[Freeipa-users] creating an LDAP bind user

Chris Herdt cherdt at umn.edu
Wed Apr 26 19:01:48 UTC 2017


I am setting up LDAP authentication with a remote service. On
https://www.freeipa.org/page/HowTo/LDAP it says the following:

"Do not use the Directory Manager account to authenticate remote
services to the IPA LDAP server. Use a system account, created like
this:"

I followed the steps there to create an entry under sysaccounts, and
confirmed it is there using ldapsearch:

ldapsearch -D 'cn=Directory Manager' -W -H ldap://ipa01.example.com -x uid=remoteu

# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: [hash value]

This new user is unable to run LDAP searches though:

ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The new user is also unable to authenticate the remote service. (The
Directory Manager user is able to authenticate the remote service,
although as pointed out above, that's not a good idea.)

The How-To LDAP page also notes:
"IPA 4.0 is going to change the default stance on data from nearly
everything is readable to nothing is readable, by default. You will
eventually need to add some Access Control Instructions (ACI's) to
grant read access to the parts of the LDAP tree you will need."

I'm not sure if that's part of the issue or not. I'm using IPA version
4.4.0. Thanks in advance for any suggestions.
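An added example, not part of the post or of FreeIPA's own tooling: a small Python script that parses the LDIF returned by the ldapsearch above and checks whether a candidate -D value is the full DN of an entry in that output. 389-ds (the directory server behind IPA) accepts a simple bind only against an entry's full DN (cn=Directory Manager is a special root DN), so a bare RDN such as cn=remoteu is rejected with result 49 even when the password is correct. The sample LDIF is constructed from the post's output with a placeholder hash.

```python
import base64
import re

# Constructed sample: the ldapsearch output quoted in the post, with the
# hash replaced by a made-up base64 placeholder (not a real password hash).
SAMPLE_LDIF = """\
# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: e1NTSEF9ZmFrZWhhc2h2YWx1ZQ==
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr: [values]} dicts.
    Handles comment lines, folded continuation lines and base64 ('::') values."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries

def normalize_dn(dn):
    """Simplified DN comparison: lower-case, strip spaces around RDNs and '='.
    Good enough for ldapsearch output; not full RFC 4514 normalization."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(","))

def check_bind_dn(bind_dn, ldif_text):
    """Return (ok, message). ok is True only if bind_dn is the full DN of an
    entry in the search output; a bare RDN like 'cn=remoteu' is not one, and a
    simple bind with it fails with 'Invalid credentials (49)'."""
    entry_dns = [e["dn"][0] for e in parse_ldif(ldif_text) if "dn" in e]
    if normalize_dn(bind_dn) in {normalize_dn(d) for d in entry_dns}:
        return True, f"bind DN matches an entry: use -D '{bind_dn}'"
    hint = ", ".join(entry_dns) or "no entries found"
    return False, f"'{bind_dn}' is not an entry DN; bind with the full DN: {hint}"
```

Run check_bind_dn("cn=remoteu", SAMPLE_LDIF) to see the post's bind rejected and the full uid=remoteu,cn=sysaccounts,... DN suggested instead.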
