<div dir="ltr">Hello Martin,<div> </div><div>Thanks that does help, I didn't know about this project. I will try this approach first. Seems like it will be better integrated with FreeIPA and in general more maintainable than PWM.</div></div><div class="gmail_extra"> <div class="gmail_quote">On 21 April 2016 at 09:59, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 04/20/2016 05:23 PM, Tiemen Ruiten wrote: > Hello, > > I'm trying to set up a self-service page for a new IPA domain and I'm trying to > use PWM for that. > > When I try to bind to FreeIPA from within PWM, with the configured "LDAP Proxy > User", I get the following error: > > error connecting to ldap server 'ldaps://<a href="http://polonium.ipa.rdmedia.com:636" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com:636</a> > <<a href="http://polonium.ipa.rdmedia.com:636" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com:636</a>>': unable to create connection: unable to > bind to ldaps://<a href="http://polonium.ipa.rdmedia.com:636" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com:636</a> > <<a href="http://polonium.ipa.rdmedia.com:636" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com:636</a>> as > cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason: [LDAP: > error code 48 - Inappropriate Authentication] > > In /var/log/krb5kdc.log I see: > > Apr 20 17:12:29 <a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com</a> <<a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com</a>> > krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33 > <<a href="http://192.168.50.33" rel="noreferrer" target="_blank">http://192.168.50.33</a>>: NEEDED_PREAUTH: > host/<a href="mailto:protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM">protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a> > <mailto:<a href="mailto:protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM">protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a>> for > krbtgt/<a href="mailto:IPA.RDMEDIA.COM@IPA.RDMEDIA.COM">IPA.RDMEDIA.COM@IPA.RDMEDIA.COM</a> <mailto:<a href="mailto:IPA.RDMEDIA.COM@IPA.RDMEDIA.COM">IPA.RDMEDIA.COM@IPA.RDMEDIA.COM</a>>, > Additional pre-authentication required > Apr 20 17:12:29 <a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com</a> <<a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com</a>> > krb5kdc[25760](info): closing down fd 12 > Apr 20 17:12:29 <a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com</a> <<a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com</a>> > krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33 > <<a href="http://192.168.50.33" rel="noreferrer" target="_blank">http://192.168.50.33</a>>: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 > ses=18}, host/<a href="mailto:protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM">protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a> > <mailto:<a href="mailto:protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM">protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a>> for > krbtgt/<a href="mailto:IPA.RDMEDIA.COM@IPA.RDMEDIA.COM">IPA.RDMEDIA.COM@IPA.RDMEDIA.COM</a> <mailto:<a href="mailto:IPA.RDMEDIA.COM@IPA.RDMEDIA.COM">IPA.RDMEDIA.COM@IPA.RDMEDIA.COM</a>> > Apr 20 17:12:29 <a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com</a> <<a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com</a>> > krb5kdc[25760](info): closing down fd 12 > Apr 20 17:12:29 <a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com</a> <<a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com</a>> > krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33 > <<a href="http://192.168.50.33" rel="noreferrer" target="_blank">http://192.168.50.33</a>>: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 > ses=18}, host/<a href="mailto:protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM">protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a> > <mailto:<a href="mailto:protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM">protactinium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a>> for > ldap/<a href="mailto:polonium.ipa.rdmedia.com@IPA.RDMEDIA.COM">polonium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a> > <mailto:<a href="mailto:polonium.ipa.rdmedia.com@IPA.RDMEDIA.COM">polonium.ipa.rdmedia.com@IPA.RDMEDIA.COM</a>> > Apr 20 17:12:29 <a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">polonium.ipa.rdmedia.com</a> <<a href="http://polonium.ipa.rdmedia.com" rel="noreferrer" target="_blank">http://polonium.ipa.rdmedia.com</a>> > krb5kdc[25760](info): closing down fd 12 > > What is going on? What can I do to debug this more? > > > -- > Tiemen Ruiten > Systems Engineer > R&D Media Hello Tiemen, Just for the record, in FreeIPA we have been also working on our own version of the Community Portal that could be useful for the registration and is already well integrated with FreeIPA: <a href="https://github.com/freeipa/freeipa-community-portal" rel="noreferrer" target="_blank">https://github.com/freeipa/freeipa-community-portal</a> <a href="http://freeipa-community-portal.readthedocs.org/en/latest/" rel="noreferrer" target="_blank">http://freeipa-community-portal.readthedocs.org/en/latest/</a> CCing Christian who currently owns the project. HTH, Martin </blockquote></div> <div> </div>-- <div class="gmail_signature"><div dir="ltr">Tiemen Ruiten Systems Engineer R&D Media </div></div> </div>