" which have a 
> >> own user management. They needs to be configure to LDAP to grant 
> >> authorizations without Kerberos. And not all of them used apache or 
> >> tomcat as application server.
> > For OwnCloud use
> > https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
> > and read a backstory in https://github.com/owncloud/core/issues/10130
> >
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't need to include the user which runs redmine into shadow group with FreeIPA because user accounts are never in > /etc/shadow for FreeIPA so you don't need that access.
> >
> What you mean with " You don't need to include the user which runs Redmine into shadow group with FreeIPA because user accounts are never in > /etc/shadow for FreeIPA so you don't need that access ".
> Normally we create users and groups in FreeIPA, add the users to the groups. Currently we sync the user and groups to Redmine and grant the permission roles (Developer or Manager) to the groups. In this scenario I can manage remotely the grants for user in every webserver that we used.
> 
> > Both these methods rely on PAM authentication which is powered by SSSD.
> >
> > --
> > / Alexander Bokovoy
> 
> Thanks for your help.
> Henry
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.1.0 (Build 860)
> Charset: us-ascii
> 
> wsBVAwUBVYEuBHEu+nQzo7NUAQhF5ggAhRRwwTW2XkV4wqe3Q4IAbLFvux8KrVpC
> MZ5qovGeyY5N9Fk/MunfC0eg2J2t7KGU9bdJEuWNIZtxH8tLZudRIQL7DMrUs0hF
> yNoCIfa0PgMNhS7OFGMtlpF76YBsA50xP9Qhd8hXOsGMnqaaaZ54psUCO4fOSiLB
> RGFXaFIs6u1odq93DRImVGvy2mBN1MPC+cG1fQHZN089OZ7aFQunNTIWeGptmTX8
> CjspbonsB1HZzN7vRDLs2RKGLm+7f8gv4MZHN1gBFLzTjAAZ1ke2+vOM+e+QmHXL
> GHCx9yPr3C9GvB89cN5tssD/F32Pixa0UzENYAk7CHqQE7cKRpNAOw==
> =jfYn
> -----END PGP SIGNATURE-----
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list