[Freeipa-users] LDAP access for user authentication?

Alexander Skwar alexanders.mailinglists+nospam at gmail.com
Wed May 18 15:03:55 UTC 2016


Hello Rob

2016-05-18 16:21 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> Alexander Skwar wrote:
>>
>> Hello Rob
>>
>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>>
>>>
>>> Alexander Skwar wrote:

>> Important parts here:
>>
>> - [USER_AUTH_FAILED_TECH]
>> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
>> 48 - Inappropriate Authentication]
>>
>> I suppose, the "tech" user doesn't have the sufficient rights.
>
>
> Is your user "tech"? It doesn't appear to be, though this logging leaves much
> to be desired.


Well, according to the howto, I created a user with "DN:
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also
what I configured as the „Technical user DN“ in my appliance (→
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern).

The password is correct. I double checked. On the IPA server, I can do:

local at bbva-auth01-prod ~ % ldapsearch -x -D uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
# extended LDIF
#
# LDAPv3
# base <dc=hydrus,dc=intern> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# computers, compat, hydrus.intern
dn: cn=computers,cn=compat,dc=hydrus,dc=intern
…

> LDAP err 48 means a bind was tried using a bad mechanism, like trying to do
> a simple bind when stronger auth is required, for example. Or you try to
> bind with a user that has no password.

Thanks.

> What is confusing to me is that the DN doesn't include uid=system, so it may
> be a configuration error on your part.

I bet that this will eventually be the reason :)

Hmm… Yes, that's indeed confusing. Playing a bit with the appliance,
it was indeed a configuration error on my part. The Bind DN was set
wrong.

After fixing this, everything is working :)

Thanks a lot, that was indeed a helpful hint!


>> What would be good ACIs to grant read access to
>> cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?
>
>
> This is not the problem.

And that was also quite helpful. I was looking there, and thus in the
wrong direction.

Thanks again,


Alexander
-- 
=>        Google+ => http://plus.skwar.me         <==
=> Chat (Jabber/Google Talk) => a.skwar at gmail.com <==
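An added, offline example (not code from this thread or from FreeIPA) for the failure mode discussed above: it parses the JNDI "[LDAP: error code 48 - ...]" string the appliance logged, normalizes the configured Bind DN so it can be compared with the expected FreeIPA system-account DN, and reports whether the DN itself is the likely culprit. The function names, the RESULT_CODES table and the sample log line are assumptions/constructed for this example.

```python
"""Diagnose a failed simple bind of a FreeIPA system account from an appliance log line."""
import re

# Constructed sample of the log line quoted in the thread.
SAMPLE_LOG = ("javax.naming.AuthenticationNotSupportedException: "
              "[LDAP: error code 48 - Inappropriate Authentication]")

# Result codes relevant to a failed simple bind (RFC 4511, Appendix A).
RESULT_CODES = {
    32: "noSuchObject: the bind DN does not name an existing entry",
    48: "inappropriateAuthentication: simple bind refused for this entry "
        "(wrong DN, or the entry carries no userPassword)",
    49: "invalidCredentials: the DN exists but the password is wrong",
}

def parse_jndi_error(line):
    """Extract (code, message) from a JNDI '[LDAP: error code N - text]' string."""
    m = re.search(r"\[LDAP: error code (\d+) - ([^\]]+)\]", line)
    return (int(m.group(1)), m.group(2).strip()) if m else None

def normalize_dn(dn):
    """Canonical form for comparison: split on unescaped commas, trim whitespace
    around each RDN and around '=', lower-case attribute types and values.
    Case-insensitive comparison is correct for uid, cn and dc (caseIgnore syntaxes)."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def expected_sysaccount_dn(uid, base_dn):
    """FreeIPA keeps non-person service accounts under cn=sysaccounts,cn=etc."""
    return f"uid={uid},cn=sysaccounts,cn=etc,{base_dn}"

def diagnose_bind(configured_dn, uid, base_dn, log_line):
    """Return a one-line diagnosis: DN mismatch first, otherwise the result code meaning."""
    parsed = parse_jndi_error(log_line)
    if parsed is None:
        return "no LDAP result code found in log line"
    code, _ = parsed
    expected = expected_sysaccount_dn(uid, base_dn)
    if normalize_dn(configured_dn) != normalize_dn(expected):
        return f"code {code}: Bind DN {configured_dn!r} does not match expected {expected!r}"
    return f"code {code}: {RESULT_CODES.get(code, 'see RFC 4511 Appendix A')}"

if __name__ == "__main__":
    print(diagnose_bind("cn=sysaccounts,cn=etc,dc=hydrus,dc=intern",
                        "system", "dc=hydrus,dc=intern", SAMPLE_LOG))
```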