Yes, it works if I specify the -s as ldap.mycorp.com. So we have progress! It now appears to authenticate fine when it posts the session, but I have a new error.

I get an IPA Error 911: "Missing HTTP referer. <br/> You have to configure your browser to send HTTP referer header." I assume this is because the external name doesn't match the internal name. Is there a way to modify this somewhere?

Thanks.

Steve

On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose <sb...@redhat.com> wrote:
> On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
> > Hi Sumit, that does indeed work. What does that tell us?
>
> I'm sorry, but it only tells that in general GSSAPI/Kerberos is working.
> I think it does not help much with your original issue. About
> ipa-getkeytab, does it work if you specify the server with the
> -s/--server option?
>
> bye,
> Sumit
>
> > Steve
> >
> > On Wed, Jan 29, 2014 at 12:11 AM, Sumit Bose <sb...@redhat.com> wrote:
> > > On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> > > > Hi Everyone,
> > > >
> > > > I have deployed freeipa inside our production network. I want to be able to
> > > > access the web UI, so I am attempting to add it to our nginx edge machine. I
> > > > can pass the requests upstream just fine, but I am unable to log in using a
> > > > username/password. I have enabled password authentication in the kerberos
> > > > section of the freeipa httpd config file. In the logs it looks like the
> > > > authentication succeeds and a ticket is issued. I assume that the cookie
> > > > that is returned (ipa_session) has the authentication information in it.
> > > > The subsequent call to get JSON data fails and I am prompted to log in again.
> > > >
> > > > I found this thread (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> > > > which has instructions on adding ipa.mydomain.com to the keytab. When I
> > > > call ipa-getkeytab it hangs for a bit before returning:
> > > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > > >
> > > > Digging into this, if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
> > > >
> > > > I get:
> > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > > additional info: SASL(-4): no mechanism available:
> > >
> > > Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y GSSAPI ....' ?
> > >
> > > bye,
> > > Sumit
> > >
> > > > So we seem to have a SASL problem. If I run ldapsearch with -x, simple
> > > > authentication works just fine.
> > > >
> > > > Do I need to do something special to enable SASL so I can get the keytab?
> > > > The ipa-getkeytab command does not seem to have an option to use simple
> > > > authentication.
> > > >
> > > > Thanks.
> > > >
> > > > Steve

-- 
Steve Severance
Director of Engineering
Altos Research
e. st...@altosresearch.com
m. (240) 472 - 9645

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
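The "Missing HTTP referer" error above is the kind of origin check that breaks once a reverse proxy fronts a service under a different hostname. The following is an added illustration, not code from this thread and not FreeIPA's own source: it assumes (from the wording of the quoted error) that the IPA JSON-RPC endpoint accepts only a Referer that begins with https://<IPA server host>/ipa, models that check, and shows why a browser reaching the UI through an edge proxy under an external name fails it and what the edge would have to present upstream. The hostnames, header values and function names are constructed for the example.

```python
"""Model of a Referer-prefix check (IPA Error 911 style) behind a reverse proxy.

Assumption (not verified against FreeIPA's source): the upstream rejects any
request whose Referer is absent or does not start with https://<ipa_host>/ipa.
All hostnames below are constructed for the example.
"""
from urllib.parse import urlsplit

IPA_HOST = "ipa.internal.example.com"   # name the IPA server knows itself by (constructed)
EDGE_HOST = "ipa.example.com"           # external name served by the nginx edge (constructed)

REFERER_ERROR_CODE = 911


def check_referer(headers: dict, ipa_host: str = IPA_HOST):
    """Return None when the request would pass the modelled check, otherwise an
    error dict shaped like the JSON-RPC error quoted in the thread (code 911)."""
    referer = headers.get("Referer")
    if referer is None:
        return {
            "code": REFERER_ERROR_CODE,
            "message": "Missing HTTP referer. You have to configure your "
                       "browser to send HTTP referer header.",
        }
    # The upstream only knows its own name, so a Referer carrying the external
    # edge name fails the prefix test even though the user is on the real UI.
    if not referer.startswith(f"https://{ipa_host}/ipa"):
        return {
            "code": REFERER_ERROR_CODE,
            "message": f"Referer {referer!r} does not start with https://{ipa_host}/ipa",
        }
    return None


def rewrite_for_upstream(headers: dict, external_host: str = EDGE_HOST,
                         ipa_host: str = IPA_HOST) -> dict:
    """Headers an edge proxy would have to send upstream for the check to pass.

    Host is replaced with the internal name, and a Referer is rewritten only
    when it points at the external UI over https. A Referer from any other
    origin is passed through untouched, so the upstream still rejects it; the
    proxy must not turn an arbitrary Referer into a trusted-looking one.
    """
    out = dict(headers)
    out["Host"] = ipa_host
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme == "https" and parts.hostname == external_host.lower():
            out["Referer"] = parts._replace(netloc=ipa_host).geturl()
    return out


def simulate(browser_headers: dict):
    """Run a browser's headers through the modelled edge proxy and the upstream
    check; returns None on success or the 911-style error dict."""
    return check_referer(rewrite_for_upstream(browser_headers))


if __name__ == "__main__":
    # Browser on the external name, no proxy rewrite: rejected.
    print(check_referer({"Referer": f"https://{EDGE_HOST}/ipa/ui/"}))
    # Same browser through a proxy that presents the internal name: accepted.
    print(simulate({"Referer": f"https://{EDGE_HOST}/ipa/ui/"}))
    # Referer from an unrelated origin is left alone and still rejected.
    print(simulate({"Referer": "https://other.example.net/ipa/ui/"}))
```

In nginx terms the two header adjustments in rewrite_for_upstream correspond to proxy_set_header directives for Host and Referer on the location that proxies to the IPA server; which exact Referer value the real FreeIPA check expects should be confirmed against the version in use rather than taken from this model.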