[Freeipa-users] LDAP access for user authentication?

Rob Crittenden rcritten at redhat.com
Wed May 18 15:10:32 UTC 2016


Alexander Skwar wrote:
> Hello Rob
>
> 2016-05-18 16:21 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>> Alexander Skwar wrote:
>>>
>>> Hello Rob
>>>
>>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>>>
>>>>
>>>> Alexander Skwar wrote:
>
>>> Important parts here:
>>>
>>> - [USER_AUTH_FAILED_TECH]
>>> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
>>> 48 - Inappropriate Authentication]
>>>
>>> I suppose the "tech" user doesn't have sufficient rights.
>>
>>
>> Is your user "tech"? It doesn't appear to be, though this logging leaves much
>> to be desired.
>
>
> Well, according to the howto, I created a user with "DN:
> uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also
> what I configured as the „Technical user DN“ in my appliance (→
> uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern).
>
> The password is correct. I double checked. On the IPA server, I can do:
>
> local at bbva-auth01-prod ~ % ldapsearch -x -D
> uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
> # extended LDIF
> #
> # LDAPv3
> # base <dc=hydrus,dc=intern> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # computers, compat, hydrus.intern
> dn: cn=computers,cn=compat,dc=hydrus,dc=intern
>>
>> LDAP err 48 means a bind was tried using a bad mechanism, like trying to do
>> a simple bind when stronger auth is required, for example. Or you try to
>> bind with a user that has no password.
>
> Thanks.
>
>> What is confusing to me is that the DN doesn't include uid=system, so it may
>> be a configuration error on your part.
>
> I bet that this will eventually be the reason :)
>
> Hmm… Yes, that's indeed confusing. Playing a bit with the appliance,
> it was indeed a configuration error on my part. The Bind DN was set
> wrong.
>
> After fixing this, everything is working :)
>
> Thanks a lot, that was indeed a helpful hint!
>
>
>>> What would be good ACIs to grant read access to
>>> cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?
>>
>>
>> This is not the problem.
>
> And that was also quite helpful. I was looking there, and thus in the
> wrong direction.
>
> Thanks again,

Cool, glad you got it working. If you wanted to share your experience in 
the form of a HOWTO we can help make that happen.

rob
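The thread's lesson is that LDAP result code 48 says the bind *method* was rejected (so the bind DN is the first thing to check), whereas a wrong password gives 49 and an ACI problem only shows up after a successful bind as 50. The following is an added example, not code from the thread or from FreeIPA: it extracts the result code from the JNDI-style error string the appliance logged, explains it, and sanity-checks a configured bind DN against the system account actually created. The DN and base suffix are taken from the thread; the error strings are constructed samples modelled on the quoted log lines.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample diagnostics, modelled on the messages quoted in the thread.
SAMPLE_JAVA_ERROR = (
    "javax.naming.AuthenticationNotSupportedException: "
    "[LDAP: error code 48 - Inappropriate Authentication]"
)
SAMPLE_BAD_PASSWORD_ERROR = (
    "javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - Invalid Credentials]"
)

# Bind-related LDAP result codes (RFC 4511) and what each one tells a defender.
BIND_RESULT_CODES = {
    48: "inappropriateAuthentication: the server rejected the bind method "
        "(e.g. simple bind refused, or the entry has no userPassword); the "
        "password was never evaluated, so verify the bind DN before anything else",
    49: "invalidCredentials: the bind DN exists and accepts simple binds, "
        "but the password was wrong",
    50: "insufficientAccessRights: the bind succeeded, but an ACI denies the "
        "requested read; only at this point are ACIs worth investigating",
}

_CODE_RE = re.compile(r"LDAP: error code (\d+)")


def parse_result_code(message: str) -> Optional[int]:
    """Extract the numeric LDAP result code from a JNDI-style error string."""
    m = _CODE_RE.search(message)
    return int(m.group(1)) if m else None


def explain_bind_error(message: str) -> str:
    """Map a logged bind failure to the check a practitioner should do next."""
    code = parse_result_code(message)
    if code is None:
        return "no LDAP result code found in message"
    return BIND_RESULT_CODES.get(code, f"result code {code}: see RFC 4511 section 4.1.9")


def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into lower-cased (attribute, value) RDN pairs.

    Only unescaped commas are handled, which is sufficient for the plain
    FreeIPA system-account DNs this check is meant for.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def check_sysaccount_dn(configured_dn: str, created_dn: str, base_dn: str) -> List[str]:
    """Return the problems found with the bind DN configured on the client side.

    An empty list means the configured DN matches the created system account,
    sits under the expected base and looks like a FreeIPA sysaccount.
    """
    problems = []
    cfg, created, base = (normalize_dn(d) for d in (configured_dn, created_dn, base_dn))
    if cfg != created:
        problems.append(
            f"configured DN {configured_dn!r} does not match the created "
            f"system account {created_dn!r}"
        )
    if cfg[-len(base):] != base:
        problems.append(f"configured DN is not under the base {base_dn!r}")
    if cfg[0][0] != "uid":
        problems.append("bind DN should begin with uid=<account name>")
    if ("cn", "sysaccounts") not in cfg or ("cn", "etc") not in cfg:
        problems.append(
            "bind DN is not under cn=sysaccounts,cn=etc, where FreeIPA "
            "system accounts are created"
        )
    return problems


if __name__ == "__main__":
    created = "uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern"
    base = "dc=hydrus,dc=intern"
    for msg in (SAMPLE_JAVA_ERROR, SAMPLE_BAD_PASSWORD_ERROR):
        print(f"{parse_result_code(msg)}: {explain_bind_error(msg)}")
    # A mistyped bind DN like the one in the thread is caught before looking at ACIs.
    for dn in (created, "cn=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern"):
        print(dn, "->", check_sysaccount_dn(dn, created, base) or "OK")
```

The DN check runs entirely offline; the equivalent live test on the IPA server is the `ldapsearch -x -D <bind DN> -W` call quoted in the thread, which succeeds for the correct DN and fails with code 48 or 49 for a wrong one.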
