On 12 April 2013 15:51, Simon Williams <simon.willi...@thehelpfulcat.com> wrote:
> I use Atlassian products, but use Crowd to provide single signon. This
> means that Crowd is the only application that needs to authenticate against
> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
> not get it to work set to OpenLDAP.

I had a look at crowd but it seemed like overkill when I could just point
everything at FreeIPA. We are a small shop so the extra queries weren't going
to affect much. I tried telling my Atlassian apps that freeipa was a 389 ds
server but it refused to work properly. Slightly strange considering the ldap
modules for all of them are the same as the one used in crowd.

> Regards
>
> Simon
>
> On 11 Apr 2013 23:36, "Peter Brown" <rendhal...@gmail.com> wrote:
>
>> On 12 April 2013 05:04, John Dennis <jden...@redhat.com> wrote:
>>
>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>
>>>> hi,
>>>> I've got a problem with using IPA as authentication source over LDAP.
>>>> Generally there are two approaches to LDAP authentication:
>>>> 1. bind using admin account and read passwords from user objects (but in
>>>> ipa you cannot read passwords through ldap, right?)
>>>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>>>> credentials. If login is successful authentication is also successful -
>>>> this approach does not work because you cannot login to IPA ldap using
>>>> bare username, you need a full LDAP DN.
>>>
>>> Most applications I know of that do "bind as user" to authenticate also
>>> permit you to specify a format string into which the user name is inserted
>>> (i.e. the format string is the dn, e.g.
>>> "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
>>> -or- they do a search to discover the dn. If your application does not
>>> support either approach it's broken IMHO.
>>
>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
>> I will be adding more applications in the future as well.
>> If the application doesn't support Kerberos it's the next best thing in
>> my opinion.
>> I have also used it to get email lists into dovecot and postfix.
>>
>> One caveat I found is you need to tell Atlassian applications that
>> FreeIPA is a plain OpenLDAP server to get it to work.
>> Apart from that it works "out of the box" as they say.
>>
>>> Reading passwords and/or password hashes is not supported for security
>>> reasons.
>>>
>>>> Now, I've got a 3rd party application supporting both mentioned above
>>>> approaches and the question is - how to make it work with ipa?
>>>>
>>>> thanks in advance,
>>>> Bartek.
>>>
>>> --
>>> John Dennis <jden...@redhat.com>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
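An added example, written for this page and not code from anyone in the thread, showing the two "bind as user" shapes John describes: filling the DN format string "uid=%u,cn=users,cn=accounts,dc=example,dc=com" with the login name, and searching for the entry first. It adds the escaping each shape needs so a login name cannot rewrite the DN or the filter, and the empty-password check that keeps an unauthenticated bind from counting as a login. The posixAccount object class and the simple_bind(dn, password) callback interface are assumptions for illustration.

```python
# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a login name so it cannot add or alter RDNs in a DN template."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:          # control characters become \XX hex pairs
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def bind_dn_from_template(template: str, username: str) -> str:
    """Approach 1 from the thread: fill the format-string DN with the login name."""
    return template.replace('%u', escape_dn_value(username))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for approach 2: search for the entry, then bind as it."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def search_filter_for(username: str) -> str:
    # posixAccount is an assumption; FreeIPA users carry it, other trees may not.
    return '(&(objectClass=posixAccount)(uid=%s))' % escape_filter_value(username)


def password_acceptable(password: str) -> bool:
    """RFC 4513: a simple bind with an empty password is an unauthenticated
    (anonymous) bind on many servers, so it must never be counted as a login."""
    return bool(password)


def authenticate(username: str, password: str, template: str, simple_bind) -> bool:
    """Bind-as-user flow. simple_bind(dn, password) -> bool stands for the
    caller's real LDAP client (assumed interface); a fake exercises the logic."""
    if not password_acceptable(password):
        return False
    return simple_bind(bind_dn_from_template(template, username), password)


if __name__ == '__main__':
    tmpl = 'uid=%u,cn=users,cn=accounts,dc=example,dc=com'
    ok_dn = 'uid=bartek,cn=users,cn=accounts,dc=example,dc=com'
    fake_bind = lambda dn, pw: dn == ok_dn and pw == 's3cret'   # constructed stand-in
    print(authenticate('bartek', 's3cret', tmpl, fake_bind))    # True
    print(authenticate('bartek', '', tmpl, fake_bind))          # False: empty password refused
    print(bind_dn_from_template(tmpl, 'x,cn=admins'))           # the comma and = are escaped
```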