[Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...
Rob Crittenden
rcritten at redhat.com
Fri Aug 12 21:13:19 UTC 2016
Michael Sean Conley wrote:
> UID binding - I believe - from what I saw in the script.
>
>
> I ran the nifty search... First on user "binding"...
>
> Got an error 32.
>
> tried it with ddfusr
>
> # ldapsearch -Z -H ldap://aba-idam.aba.home.com -D
> 'uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com' -W -b
> 'cn=users,cn=accounts,dc=aba,dc=home,dc=com' '(uid=ddfusr)' cn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=users,cn=accounts,dc=aba,dc=home,dc=com> with scope subtree
> # filter: (uid=ddfusr)
> # requesting: cn
> #
>
> # ddfusr, users, accounts, aba.home.com
> dn: uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com
> cn: ddf user
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Fabulous.
>
> So, I then checked the java xml file...
>
> <jaas:config name="karaf" rank="1">
> <jaas:module
> className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
> flags="required">
> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
> connection.username=cn=ddfusr
> connection.password=iloveaba!
> connection.url=ldaps://aba-idam.aba.house.com:636
> user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
> user.filter=(uid=%u)
> user.search.subtree=true
> role.base.dn=cn=JBoss,cn=users,cn=accounts,dc=aba,dc=house,dc=com
> role.name.attribute=cn
>
> role.filter=(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
> role.search.subtree=true
> role.mapping=admin=group,admin,manager,viewer,webconsole
> authentication=simple
> ssl.protocol=SSL
> ssl.truststore=truststore
> ssl.algorithm=PKIX
> </jaas:module>
> </jaas:config>
>
> and I tried to log in with the ddfusr account and....
>
> Error 32.

You're still using the wrong user to bind. There is no cn=ddfusr. At
best there is a uid=ddfusr if the user.base is automatically added
(which it probably isn't).

It probably needs to be
uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com just like in the
ldapsearch.

rob
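The point made in this reply, that the bind identity in the Karaf LDAPLoginModule must be the full entry DN (uid=...,cn=users,cn=accounts,...) and not a bare cn=..., can be checked before the login ever reaches the directory. The following Python script is an added example for this thread; it is not part of FreeIPA, Karaf or the original posts. It parses the key=value body of the quoted <jaas:module>, with the password replaced by a placeholder, and reports why connection.username will draw LDAP result code 32 (noSuchObject). The function names and the finding texts are this example's own.

```python
"""Sanity-check the bind DN in a Karaf LDAPLoginModule configuration.

Added example for the thread above; it is not FreeIPA or Karaf code.
"""
import re

# Constructed from the configuration quoted in the thread; the password is
# replaced with a placeholder, everything else is as posted.
KARAF_LDAP_PROPERTIES = """
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username=cn=ddfusr
connection.password=PLACEHOLDER_PASSWORD
connection.url=ldaps://aba-idam.aba.house.com:636
user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
user.filter=(uid=%u)
user.search.subtree=true
role.base.dn=cn=JBoss,cn=users,cn=accounts,dc=aba,dc=house,dc=com
role.name.attribute=cn
authentication=simple
"""

# Standard LDAP result codes seen on bind failures (RFC 4511, section 4.1.9).
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",        # the DN you tried to bind as does not exist
    49: "invalidCredentials",  # the DN exists but the password is wrong
}


def parse_properties(text):
    """Parse 'key=value' lines; only the first '=' splits, so DNs keep theirs."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs on unescaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_bind_dn(props):
    """Return a list of findings explaining why connection.username will fail."""
    findings = []
    bind_dn = props.get("connection.username", "")
    base_dn = props.get("user.base.dn", "")
    try:
        rdns = parse_dn(bind_dn)
    except ValueError as exc:
        return [str(exc)]

    if len(rdns) == 1:
        findings.append(
            f"connection.username={bind_dn!r} is a bare RDN, not a full DN; "
            "the directory answers error 32 (noSuchObject) to such a bind"
        )
    elif base_dn and not bind_dn.lower().endswith(base_dn.lower()):
        findings.append(
            f"connection.username={bind_dn!r} is not under user.base.dn={base_dn!r}"
        )

    # IdM names user entries by uid (the ldapsearch in the thread returned
    # dn: uid=ddfusr,...), and user.filter=(uid=%u) says this deployment expects that.
    naming_attr = rdns[0][0]
    if "uid=%u" in props.get("user.filter", "") and naming_attr != "uid":
        findings.append(
            f"bind DN starts with '{naming_attr}=' but user entries are named by uid"
        )
    return findings


def suggested_bind_dn(props, uid):
    """The DN form that worked in the ldapsearch: uid=<user>,<user.base.dn>."""
    return f"uid={uid},{props['user.base.dn']}"


def describe_result_code(code):
    return LDAP_RESULT_CODES.get(code, f"unknown result code {code}")


if __name__ == "__main__":
    props = parse_properties(KARAF_LDAP_PROPERTIES)
    for finding in check_bind_dn(props):
        print("FINDING:", finding)
    print("suggested:", suggested_bind_dn(props, "ddfusr"))
    print("error 32 =", describe_result_code(32))
```

Run it against the posted properties and it reports the bare `cn=ddfusr` RDN and the cn/uid naming mismatch; substitute the suggested `uid=ddfusr,cn=users,cn=accounts,...` value and the checks pass. Error 32 only says the bind DN does not exist, so a clean result here still leaves the password (error 49) and the truststore to verify separately.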