[Freeipa-users] Question for AD trust and Webservices

Henry Hofmann henry.hofmann at osthus.com
Wed Jun 17 11:58:46 UTC 2015


> > > It should be possible, yes - if you target web service/Red Mine to the compat tree, as it was done for example in this integration:
> > >
> > > http://www.freeipa.org/page/HowTo/vsphere5_integration
> > Thanks, your expression is very helpful for nested group memberships.
> 
> But maybe I expressed myself wrong. We need to log on with a user from Active Directory (like henry) over a Trust with the IPA Domain. But in the IPA domain there isn't a user named henry. Only a reference in the group "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.
>
> The user can be looked up in the compat tree, e.g.
>
> ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry at ad.domain'
>
> HTH
>
> bye,
> Sumit

Thanks, I get more and more information and am amazed about FreeIPA and its functionality.
I can successfully log in to Redmine and Cloud with users from the trust domain.

I have added additional attributes for the user accounts like "mail" etc. For the external trust users this is not possible. How can I get this additional information for the trust users?

Best regards,
Henry


-----Original Message-----
From: Sumit Bose [mailto:sbose at redhat.com]
Sent: Wednesday, 17 June 2015 10:36
To: Henry Hofmann
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Question for AD trust and Webservices

On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> 
> > It should be possible, yes - if you target web service/Red Mine to the compat tree, as it was done for example in this integration:
> >
> > http://www.freeipa.org/page/HowTo/vsphere5_integration
> Thanks, your expression is very helpful for nested group memberships.
> 
> But maybe I expressed myself wrong. We need to log on with a user from Active Directory (like henry) over a Trust with the IPA Domain. But in the IPA domain there isn't a user named henry. Only a reference in the group "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.

The user can be looked up in the compat tree, e.g.

ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry at ad.domain'

HTH

bye,
Sumit

> 
> >
> > BTW, if Redmine is run by Apache, you can also leverage native 
> > Web<->SSSD<->FreeIPA/AD integration, following
> Our Redmine is running with a ruby webserver based on lock files and in the front we use an nginx webproxy.
> 
> > http://www.freeipa.org/page/Web_App_Authentication
> >
> > Martin
> 
> 
> >> I understand this is for application which is using Kerberos.
> > No, it is not only for that.
> 
> >> I have some web applications like "redmine" and "owncloud" which 
> >> have their own user management. They need to be configured to LDAP to 
> >> grant authorizations without Kerberos. And not all of them use 
> >> apache or tomcat as application server.
> > For OwnCloud use
> > https://apps.owncloud.com/content/show.php/Unix+user+backend?content
> > =148406 and read a backstory in 
> > https://github.com/owncloud/core/issues/10130
> >
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't need to include the user which runs redmine into shadow group with FreeIPA because user accounts are never in /etc/shadow for FreeIPA so you don't need that access.
> >
> What do you mean with "You don't need to include the user which runs Redmine into shadow group with FreeIPA because user accounts are never in /etc/shadow for FreeIPA so you don't need that access"?
> Normally we create users and groups in FreeIPA and add the users to the groups. Currently we sync the users and groups to Redmine and grant the permission roles (Developer or Manager) to the groups. In this scenario I can remotely manage the grants for users in every webserver that we use.
> 
> > Both these methods rely on PAM authentication which is powered by SSSD.
> >
> > --
> > / Alexander Bokovoy
> 
> Thanks for your help.
> Henry

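The compat-tree lookup Sumit describes, as an added example that is not part of the thread or of FreeIPA itself: it builds the `uid=henry@ad.domain` filter with RFC 4515 escaping (a web service such as Redmine passes the typed login straight into this filter) and parses the LDIF entry that `ldapsearch` prints. The base DN and trusted domain are the ones quoted in the thread; the sample entry and its attribute values are constructed.

```python
import base64
from typing import Dict, List

COMPAT_BASE = "cn=compat,dc=ipa,dc=domain"  # base DN used in the thread
AD_DOMAIN = "ad.domain"                      # trusted AD domain from the thread

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )

def compat_user_filter(login: str, ad_domain: str = AD_DOMAIN) -> str:
    """Filter for an AD trust user in the compat tree: a bare name ("henry")
    is qualified with the trusted domain to match the uid form "henry@ad.domain",
    and the value is escaped so a login typed into a web form cannot alter it."""
    login = login.strip()
    if "@" not in login:
        login = f"{login}@{ad_domain}"
    return f"(uid={escape_filter_value(login)})"

def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry (as printed by ldapsearch) into attr -> values."""
    entry: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

# Constructed sample of a compat-tree entry for a trust user; the attribute
# values are made up (real uidNumber/gidNumber come from SSSD's ID mapping).
SAMPLE_LDIF = """\
dn: uid=henry@ad.domain,cn=users,cn=compat,dc=ipa,dc=domain
objectClass: posixAccount
uid: henry@ad.domain
uidNumber: 1489001234
gidNumber: 1489001234
homeDirectory: /home/ad.domain/henry
"""

if __name__ == "__main__":
    print("ldapsearch -x -b '%s' '%s'" % (COMPAT_BASE, compat_user_filter("henry")))
    print(parse_ldif_entry(SAMPLE_LDIF)["uid"])
```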