<div dir="ltr">On 12 April 2013 23:59, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div>On 04/11/2013 11:58 PM, Peter Brown
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">On 12 April 2013 15:51, Simon Williams <span dir="ltr"><<a href="mailto:simon.williams@thehelpfulcat.com" target="_blank">simon.williams@thehelpfulcat.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">I use Atlassian products, but use Crowd to
provide single signon. This means that Crowd is the only
application that needs to authenticate against LDAP. I
found that I had to tell Crowd that the server was 389
DS. I could not get it to work set to OpenLDAP.</p>
</blockquote>
<div><br>
</div>
<div>I had a look at crowd but it seemed like overkill when
I could just point everything at FreeIPA.<br>
</div>
<div>We are a small shop so the extra queries weren't going
to affect much.<br>
</div>
<div>I tried telling my Atlassian apps that freeipa was a
389 ds server but it refused to work properly.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br></div>
Not sure what that means, exactly. Check the 389 access logs to see
what operations Atlassian is performing against 389.</div></blockquote><div><br></div><div>I don't remember the exact error, and they get used every day and work as is, so I will have to wait for an update to switch it over to see what errors it produces.<br>
<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>Slightly strange considering the ldap modules for all
of them are the same as the one used in crowd.<br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Regards</p>
<span><font color="#888888">
<p dir="ltr">Simon</p>
</font></span>
<div>
<div>
<div class="gmail_quote">On 11 Apr 2013 23:36, "Peter
Brown" <<a href="mailto:rendhalver@gmail.com" target="_blank">rendhalver@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">On 12 April 2013 05:04, John Dennis
<span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>On 04/11/2013 02:47 PM, Bartek
Moczulski wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
hi,<br>
I've got a problem with using IPA as
authentication source over LDAP.<br>
Generally there are two approaches to
LDAP authentication:<br>
1. bind using admin account and read
passwords from user objects (but in<br>
ipa you cannot read passwords through
ldap, right?)<br>
2. "bind to authenticate" - service
tries to log in to ldap with user's<br>
credentials. If login is successful
authentication is also successful -<br>
this approach does not work because
you cannot login to IPA ldap using<br>
bare username, you need a full LDAP
DN.<br>
</blockquote>
<br>
</div>
Most applications I know of that do "bind
as user" to authenticate also permit you
to specify a format string into which the
user name is inserted (i.e. the format
string is the dn, e.g.
"uid=%u,cn=users,cn=accounts,dc=example,dc=com")
-or- they do a search to discover the dn.
If your application does not support either
approach it's broken IMHO.<br>
</blockquote>
<div><br>
I have used this method for Confluence,
Jira, Stash, Icinga and Foreman.<br>
</div>
<div>I will be adding more applications in
the future as well.<br>
</div>
<div>If the application doesn't support
Kerberos it's the next best thing in my
opinion.<br>
I have also used it to get email lists into
dovecot and postfix.<br>
<br>
</div>
<div>One caveat I found is you need to tell
Atlassian applications that FreeIPA is a
plain OpenLDAP server to get it to work.<br>
</div>
<div>Apart from that it works "out of the
box" as they say.<br>
<br>
</div>
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Reading passwords and/or password hashes
is not supported for security reasons.<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Now, I've got a 3rd party application
supporting both mentioned above<br>
approaches and the question is - how to
make it work with ipa?<br>
<br>
thanks in advance,<br>
Bartek.<br>
<br>
<br>
</div>
<div>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
</div>
</blockquote>
<span><font color="#888888">
<br>
<br>
-- <br>
John Dennis <<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>><br>
<br>
Looking to carve out IT costs?<br>
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a></font></span>
<div>
<div><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div></div>
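The two "bind as user" lookups John Dennis describes above (a DN format string the username is substituted into, or a search that discovers the DN followed by a bind), as an added Python example that is not from the thread or from any of the applications mentioned in it. It assumes FreeIPA's cn=users,cn=accounts container under a base of dc=example,dc=com and a hypothetical connection object, and adds the two checks an application doing this should carry: escaping the username before it reaches a DN or filter, and refusing an empty password.

```python
from __future__ import annotations
from typing import Protocol
# Assumed FreeIPA layout: users live under cn=users,cn=accounts,<base>.
BASE = "dc=example,dc=com"
DN_TEMPLATE = "uid=%u,cn=users,cn=accounts," + BASE  # the format string from the thread

# RFC 4514: characters that need a backslash inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')

def escape_dn_value(value: str) -> str:
    """Escape a raw username so it cannot alter the DN it is inserted into."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape the characters that are syntax inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_dn_from_template(username: str, template: str = DN_TEMPLATE) -> str:
    """First approach: substitute the name into the DN format string."""
    return template.replace("%u", escape_dn_value(username))

def user_search_filter(username: str) -> str:
    """Second approach: search for the entry, then bind with the DN the server returns."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)

class LdapConn(Protocol):
    """Hypothetical connection (not a real library API); search() uses the app's own credentials."""
    def search(self, base: str, filt: str) -> list[str]: ...
    def simple_bind(self, dn: str, password: str) -> bool: ...

def authenticate(conn: LdapConn, username: str, password: str, base: str = BASE) -> str | None:
    """Search-then-bind flow. Returns the user's DN on success, None otherwise."""
    if not password:
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated* bind,
        # which servers may accept; it must never count as a successful login.
        return None
    dns = conn.search("cn=users,cn=accounts," + base, user_search_filter(username))
    if len(dns) != 1:  # zero hits: unknown user; several: ambiguous, refuse
        return None
    return dns[0] if conn.simple_bind(dns[0], password) else None
```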