Hi Per,

could you define “working configuration” requirements and what’s iPad specific?

Anyway, below is my setup with CentOS Apache to authenticate against IPA via LDAP using either username (uid) or e-mail. No Kerberos or GSSAPI used, just “pure” LDAP.

Please note, IPA group “shareusers” membership is required. IPA host is im.example.com

With kind regards,
Ivars

File /etc/httpd/access/ldap.conf

AuthName "File service login"
# AuthBasicProviders are defined in ../conf.d/00-ldap.conf
AuthBasicProvider ldap-uid ldap-mail
AuthType Basic
# Even if AuthLDAPURL is defined in AuthnProviderAlias in ../conf.d/00-ldap.conf and processed earlier
# these directives are mandatory to authorize after authentication
AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
AuthLDAPInitialBindAsUser On
AuthLDAPSearchAsUser On
AuthLDAPCompareAsUser On

File /etc/httpd/conf.d/00-ldap.conf

LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
# AuthnProviderAlias must be defined here, it cannot be in VirtualHost
# because ../access/ldap.conf is VirtualHost level

# ldap-mail is tried last (after ldap-uid)
<AuthnProviderAlias ldap ldap-mail>
    AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
    # this one (last) must be authoritative
    # AuthLDAPBindAuthoritative off
    AuthLDAPInitialBindAsUser On
    AuthLDAPSearchAsUser On
    AuthLDAPCompareAsUser On
    AuthLDAPInitialBindPattern (.+)\@(.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>

# ldap-uid is tried first
<AuthnProviderAlias ldap ldap-uid>
    AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
    # first one is NOT authoritative
    AuthLDAPBindAuthoritative off
    AuthLDAPInitialBindAsUser On
    AuthLDAPSearchAsUser On
    AuthLDAPCompareAsUser On
    AuthLDAPInitialBindPattern (.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>

> On 8 Aug 2017, at 15:11, Per Qvindesland via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi All
>
> Does anyone have any working mod_ldap configuration for CentOS 7 with Apache 2.4.6 with iPad to share?
>
> Regards
> Per
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
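
An added example, not part of Ivars' message and not Apache or FreeIPA code: a small Python check of the provider-chain rules stated in the configuration comments above (every provider before the last sets AuthLDAPBindAuthoritative off, the last one stays authoritative, and each alias keeps the memberOf filter). The function names are hypothetical, and the sample is the two alias blocks from the message reduced to the directives being checked.

```python
import re

# Constructed sample: the alias blocks from 00-ldap.conf, reduced to the checked directives.
ALIASES_CONF = """
<AuthnProviderAlias ldap ldap-mail>
AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
# AuthLDAPBindAuthoritative off
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-uid>
AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
AuthLDAPBindAuthoritative off
</AuthnProviderAlias>
"""
CHAIN = "AuthBasicProvider ldap-uid ldap-mail"  # from access/ldap.conf

def parse_aliases(text):
    """Return {alias name: {directive (lowercase): arguments}}, skipping comment lines."""
    aliases, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<AuthnProviderAlias\s+\S+\s+(\S+)>$", line, re.I)
        if opening:
            current = aliases.setdefault(opening.group(1), {})
        elif line.lower() == "</authnprovideralias>":
            current = None
        elif current is not None:
            name, _, args = line.partition(" ")
            current[name.lower()] = args.strip()
    return aliases

def check_chain(chain_line, aliases):
    """Return findings for the provider chain; an empty list means every rule holds."""
    providers, findings = chain_line.split()[1:], []
    for pos, name in enumerate(providers):
        cfg = aliases.get(name)
        if cfg is None:
            findings.append(f"{name}: no AuthnProviderAlias block")
            continue
        if "(memberof=" not in cfg.get("authldapurl", "").lower():
            findings.append(f"{name}: AuthLDAPURL has no memberOf filter")
        authoritative = cfg.get("authldapbindauthoritative", "on").lower() != "off"  # default is on
        last = pos == len(providers) - 1
        if authoritative and not last:
            findings.append(f"{name}: authoritative, a failed bind here ends the chain early")
        if not authoritative and last:
            findings.append(f"{name}: last provider should stay authoritative")
    return findings
```

Calling `check_chain(CHAIN, parse_aliases(ALIASES_CONF))` returns an empty list for the configuration as posted; swapping the provider order or dropping the `off` line from ldap-uid produces findings.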