[Freeipa-users] Original java script I have been TRYING to modify to use the flatness that is IPA.

Petr Spacek pspacek at redhat.com
Tue Aug 16 07:23:10 UTC 2016


On 15.8.2016 19:45, Michael Sean Conley wrote:
> 
> Hey gang, so this is the original file I was using to get us hooked in via
> LDAPS for the webpage.
> Note - it has OU's instead of CN's,
> 
> Anyway, I'm still at a loss.
> 
> What do you folks think?
> 
> 
>   <jaas:config name="karaf" rank="1">
>     <jaas:module
> className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
>                  flags="required">
>       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>       connection.username=cn=Directory Manager
>       connection.password=password
>       connection.url=ldaps://aba-ldap.aba.house.com:636
>       user.base.dn=ou=ApplicationUsers,ou=People,dc=aba,dc=house,dc=com
>       user.filter=(uid=%u)
>       user.search.subtree=true
>       role.base.dn=ou=JBoss,ou=Roles,dc=aba,dc=house,dc=com
>       role.name.attribute=cn
>       role.filter=
> (member=uid=%u,ou=ApplicationUsers,ou=People,dc=aba,dc=house,dc=com)
>       role.search.subtree=true
>       role.mapping=admin=group,admin,manager,viewer,webconsole
>       authentication=simple
>       ssl.protocol=SSL
>       ssl.truststore=truststore
>       ssl.algorithm=PKIX
>     </jaas:module>
>   </jaas:config>
> 
>   <jaas:keystore name="truststore"
>         path="file:${javax.net.ssl.trustStore}"
>         keystorePassword="${javax.net.ssl.trustStorePassword}" />
> 
> </blueprint>

Hi,

Rob already replied to your previous e-mail with the probable cause:

>>        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>>        connection.username=cn=ddfusr
>>        connection.password=iloveaba!
>>        connection.url=ldaps://aba-idam.aba.house.com:636
>>        user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
>>        user.filter=(uid=%u)
>>        user.search.subtree=true
>>        role.base.dn=cn=JBoss,cn=users,cn=accounts,dc=aba,dc=house,dc=com
>>        role.name.attribute=cn
>>
>> role.filter=(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
>>        role.search.subtree=true
>>        role.mapping=admin=group,admin,manager,viewer,webconsole
>>        authentication=simple
>>        ssl.protocol=SSL
>>        ssl.truststore=truststore
>>        ssl.algorithm=PKIX
>>      </jaas:module>
>>    </jaas:config>
>>
>> and I tried to log in with the ddfusr account and....
>>
>> Error 32.
>
> You're still using the wrong user to bind. There is no cn=ddfusr. At
> best there is a uid=ddfusr if the user.base is automatically added
> (which it probably isn't).
>
> It probably needs to be
> uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=home,dc=com just like in the
> ldapsearch.
>
> rob

I would start with fixing connection.username so it points to an actual user
object in LDAP.

It is hard to advise something else because I'm not familiar with the
software. If you have some documentation for the LDAPLogin module I can have a
look, but a quick google query did not turn up docs for me.

-- 
Petr^2 Spacek
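The point raised by Rob and Petr above (the bind DN must name an actual entry, and under FreeIPA a user entry is `uid=<login>,cn=users,cn=accounts,<suffix>`, not `cn=<login>`) can be checked mechanically before the config is loaded into Karaf. The script below is an added example, not part of this thread and not Karaf or FreeIPA code; it parses the `key=value` body of the quoted `<jaas:module>`, flags a bind DN that is only a bare RDN, and checks that the `role.filter` `member=` value (after `%u` substitution) is a DN under `user.base.dn`, since FreeIPA groups store full member DNs. The function names, the sample login `ddfusr` and the password placeholder are assumptions made for the example; the DNs are the ones from the thread.

```python
import re

# Module body as quoted in the thread, with the bind password replaced by a
# placeholder (constructed sample). The "role.filter=" line followed by a line
# starting with "(" reproduces the mail-client wrap seen in the quote.
SAMPLE_MODULE_BODY = """
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username=cn=ddfusr
connection.password=<bind-password-placeholder>
connection.url=ldaps://aba-idam.aba.house.com:636
user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
user.filter=(uid=%u)
user.search.subtree=true
role.base.dn=cn=JBoss,cn=users,cn=accounts,dc=aba,dc=house,dc=com
role.name.attribute=cn
role.filter=
(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
role.search.subtree=true
role.mapping=admin=group,admin,manager,viewer,webconsole
authentication=simple
ssl.protocol=SSL
ssl.truststore=truststore
ssl.algorithm=PKIX
"""


def parse_module_body(text):
    """Parse key=value lines; a line starting with '(' continues the previous key."""
    props = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("(") and last_key is not None:
            props[last_key] += line          # re-join a wrapped filter value
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        last_key = key.strip()
        props[last_key] = value.strip()
    return props


def split_dn(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas.

    Sufficient for the plain DNs in this thread; multi-valued RDNs are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("not an RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def normalize_dn(dn):
    """Case-fold attributes and values so DNs can be compared textually."""
    return ",".join("%s=%s" % (a, v.lower()) for a, v in split_dn(dn))


def dn_is_under(dn, base):
    """True if dn is a proper descendant of base."""
    return normalize_dn(dn).endswith("," + normalize_dn(base))


def suggested_bind_dn(login, user_base_dn):
    """FreeIPA user entries sit directly under the users container with a uid= RDN."""
    return "uid=%s,%s" % (login, user_base_dn)


def check_config(props, sample_login="ddfusr"):
    """Return a list of findings; an empty list means the checked settings look sane."""
    findings = []
    bind_dn = props.get("connection.username", "")
    user_base = props.get("user.base.dn", "")

    try:
        rdns = split_dn(bind_dn)
    except ValueError:
        rdns = []
    if len(rdns) <= 1:
        # "cn=ddfusr" names no entry: the server answers noSuchObject (error 32)
        login = rdns[0][1] if rdns else sample_login
        findings.append("connection.username %r is a bare RDN, not the DN of an entry; "
                        "try %r" % (bind_dn, suggested_bind_dn(login, user_base)))
    elif dn_is_under(bind_dn, user_base) and rdns[0][0] != "uid":
        findings.append("connection.username %r is under the users container but "
                        "does not use a uid= RDN" % bind_dn)

    # FreeIPA group membership is stored as full user DNs, so the member= value
    # of the role filter must resolve to a DN under user.base.dn.
    match = re.search(r"\(member=([^)]+)\)", props.get("role.filter", ""))
    if not match:
        findings.append("role.filter has no (member=...) term")
    else:
        member_dn = match.group(1).replace("%u", sample_login)
        try:
            ok = dn_is_under(member_dn, user_base)
        except ValueError:
            ok = False
        if not ok:
            findings.append("role.filter member value %r is not a DN under user.base.dn"
                            % member_dn)
    return findings


if __name__ == "__main__":
    props = parse_module_body(SAMPLE_MODULE_BODY)
    for finding in check_config(props):
        print("FINDING:", finding)
```

Run as-is it reports the single finding from the thread (the bare `cn=ddfusr` bind DN) and suggests `uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=house,dc=com`; with `connection.username` replaced by that value the check passes. The bind account does not have to live under `user.base.dn` (a dedicated service account elsewhere in the tree is fine), which is why the uid= rule is only applied when the bind DN is inside the users container.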