[Freeipa-users] LDAP authentication for 3rd party
Rob Crittenden
rcritten at redhat.com
Thu Apr 11 18:59:29 UTC 2013
Bartek Moczulski wrote:
> hi,
> I've got a problem with using IPA as authentication source over LDAP.
> Generally there are two approaches to LDAP authentication:
> 1. bind using admin account and read passwords from user objects (but in
> ipa you cannot read passwords through ldap, right?)
> 2. "bind to authenticate" - service tries to log in to ldap with user's
> credentials. If login is successful authentication is also successful -
> this approach does not work because you cannot login to IPA ldap using
> bare username, you need a full LDAP DN.
>
> Now, I've got a 3rd party application supporting both mentioned above
> approaches and the question is - how to make it work with ipa?
>
> thanks in advance,
We won't do #1. In our opinion it is insecure to share password hashes.
For #2 AFAIK LDAP simple bind requires a DN. Typically the app does a
search on the uid, gets the DN, then attempts a bind.
I'd be curious to know what LDAP servers your 3rd party app is certified
against.
rob
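
The search-then-bind flow described in the reply above, as an added example that is not part of the original thread or of FreeIPA's code. `FakeDirectory`, `authenticate`, the sample entries and the `dc=example,dc=com` suffix are assumptions; the in-memory class stands in for a real LDAP connection so the flow runs offline.

```python
import re

# Sample base: FreeIPA's user container under a placeholder example.com suffix.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection (hypothetical)."""
    def __init__(self, entries):
        self.entries = entries  # DN -> {"uid": ..., "password": ...}

    def search(self, base, flt):
        # Understands only "(uid=<value>)" with "*" wildcards and \xx escapes.
        value = re.fullmatch(r"\(uid=(.*)\)", flt, re.S).group(1)
        unescape = lambda s: re.sub(r"\\([0-9a-f]{2})",
                                    lambda m: chr(int(m.group(1), 16)), s)
        rx = ".*".join(re.escape(unescape(p)) for p in value.split("*"))
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and re.fullmatch(rx, e["uid"])]

    def bind(self, dn, password):
        # An empty password is an "unauthenticated bind" (RFC 4513); this fake
        # accepts it, as some servers do, so the client-side check matters.
        return password == "" or self.entries[dn]["password"] == password

def authenticate(directory, username, password, base=USER_BASE):
    """Search on uid, require exactly one DN, then bind as that DN."""
    if not username or not password:
        return False  # never send an empty password to the server
    hits = directory.search(base, "(uid=%s)" % escape_filter_value(username))
    if len(hits) != 1:
        return False  # unknown or ambiguous login name
    return directory.bind(hits[0], password)

# Constructed sample entries.
DIRECTORY = FakeDirectory({
    "uid=alice," + USER_BASE: {"uid": "alice", "password": "alice-pw"},
    "uid=bob," + USER_BASE: {"uid": "bob", "password": "bob-pw"},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, "alice", "alice-pw"))
```

Against a real server the search step runs over an anonymous or service-account connection, and both steps belong on a TLS-protected connection because a simple bind sends the password in the clear.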