[Freeipa-users] FreeIPA and PWM

Tiemen Ruiten t.ruiten at rdmedia.com
Wed Apr 20 17:44:06 UTC 2016


Thanks Alexander, that got me past that error.

I created the sysaccount and I can bind successfully, but in accordance
with the documentation, it doesn't have rights to modify other users:

Unexpected error while testing ldap test user LDAP ⇨ LDAP Directories ⇨
default ⇨ LDAP Test User, error: javax.naming.NoPermissionException: [LDAP:
error code 50 - Insufficient 'write' privilege to the 'userPassword'
attribute of entry
'uid=test.user,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com'. ]

This LDAP Proxy User will try to do the following things to the LDAP Test
User:

"The following functionality (if enabled) will be tested using the test
user account.

Authentication
Password policy reading
Set password
Set challenge/responses
Load challenge/responses"

What is best practice here, should I grant more privileges to the
sysaccount (how?), or should I create a 'regular' user in the UI/through
the ipa cli and grant the necessary roles there?


On 20 April 2016 at 17:39, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Wed, 20 Apr 2016, Tiemen Ruiten wrote:
>
>> Hello,
>>
>> I'm trying to set up a self-service page for a new IPA domain and I'm
>> trying to use PWM for that.
>>
>> When I try to bind to FreeIPA from within PWM, with the configured "LDAP
>> Proxy User", I get the following error:
>>
>> error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
>> unable to create connection: unable to bind to ldaps://
>> polonium.ipa.rdmedia.com:636 as
>> cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
>> [LDAP: error code 48 - Inappropriate Authentication]
>>
> You are trying to bind as a group, not as a user. Group has no
> passwords.
>
> You need to have a user object or just a sysaccount to bind to LDAP.
> See http://www.freeipa.org/page/HowTo/LDAP#System_Accounts for
> sysaccounts.
>
>
>> In /var/log/krb5kdc.log I see:
>>
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/
>> protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/
>> IPA.RDMEDIA.COM at IPA.RDMEDIA.COM, Additional pre-authentication required
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing
>> down
>> fd 12
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
>> etypes {rep=18 tkt=18 ses=18}, host/
>> protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/
>> IPA.RDMEDIA.COM at IPA.RDMEDIA.COM
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing
>> down
>> fd 12
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6
>> etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
>> etypes {rep=18 tkt=18 ses=18}, host/
>> protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for ldap/
>> polonium.ipa.rdmedia.com at IPA.RDMEDIA.COM
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing
>> down
>> fd 12
>>
> Kerberos is completely unrelated here.
>
>
>
>> What is going on? What can I do to debug this more?
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>
> --
> / Alexander Bokovoy
>



-- 
Tiemen Ruiten
Systems Engineer
R&D Media