Hi All, I'm trying to integrate Freeipa with jenkins and ldap auth plugin.
The thing with the Freeipa LDAP server is: * Only Directory Manager can read userPassword field (not sure yet how to create a sysaccount which can read the field. ldifs are welcome ;) * The userPassword field contains the password in salted SHA (SSHA) format. >From what I've observed the standard LDAP auth functions do not do the SSHA or any other type of calculations. The password is compared to the plain text that's usually(in a typical OpenLDAP server) stored in the userPassword field(correct me if I'm wrong) * I've managed to integrate CACTI with freeipa by base64 decoding the userPassword field then calculating the salted hash and comparing to the userPassword field. (php code modification was required). * I think the only way is to modify the jenkins LDAP plugin (?). The problem: * I don't want to use sssd PAM because we have OTP enabled and that would annoy users(?) additionally it's causing some unidentified build issues BTW> Can I disable OTP per server? * I can not integrate Kerberos/GSSAPI/SPNEGO because the PCs are not connected to the principal(no control over them yet) * I want simple LDAP auth ;-) Ideas & suggestions are welcome! M. On Sat, Feb 11, 2017 at 4:28 PM, Michael Ströder <mich...@stroeder.com> wrote: > Alexander Bokovoy wrote: > > On la, 11 helmi 2017, Michael Ströder wrote: > >> Alexander Bokovoy wrote: > >>> On la, 11 helmi 2017, Harald Dunkel wrote: > >>>> On 02/11/17 11:57, Alexander Bokovoy wrote: > >>>>> On la, 11 helmi 2017, Michael Ströder wrote: > >>>>>> > >>>>>> (Personally I'd avoid going through PAM.) > >>>>> Any specific reason for not using pam_sss? Remember, with SSSD > involved > >>>>> you get also authentication for trusted users from Active Directory > >>>>> realms. You don't get that with generic LDAP way. Also, you'd be more > >>>>> efficient in terms of utilising LDAP connections. > >>>>> > >>>> > >>>> I would prefer if the users are not allowed to login into a > >>>> shell on the Jenkins server. Surely this restriction can be > >>>> implemented with pam as well. > >>> > >>> Yes, you can use HBAC rules to prevent them from access to the host. > >> > >> But this introduces a hard dependency on host system administration > which I personally > >> always try to avoid. > >> > >> As said: Your mileage may vary. > > > > So we are talking about FreeIPA and a system enrolled to FreeIPA. This > > system is already managed in FreeIPA. > > Please don't get me wrong. Of course I assume that the original poster > wants to integrate > Jenkins with FreeIPA and make use of users and their group membership > already maintained > therein. > > Let's further assume that the service (here Jenkins) might be operated by > another team > than the system - not so unusual case at my customers' sites - relying on > defining HBAC > rules for the system's sssd might not be feasible. > > > Your mileage may vary, indeed, but I'd rather re-use what is available > > to you than implement a parallel infrastructure, including reliability > > aspects. > > Of course we both agree on the benefits of using what's already available. > > > Anyway, I think we are distancing away from the original topic. > > Especially since we both can only make rough assumptions about > requirements and > operational constraints of the original poster. > > Ciao, Michael. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Best regards Maciej Drobniuch Network Security Engineer Collective-Sense,LLC
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project