On 12 April 2013 05:04, John Dennis <jden...@redhat.com> wrote:

> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>
>> hi,
>> I've got a problem with using IPA as authentication source over LDAP.
>> Generally there are two approaches to LDAP authentication:
>> 1. bind using admin account and read passwords from user objects (but in
>> ipa you cannot read passwords through ldap, right?)
>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>> credentials. If login is successful authentication is also successful -
>> this approach does not work because you cannot login to IPA ldap using
>> bare username, you need a full LDAP DN.
>
> Most applications I know of that do "bind as user" to authenticate also
> permit you to specify a format string into which the user name is inserted
> (i.e. the format string is the dn, e.g.
> "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
> -or- they do a search to discover the dn. If your application does not
> support either approach it's broken IMHO.

I have used this method for Confluence, Jira, Stash, Icinga and Foreman. I will be adding more applications in the future as well. If the application doesn't support Kerberos it's the next best thing in my opinion. I have also used it to get email lists into dovecot and postfix. One caveat I found is you need to tell Atlassian applications that FreeIPA is a plain OpenLDAP server to get it to work. Apart from that it works "out of the box" as they say.

> Reading passwords and/or password hashes is not supported for security
> reasons.
>
>> Now, I've got a 3rd party application supporting both mentioned above
>> approaches and the question is - how to make it work with ipa?
>>
>> thanks in advance,
>> Bartek.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> John Dennis <jden...@redhat.com>
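Both approaches described in the thread (a DN format string, or a search to discover the DN) place a user-supplied name into LDAP syntax before the bind. The following is an added example, not code from the thread or from FreeIPA, showing how that name can be escaped for each case and why an empty password must be rejected before binding. The DN template is the one quoted above; the filter template and all function names are assumptions made for illustration.

```python
# Added example: prepare input for "bind as user" authentication.
# DN_TEMPLATE is quoted in the thread; FILTER_TEMPLATE and the names are assumed.
DN_TEMPLATE = "uid=%u,cn=users,cn=accounts,dc=example,dc=com"
FILTER_TEMPLATE = "(&(objectClass=person)(uid=%u))"
_DN_SPECIAL = set('"+,;<>\\=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)  # leading '#'/space and trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn_for(username: str) -> str:
    """Format-string approach: insert the user name into the DN template."""
    return DN_TEMPLATE.replace("%u", escape_dn_value(username))


def search_filter_for(username: str) -> str:
    """Search approach: filter used to discover the user's DN before binding."""
    return FILTER_TEMPLATE.replace("%u", escape_filter_value(username))


def check_credentials(username: str, password: str) -> None:
    """Reject input that must never reach a simple bind."""
    if not username or not password:
        # A simple bind with an empty password is an unauthenticated bind
        # (RFC 4513); a server may report success without checking anything.
        raise ValueError("empty user name or password")


if __name__ == "__main__":
    for name in ("bartek", "x,cn=admins", "*"):  # constructed sample inputs
        print(bind_dn_for(name), "|", search_filter_for(name))
```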