I am setting up LDAP authentication with a remote service. On https://www.freeipa.org/page/HowTo/LDAP it says the following:
"Do not use the Directory Manager account to authenticate remote services to the IPA LDAP server. Use a system account, created like this:"

I followed the steps there to create an entry under sysaccounts, and confirmed it is there using ldapsearch:

    ldapsearch -D 'cn=Directory Manager' -W -H ldap://ipa01.example.com -x uid=remoteu

    # remoteu, sysaccounts, etc, example.com
    dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
    objectClass: account
    objectClass: simplesecurityobject
    objectClass: top
    uid: remoteu
    userPassword:: [hash value]

This new user is unable to run LDAP searches though:

    ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

The new user is also unable to authenticate the remote service. (The Directory Manager user is able to authenticate the remote service, although as pointed out above, that's not a good idea.)

The How-To LDAP page also notes:

"IPA 4.0 is going to change the default stance on data from nearly everything is readable to nothing is readable, by default. You will eventually need to add some Access Control Instructions (ACI's) to grant read access to the parts of the LDAP tree you will need."

I'm not sure if that's part of the issue or not. I'm using IPA version 4.4.0.

Thanks in advance for any suggestions.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
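An added example (not part of the post or of FreeIPA's own code) for pinning down a simple-bind failure with error 49: it parses an LDIF entry like the one above, with a constructed {SSHA} hash of the password "secret" standing in for the redacted value, and reports whether the bind DN differs from the entry's actual DN or the password fails to verify against the stored hash. The {SSHA} layout and the DN normalisation are simplified assumptions, not a full RFC 4514 implementation.

```python
import base64
import hashlib
def ssha_hash(password: str, salt: bytes) -> str:
    """389-ds style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    # SHA-1 digests are 20 bytes; whatever follows is the salt
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

# Constructed sample: the entry from the post, with an {SSHA} hash of "secret"
# (fixed salt, so it is reproducible) standing in for the redacted value.
SAMPLE_HASH = ssha_hash("secret", salt=b"12345678")
SAMPLE_LDIF = f"""# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: {base64.b64encode(SAMPLE_HASH.encode()).decode()}
"""

def parse_ldif_entry(text: str) -> dict:
    entry = {}  # {attr: [values]}; "attr:: v" means v is base64-encoded
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
    return entry

def normalize_dn(dn: str) -> str:  # case-fold and trim RDNs; not full RFC 4514
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def diagnose_bind(bind_dn: str, password: str, entry: dict) -> list:
    """Return the reasons a simple bind as bind_dn would fail with error 49."""
    problems = []
    entry_dn = entry["dn"][0]
    if normalize_dn(bind_dn) != normalize_dn(entry_dn):
        problems.append(f"bind DN {bind_dn!r} is not the entry's DN {entry_dn!r}")
    if not any(ssha_verify(password, h) for h in entry.get("userPassword", [])):
        problems.append("password does not match the stored userPassword hash")
    return problems
```

Error 49 is raised by the bind itself; a missing read ACI lets the bind succeed and instead makes the search return no entries.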