On Mon, 23 Jan 2023, Alexander Bokovoy via FreeIPA-users wrote:
On Mon, 23 Jan 2023, John Smith via FreeIPA-users wrote:
Hi all, recently I managed to run FreeIPA 4.10.1 on Fedora 37 and
everything works fine. I also set up an IPA client on another instance, and
there I'm also able to log in with an Azure account. However, we have
many different OSes in our config.

As far as I see, the first implementation of OAuth 2.0 was placed in release
4.9.10 -> https://www.freeipa.org/page/Releases/4.9.10

---
Highlights in 4.9.10

  1539: [RFE] Add code to check password expiration on ldap bind

      User can no longer do LDAP BIND operation with expired password.

  8803: Add support for managing IdP references

      FreeIPA can now authenticate users with the help of OAuth 2.0 identity
      providers supporting OAuth 2.0 Device Authorization Flow. IdPs known to
      work are Keycloak, Microsoft Azure, Google, Github, and Okta. Details on
      how to use Keycloak can be found in FreeIPA workshop:
      https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html

---

We have on board instances with Ubuntu 22.04, for example, and as I see
the newest package for this OS is freeipa-client_4.9.8-1_amd64.deb.
I've tried to do the flow there, but as I suspected it is not working;
there is not even a request to log in to the Azure site for authorization, and I
suspect this is OK, as according to the above it is not yet supported.

However, I tried to do the same with Ubuntu 23.04 (lunar), where the
newest available package is freeipa-client_4.9.11-1_amd64.deb, which
gives me hope that this would allow us to proceed with the flow:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html#troubleshooting-idp-integration
as above there was a statement that it was already introduced in
version 4.9.10. Sadly, the behaviour is exactly the same as it was on
Ubuntu 22.04 (there are not even logs for otpd, as if such a module is not
even installed with this client version).

Do you guys know if 4.9.10 would allow us to proceed with OAuth 2.0
successfully, or indeed does it have to be at least 4.10 as provided in
the documentation?

Client side depends on SSSD and MIT Kerberos. So you need to look at

[SSSD git tree] git tag --contains 68a8a2d71b77fbc5e7a748307ac4164ebd8125f3
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.8.0
2.8.1
2.8.2

Anything before 2.8.0 is most likely a backport in RHEL. Any other
distributions than RHEL 8.7/9.1 and rebuilds or Fedora 36+ aren't
guaranteed to have anything. In particular, FreeIPA upstream team does
not maintain anything in Ubuntu or Debian Linux distributions
themselves, so any specific feature parity is purely a question to the
specific distribution maintainers, not here.

Judging by https://launchpad.net/sssd, 23.04 and 22.10 should have
sssd-idp package.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
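
The client-side check described in the reply above, as an added example that is not part of the original message or of FreeIPA/SSSD: it compares the installed SSSD package version with 2.7.0 (the first tag listed for the commit) and looks for the sssd-idp package. The function names and the choice of sssd-common as the package to query are assumptions, and a version at or above 2.7.0 only shows that the upstream release contains the commit, not that the distribution built or packaged the feature.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sssd-common as the queried
# package is an assumption. 2.7.0 and sssd-idp come from the reply above.
MIN_SSSD="2.7.0"

# Strip a Debian epoch ("1:") and packaging revision ("-1ubuntu1").
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# True when version $1 >= version $2 (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Classify a raw package version string against the first tagged release.
classify_sssd() {
    if version_ge "$(upstream_version "$1")" "$MIN_SSSD"; then
        echo "upstream-has-idp"
    else
        echo "needs-distro-backport"
    fi
}

# Print the installed version of package $1, or nothing if it is absent.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        if out=$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null); then
            printf '%s\n' "$out"
        fi
    elif command -v rpm >/dev/null 2>&1; then
        # rpm prints "package ... is not installed" on stdout, so gate on status.
        if out=$(rpm -q --qf '%{VERSION}' "$1" 2>/dev/null); then
            printf '%s\n' "$out"
        fi
    fi
}

report() {
    ver=$(installed_version sssd-common)
    if [ -z "$ver" ]; then echo "sssd-common: not installed"; return 1; fi
    echo "sssd-common $ver: $(classify_sssd "$ver")"
    if [ -n "$(installed_version sssd-idp)" ]; then
        echo "sssd-idp: installed"
    else
        echo "sssd-idp: missing"
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` on the client; without arguments it only defines the functions.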