[Freeipa-users] LDAP access for user authentication?

Rob Crittenden rcritten at redhat.com
Wed May 18 14:21:46 UTC 2016


Alexander Skwar wrote:
> Hello Rob
>
> 2016-05-12 0:06 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>
>> Alexander Skwar wrote:
>
>>> The WAF would then send username and password to FreeIPA (using LDAP)
>>> and would need to get back, whether the combination was good or not.
>>>
>>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
>>> know of some good howtos or links? Any gotchas, that we'd need to be
>>> aware of?
>>
>>
>> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP
>>
>
> I created the user uid=system as shown in the howto. But my appliance
> is having issues (so to say). I'm getting errors like this one:
>
> […]
> 2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
> [RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
> [USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
> to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
> internal state! Reason:
> 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
> / cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636
> / javax.naming.AuthenticationNotSupportedException: [LDAP: error code
> 48 - Inappropriate Authentication]'"
> 2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$]
> [RC:7f0100-4094-2016.05.18_1255.33.733-001]
> exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE]
> Invalid internal state! Reason:
> 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
> com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE]
> Invalid internal state! Reason:
> 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
>      at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
>      at com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
> […]
>
>
> Important parts here:
>
> - [USER_AUTH_FAILED_TECH]
> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
> 48 - Inappropriate Authentication]
>
> I suppose, the "tech" user doesn't have the sufficient rights.

Is your user "tech"? It doesn't appear to be, though this logging leaves
much to be desired.

LDAP err 48 means a bind was tried using a bad mechanism, like trying to 
do a simple bind when stronger auth is required, for example. Or you try 
to bind with a user that has no password.

What is confusing to me is that the DN doesn't include uid=system, so it 
may be a configuration error on your part.

>
> In the Howto, it says:
>
> Note: IPA 4.0 is going to change the default stance on data from
> nearly everything is readable to nothing is readable, by default. You
> will eventually need to add some Access Control Instructions (ACI's)
> to grant read access to the parts of the LDAP tree you will need.
>
>
>
> What would be good ACIs to grant read access to
> cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

This is not the problem.

rob

>
> Thanks again,
>
>
> Alexander
>
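The two-step check the WAF scenario describes (bind as the service account, look up the user's DN under cn=users,cn=accounts,..., then re-bind as that DN with the supplied password) as an added example; it is not code from the thread or from FreeIPA. It assumes the service account from the HowTo lives at uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern, uses the third-party ldap3 library for the network part, and takes the server name and CA file as parameters. The helpers that escape the search filter and explain the bind result codes Rob mentions (48 vs. 49) are pure Python and need no server.

```python
"""Verify a username/password pair against FreeIPA over LDAPS.

Constructed example: a service account does a simple bind, searches for
the user's DN, then a second connection binds as that DN with the user's
password.  Only check_credentials() talks to a server (via ldap3); the
other helpers are offline and testable.
"""
import ssl

# Assumed lab values; the users base matches the thread, the service
# account DN follows the FreeIPA HowTo/LDAP page.
BASE_DN = "dc=hydrus,dc=intern"
USERS_BASE = f"cn=users,cn=accounts,{BASE_DN}"
SYSTEM_DN = f"uid=system,cn=sysaccounts,cn=etc,{BASE_DN}"

# RFC 4515 escaping so a username cannot alter the search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value: str) -> str:
    """Escape the characters that have meaning inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """Filter that matches exactly one FreeIPA user by uid."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter(username)}))"


def explain_bind_result(code: int) -> str:
    """Turn the bind result code into the diagnosis an operator needs."""
    if code == 0:
        return "success"
    if code == 48:
        # The case from the thread: the server refused the bind *mechanism*,
        # e.g. simple bind where stronger auth is required, or a bind as an
        # entry that has no password attribute at all.
        return ("inappropriateAuthentication: bind mechanism refused "
                "(simple bind not allowed, or the bind DN has no password)")
    if code == 49:
        return "invalidCredentials: wrong password or DN (ordinary failed login)"
    return f"ldap result code {code}"


def check_credentials(username, password, host, system_password, ca_file, port=636):
    """Return (ok, reason).  Only this function contacts the server."""
    if not password:
        # RFC 4513 5.1.2: a simple bind with an empty password is an
        # *unauthenticated* bind, which a server may answer with success.
        # A WAF forwarding blank passwords must refuse them itself.
        return False, "empty password refused"
    import ldap3  # third-party (pip install ldap3); imported lazily

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(host, port=port, use_ssl=True, tls=tls)

    # Step 1: simple bind as the service account.  It needs a password set
    # and an ACI that lets it read uid under cn=users.
    svc = ldap3.Connection(server, user=SYSTEM_DN, password=system_password)
    if not svc.bind():
        return False, "service bind: " + explain_bind_result(svc.result["result"])
    try:
        svc.search(USERS_BASE, user_filter(username), attributes=["uid"])
        dns = [entry.entry_dn for entry in svc.entries]
    finally:
        svc.unbind()

    # Exactly one hit, and it must sit under the users container.
    if len(dns) != 1 or not dns[0].lower().endswith(USERS_BASE.lower()):
        return False, "user not found"

    # Step 2: a fresh connection bound as the user's own DN.
    user_conn = ldap3.Connection(server, user=dns[0], password=password)
    ok = user_conn.bind()
    reason = explain_bind_result(user_conn.result["result"])
    user_conn.unbind()
    return ok, reason
```

The reason strings are for the appliance's own log; whatever it shows the end user should be the same message for "user not found" and "invalidCredentials" so the login form does not reveal which uids exist. If the service bind itself comes back with code 48, check that the bind DN is really the sysaccount entry and that it has userPassword set, before looking at ACIs.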



