[Freeipa-users] LDAP access for user authentication?

Alexander Skwar alexanders.mailinglists+nospam at gmail.com
Wed May 18 13:13:58 UTC 2016


Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>
> Alexander Skwar wrote:

>> The WAF would then send username and password to FreeIPA (using LDAP)
>> and would need to get back, whether the combination was good or not.
>>
>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
>> know of some good howtos or links? Any gotchas, that we'd need to be
>> aware of?
>
>
> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP
>

I created the user uid=system as shown in the howto. But my appliance
is having issues (so to say). I'm getting errors like this one:

[…]
2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
[USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
/ cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636
/ javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001]
exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
    at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
    at com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
[…]


Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]

I suppose the "tech" user doesn't have sufficient rights.

In the Howto, it says:

Note: IPA 4.0 is going to change the default stance on data from
nearly everything is readable to nothing is readable, by default. You
will eventually need to add some Access Control Instructions (ACI's)
to grant read access to the parts of the LDAP tree you will need.



What would be good ACIs to grant read access to
cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

Thanks again,


Alexander
-- 
=>        Google+ => http://plus.skwar.me         <==
=> Chat (Jabber/Google Talk) => a.skwar at gmail.com <==
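The following is an added example, not code from the thread or from the FreeIPA howto, showing one way to express a read-only ACI for a system account on the users container and two checks that separate a bind problem from an ACI problem. The suffix, container and host:port come from the log above; the system-account DN `uid=system,cn=sysaccounts,cn=etc,...` is assumed from the howto's convention, and the attribute list is an illustrative minimum. `userPassword` is deliberately left out of the ACI: an account that only resolves users before the WAF binds as them has no reason to read credentials.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# Assumed values are marked; host, port and suffix are taken from the log.

SUFFIX="dc=hydrus,dc=intern"
USERS_DN="cn=users,cn=accounts,$SUFFIX"
SYS_DN="uid=system,cn=sysaccounts,cn=etc,$SUFFIX"   # assumption: howto convention
LDAP_URI="ldaps://192.168.94.147:636"

# Emit an LDIF that grants the system account read/search/compare on a
# small, explicit set of user attributes. No wildcard, no userPassword.
make_read_aci_ldif() {
    cat <<EOF
dn: $USERS_DN
changetype: modify
add: aci
aci: (targetattr = "uid || cn || sn || givenName || mail || memberOf || objectClass")(targetfilter = "(objectClass=posixAccount)")(version 3.0; acl "WAF system account: read user entries"; allow (read, search, compare) userdn = "ldap:///$SYS_DN";)
EOF
}

# Apply the ACI. Writing 'aci' needs Directory Manager (or an equivalent
# admin bind); the ldapmodify prompt asks for that password.
apply_read_aci() {
    make_read_aci_ldif | ldapmodify -H "$LDAP_URI" -D "cn=Directory Manager" -W
}

# Check 1: can the system account bind at all? If this fails, the problem
# is the bind itself (DN, password, TLS), not a missing read ACI.
check_system_bind() {
    ldapwhoami -H "$LDAP_URI" -D "$SYS_DN" -W
}

# Check 2: once bound, can it locate a user entry under the users container?
# An empty result with a successful bind points at the ACI, not at the bind.
# Usage: check_user_lookup <uid>
check_user_lookup() {
    ldapsearch -H "$LDAP_URI" -D "$SYS_DN" -W -b "$USERS_DN" -s one \
        "(uid=$1)" dn uid cn memberOf
}

# Print the LDIF so it can be reviewed before it is applied.
make_read_aci_ldif
```

Run `check_system_bind` first; `ldapwhoami` returns the bound identity on success and an LDAP result code on failure, so it isolates the bind step from the later search. Only when the bind succeeds does `apply_read_aci` followed by `check_user_lookup ask` tell you whether the ACI grants what the WAF needs.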
