[Freeipa-users] FreeIPA and PWM

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 20 15:39:35 UTC 2016


On Wed, 20 Apr 2016, Tiemen Ruiten wrote:
>Hello,
>
>I'm trying to set up a self-service page for a new IPA domain and I'm
>trying to use PWM for that.
>
>When I try to bind to FreeIPA from within PWM, with the configured "LDAP
>Proxy User", I get the following error:
>
>error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
>unable to create connection: unable to bind to ldaps://
>polonium.ipa.rdmedia.com:636 as
>cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
>[LDAP: error code 48 - Inappropriate Authentication]

You are trying to bind as a group, not as a user. Groups have no
passwords.

You need to have a user object or just a sysaccount to bind to LDAP.
See http://www.freeipa.org/page/HowTo/LDAP#System_Accounts for
sysaccounts.

>
>In /var/log/krb5kdc.log I see:
>
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
>etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/
>protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/
>IPA.RDMEDIA.COM at IPA.RDMEDIA.COM, Additional pre-authentication required
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
>fd 12
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
>etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
>etypes {rep=18 tkt=18 ses=18}, host/
>protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/
>IPA.RDMEDIA.COM at IPA.RDMEDIA.COM
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
>fd 12
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6
>etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
>etypes {rep=18 tkt=18 ses=18}, host/
>protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for ldap/
>polonium.ipa.rdmedia.com at IPA.RDMEDIA.COM
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
>fd 12

Kerberos is completely unrelated here.

>
>What is going on? What can I do to debug this more?
>
>
>-- 
>Tiemen Ruiten
>Systems Engineer
>R&D Media



-- 
/ Alexander Bokovoy
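
Added example, not part of the original thread or of FreeIPA's own tooling: a pre-flight check that flags a proxy bind DN pointing at a group entry (the cause of the error 48 above) and emits LDIF for a system account instead. The function names are hypothetical, the container layout is assumed to be the default FreeIPA one, the password is a placeholder, and the LDIF attributes are modelled on the System Accounts HowTo linked in the reply.

```shell
#!/bin/sh
# Normalise a DN for comparison: DNs are case-insensitive and may carry
# spaces after the commas.
norm_dn() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/, */,/g'; }

# classify_bind_dn DN SUFFIX -> prints user | sysaccount | group | other
# Assumes the default containers under the suffix.
classify_bind_dn() {
    dn=$(norm_dn "$1"); suffix=$(norm_dn "$2")
    case "$dn" in
        uid=*,cn=users,cn=accounts,"$suffix")  echo user ;;
        uid=*,cn=sysaccounts,cn=etc,"$suffix") echo sysaccount ;;
        *,cn=groups,cn=accounts,"$suffix")     echo group ;;
        *)                                     echo other ;;
    esac
}

# can_simple_bind DN SUFFIX -> exit 0 only for entry types that hold a password.
can_simple_bind() {
    case "$(classify_bind_dn "$1" "$2")" in
        user|sysaccount) return 0 ;;
        *)               return 1 ;;
    esac
}

# sysaccount_ldif UID SUFFIX -> LDIF that adds a system account.
# The userPassword value is a placeholder; replace it before applying.
sysaccount_ldif() {
    cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$2
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $1
userPassword: CHANGE_ME_PLACEHOLDER
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

SUFFIX='dc=ipa,dc=rdmedia,dc=com'                       # suffix from the thread
BAD="cn=svcpwmproxy,cn=groups,cn=accounts,$SUFFIX"      # DN from the error message
if ! can_simple_bind "$BAD" "$SUFFIX"; then
    echo "cannot bind as $(classify_bind_dn "$BAD" "$SUFFIX") entry: $BAD"
    sysaccount_ldif svcpwmproxy "$SUFFIX"
fi
# On a real server (not run here): pipe the LDIF into
#   ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://polonium.ipa.rdmedia.com:636
# then confirm the new DN binds with ldapwhoami -x -W -H <same URI> -D <new DN>.
```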



