Nicola,
perhaps it would help if you explain what did you mean by saying below
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.
When you enabled migration mode and actually migrated users with 'ipa
migrate-ds' command, you will have those users in IPA and they will be
able to authenticate via LDAP with their old passwords.
If your server (where your web app would be running) is enrolled into
IPA, then it would be already running SSSD and set up for using it via
pam_sss. Then configuring your web app to authenticate via PAM stack
(for example, like we explain on
http://www.freeipa.org/page/Web_App_Authentication)
takes care of properly logging in and updating passwords.
SSSD knows about migration mode and has support for it.
On Thu, 09 Jul 2015, Nicola Canepa wrote:
I don't understand the question: aren't users created by IPA command
line the same as if they are created via the web GUI?
Nicola
Il 09/07/15 13:05, Jan Pazdziora ha scritto:
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
Hello.
I was trying Freeipa as an addition and (maybe) future replacement for the
current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.
I enabled migration mode in Freeipa, so that authenticated users should get
Kerberos hash created upon first login, but I don't know how to make users
login without creating them in advance.
Is there a (suggested) way to let users authenticate via Kerberos and create
users authenticated by PAM upon first login?
Create user where -- in the Web application or in FreeIPA?
--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona
diversa dal destinatario sono proibite la diffusione, la distribuzione e la
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti,
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle
parti.
The content of the above communication is strictly confidential and reserved
solely for the referred addressees. In the event of receipt by persons
different from the addressee, copying, alteration and distribution are
forbidden. If received by mistake we ask you to inform us and to destroy and/or
delete from your computer without using the data herein contained. The present
message (eventual annexes inclusive) shall not be considered a contractual
proposal and/or acceptance of offer from the addressee, nor waiver recognizance
of rights, debts and/or credits, nor shall it be binding when not executed as
a subsequent agreement by persons who could lawfully represent us. No
pre-contractual liability shall apply to us when the present communication is
not followed by any binding agreement between the parties.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
