[Freeipa-users] Re: Setting up authentication for apache webserver (part 2) -- User is not unique

2022-01-12 Thread Simon Matthews via FreeIPA-users
> this is normal (and desirable), the user is added in both users/accounts tree
> and the compat tree.

If it is normal, it would be nice if the documentation reflected this. 

> I have had issues with nested groups when I fail to use the compat tree in my
> LDAP integrations.
> 
I have problems with "Require ldap-group". I'll start a new thread for that. 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: Setting up authentication for apache webserver (part 2) -- User is not unique

2022-01-12 Thread Simon Matthews via FreeIPA-users
> Simon Matthews via FreeIPA-users wrote:
> 
> Your URL needs to be more specific to find users, like
> cn=users,cn=accounts,dc=...
> 
> Or alternatively you could add an objectclass filter, but searching the
> entire tree for users is more work than necessary.
> 
> IPA maintains a separate, synthesized tree, for compatibility with
> RFC2307. This is the cn=compat entry you are seeing.
> 
> I'll also note that all users are in the group ipausers. IIRC it also
> has to be a dn but I could be wrong on that.
> 
> rob
Adding "cn=users,cn=accounts" to the AuthLDAPURL worked. I am able to 
authenticate specific users. However, I have not been able to get "Require 
ldap-group" to work. I'll start a new thread for that. 


[Freeipa-users] Re: Setting up authentication for apache webserver (part 2) -- User is not unique

2022-01-11 Thread Grant Janssen via FreeIPA-users
This is normal (and desirable), the user is added in both users/accounts tree
and the compat tree.
I have had issues with nested groups when I fail to use the compat tree in my
LDAP integrations.

- grant


[Freeipa-users] Re: Setting up authentication for apache webserver (part 2) -- User is not unique

2022-01-11 Thread Rob Crittenden via FreeIPA-users
Simon Matthews via FreeIPA-users wrote:
> I seem to get two entries every time I create a new user. This is causing the
> webserver authentication to fail with the message about "User is not unique":
> 
> [Tue Jan 11 20:42:16.645046 2022] [authnz_ldap:debug] [pid 21005] mod_authnz_ldap.c(505): [client 10.14.0.18:59704] AH01691: auth_ldap authenticate: using URL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
> [Tue Jan 11 20:42:16.810661 2022] [authnz_ldap:info] [pid 21005] [client 10.14.0.18:59704] AH01695: auth_ldap authenticate: user testuser authentication failed; URI / [User is not unique (search found two or more matches)][No such object]
> [Tue Jan 11 20:42:16.810715 2022] [auth_basic:error] [pid 21005] [client 10.14.0.18:59704] AH01618: user testuser not found: /
> 
> # ipa user-add testuser
> First name: test
> Last name: user
> -
> Added user "testuser"
> -
>   User login: testuser
>   First name: test
>   Last name: user
>   Full name: test user
>   Display name: test user
>   Initials: tu
>   Home directory: /home/testuser
>   GECOS: test user
>   Login shell: /bin/sh
>   Principal name: testu...@ipa.bluepearlsoftware.com
>   Principal alias: testu...@ipa.bluepearlsoftware.com
>   Email address: testu...@ipa.bluepearlsoftware.com
>   UID: 129317
>   GID: 129317
>   Password: False
>   Member of groups: ipausers
>   Kerberos keys available: False
> 
> 
> [root@ipa1 scripts]# ldapsearch '(uid=testuser)'
> SASL/GSSAPI authentication started
> SASL username: ad...@ipa.bluepearlsoftware.com
> SASL SSF: 256
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base  (default) with scope subtree
> # filter: (uid=testuser)
> # requesting: ALL
> #
> 
> # testuser, users, compat, ipa.bluepearlsoftware.com
> dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
> objectClass: posixAccount
> objectClass: ipaOverrideTarget
> objectClass: ipaOverrideTarget
> objectClass: top
> gecos: test user
> cn: test user
> uidNumber: 129317
> gidNumber: 129317
> loginShell: /bin/sh  
> homeDirectory: /home/testuser
> ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMT
>  FlYy1iNWQ5LTUyNTQwMGI1NzZmYg==
> uid: testuser
> 
> # testuser, users, accounts, ipa.bluepearlsoftware.com
> dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
> displayName: test user
> uid: testuser
> krbCanonicalName: testu...@ipa.bluepearlsoftware.com
> objectClass: top
> objectClass: person  
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh  
> initials: tu
> gecos: test user
> sn: user
> homeDirectory: /home/testuser
> mail: testu...@ipa.bluepearlsoftware.com
> krbPrincipalName: testu...@ipa.bluepearlsoftware.com
> givenName: test
> cn: test user
> ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
> uidNumber: 129317
> gidNumber: 129317
> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware
>  ,dc=com
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 3
> # numEntries: 2
> 
> Relevant part of Apache config file:
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authz_core_module modules/mod_authz_core.so
> LoadModule authn_core_module modules/mod_authn_core.so
> Loglevel authnz_ldap_module:debug
> LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt
> 
> AuthType Basic
> AuthName "Blue Pearl"
> AuthBasicProvider ldap
> AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub

Your URL needs to be more specific to find users, like
cn=users,cn=accounts,dc=...

Or alternatively you could add an objectclass filter, but searching the
entire tree for users is more work than necessary.

IPA maintains a separate, synthesized tree, for compatibility with
RFC2307. This is the cn=compat entry you are seeing.

I'll also note that all users are in the group ipausers. IIRC it also
has to be a dn but I could be wrong on that.

rob

> # AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
> AuthLDAPBindPassword 
> 
> Require ldap-group ipausers
> #   Require ldap-group 
> AuthLDAPGroupAttributeIsDN off
> 
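The httpd configuration below is an added worked example that applies Rob's advice (narrow the user search base, or add an objectClass filter, and give `Require ldap-group` a DN); it is not code from the thread, from Apache, or from FreeIPA. The host name, CA path, bind account DN and the `cn=ipausers,cn=groups,cn=accounts,...` group DN are taken from Simon's posted config and ldapsearch output; the objectClass filter is derived from the two entries he posted (only the real entry under cn=accounts carries inetOrgPerson and krbPrincipalAux); the compat-tree group DN `cn=ipausers,cn=groups,cn=compat,...`, the `<Location "/">` scope and the placeholder password are assumptions.

```apache
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so
LoadModule authn_core_module   modules/mod_authn_core.so
LoadModule authz_core_module   modules/mod_authz_core.so

LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt
LogLevel authnz_ldap:debug

# Scope is an assumption; the thread does not show where the directives lived.
<Location "/">
    AuthType          Basic
    AuthName          "Blue Pearl"
    AuthBasicProvider ldap

    # Broken: base = suffix, scope = sub, no filter. FreeIPA exposes the same uid
    # under cn=users,cn=accounts (the real entry) and under the synthesized
    # cn=users,cn=compat RFC2307 tree, so the search returns two entries and
    # mod_authnz_ldap refuses with "User is not unique".
    #AuthLDAPURL "ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub"

    # Fix 1 (preferred): anchor the search in the accounts tree, where each uid
    # exists exactly once. URL syntax is ldap://host:port/basedn?attr?scope?filter;
    # the filter is ANDed with (uid=<login>) by mod_authnz_ldap.
    AuthLDAPURL "ldaps://ipa1.sj.bps:636/cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub?(objectClass=inetOrgPerson)"

    # Fix 2 (alternative): keep the wide base but filter on a class the compat
    # copy lacks (it has only posixAccount and ipaOverrideTarget). Works, but
    # still walks the whole suffix on every login.
    #AuthLDAPURL "ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub?(objectClass=krbPrincipalAux)"

    # Bind as the dedicated system account (from the posted config). The
    # password value is a placeholder; "exec:/path/to/program" is an option
    # if you do not want the secret in httpd.conf.
    AuthLDAPBindDN       "uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"

    # Group check in the accounts tree. FreeIPA groups there list members as
    # full user DNs in "member", so the group attribute holds DNs (this is the
    # default; the posted "off" setting is what breaks it), and ldap-group takes
    # the group's DN, not its short name "ipausers". The user DN found by the
    # AuthLDAPURL search above is what gets compared, so user and group lookups
    # must use the same tree.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com

    # Compat-tree variant (Grant's approach; assumed group DN). The compat
    # groups are posixGroup entries whose memberUid values are login names,
    # not DNs, so both the user search and the group check must move to
    # cn=compat together and the DN comparison must be switched off. Mixing
    # trees never matches: a DN from cn=accounts is not in a cn=compat member
    # list, and vice versa.
    #AuthLDAPURL "ldaps://ipa1.sj.bps:636/cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com?uid?one"
    #AuthLDAPGroupAttribute     memberUid
    #AuthLDAPGroupAttributeIsDN off
    #Require ldap-group cn=ipausers,cn=groups,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
</Location>
```

Before reloading httpd, repeat Simon's ldapsearch with `-b` set to the base DN from the chosen AuthLDAPURL and the same filter; the result must report `numEntries: 1` for a test login, and the group entry named in `Require ldap-group` must list that user's DN (accounts tree) or login name (compat tree) as a member, as seen by the httpbind account rather than by admin, since a bind account without read access to the group attribute fails the same way a wrong DN does.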