[Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

Dan dan at descript.co.uk
Tue Mar 17 17:45:44 UTC 2015


Thomas Raehalme <thomas.raehalme at ...> writes:

> 
> Hi,
> 
> Previously we have used Atlassian Crowd as a source for user data in
> various applications, both in-house built and proprietary such as JIRA
> or Confluence. As we have deployed FreeIPA, I would like to start
> using it as the identity source. Unfortunately using Kerberos is not
> always possible so I am thinking about LDAP which often is an option
> in 3rd party applications.
> 
> Anonymous access to the FreeIPA LDAP is enabled by default. Is it
> possible to configure username/password to access the information?
> Currently vSphere has a problem with anonymous access to LDAP not
> working as intended. Of course it would be nice to be able to restrict
> access anyways.
> 
> If using FreeIPA LDAP as the identity source, how should
> authentication be handled? Is it possible to read the hash code for
> passwords? Is it possible to authenticate against the LDAP service?
> 
> Any advice appreciated!
> 
> Best regards,
> Thomas


Hi,

I have just successfully configured Confluence and JIRA to use FreeIPA for 
their LDAP user directory.

First, create an IPA user group for confluence-users and jira-users using 
the IPA dashboard. Then add a user to both of these groups.

Navigate to the Confluence and JIRA dashboards, then in the "User 
Directories" settings menu add a "Generic Directory Server" and use the 
following settings:

Base DN: You can find this in your IPA config.
Additional User DN: cn=users,cn=accounts
Additional Group DN: cn=groups,cn=accounts
LDAP Permissions: Read Only

Advanced Settings - Defaults are fine for this section

User Schema Settings
User Object Class: inetorgperson
User Object Filter: (objectclass=inetorgperson)
User Name Attribute: uid
User Name RDN Attribute: uid
User First Name Attribute: givenName
User Last Name Attribute: sn
User Display Name Attribute: displayName
User Email Attribute: mail
User Password Attribute: userPassword
User Password Encryption: SHA
User Unique ID Attribute: ipaUniqueID

Group Schema Settings
Group Object Class: ipausergroup
Group Object Filter: (objectclass=ipausergroup)
Group Name Attribute: cn
Group Description: description

Membership Schema Settings	
Group Members Attribute: member
User Membership Attribute: member (This is not used due to the next option)
Use the User Membership Attribute: (Ensure this is unchecked, it is not 
supported)

Now save and test using the user who is in the groups created above.

Hope this helps someone.

Dan
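As an added example, not part of Dan's or Thomas's messages and not FreeIPA or Atlassian code, the script below reproduces offline the lookups the directory settings above describe: the user search filter built from the User Object Filter and User Name Attribute, the user container cn=users,cn=accounts and group container cn=groups,cn=accounts under the base DN, and group membership resolved by searching the groups' "member" attribute for the user's DN (which is what the "Use the User Membership Attribute" option being unchecked means). The base DN dc=example,dc=com, the LDIF entries, and the user and group names in it are constructed assumptions for the example; the filter-escaping helper is ordinary RFC 4515 escaping and is not something the post discusses.

```python
"""Offline check of the FreeIPA directory settings from the post.

SAMPLE_LDIF is a constructed stand-in for what `ldapsearch -LLL` would return
from an IPA server; the base DN, users and groups are assumptions.
"""

BASE_DN = "dc=example,dc=com"              # assumption: use your IPA base DN
USER_CONTAINER = "cn=users,cn=accounts"    # "Additional User DN" from the post
GROUP_CONTAINER = "cn=groups,cn=accounts"  # "Additional Group DN" from the post

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetorgperson
uid: alice
givenName: Alice
sn: Example
mail: alice@example.com
ipaUniqueID: 11111111-2222-3333-4444-555555555555

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetorgperson
uid: bob
givenName: Bob
sn: Example
mail: bob@example.com
ipaUniqueID: 66666666-7777-8888-9999-000000000000

dn: cn=confluence-users,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
cn: confluence-users
description: Confluence users
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=jira-users,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
cn: jira-users
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a plain LDIF dump into a list of {attr: [values]} dicts.
    Attribute names are lower-cased so objectClass and objectclass compare equal."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter(value):
    """RFC 4515 escaping for a value placed inside a search filter, so input
    such as 'x)(uid=*' cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(username):
    """The filter the connector sends: User Object Filter AND User Name Attribute."""
    return "(&(objectclass=inetorgperson)(uid=%s))" % escape_filter(username)


def in_subtree(dn, container):
    return dn.lower().endswith("," + (container + "," + BASE_DN).lower())


def classes(entry):
    return [c.lower() for c in entry.get("objectclass", [])]


def find_user(entries, username):
    """Locate the inetorgperson with this uid under the user container."""
    for e in entries:
        if (in_subtree(e["dn"][0], USER_CONTAINER)
                and "inetorgperson" in classes(e)
                and e.get("uid") == [username]):
            return e
    return None


def groups_of(entries, user_dn):
    """Membership as configured in the post: search each ipausergroup's
    'member' attribute for the user's DN; memberOf on the user is never read."""
    members_of = [m.lower() for e in entries for m in ()]  # placeholder kept empty
    names = []
    for e in entries:
        if (in_subtree(e["dn"][0], GROUP_CONTAINER)
                and "ipausergroup" in classes(e)
                and user_dn.lower() in [m.lower() for m in e.get("member", [])]):
            names.append(e["cn"][0])
    return sorted(names)


def check_login(entries, username):
    """Groups the application would grant the user, or None if no such user."""
    user = find_user(entries, username)
    return None if user is None else groups_of(entries, user["dn"][0])


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    print(user_filter("alice"))
    for name in ("alice", "bob", "mallory"):
        print(name, "->", check_login(data, name))
```

Run against a real export, replace SAMPLE_LDIF with the output of an `ldapsearch -LLL` over the base DN and BASE_DN with the value from your IPA config; a user that the script reports in both confluence-users and jira-users is the one to use for the "save and test" step in the post.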
