[Freeipa-users] LDAP authentication for 3rd party

Peter Brown rendhalver at gmail.com
Thu Apr 11 22:32:43 UTC 2013


On 12 April 2013 05:04, John Dennis <jdennis at redhat.com> wrote:

> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>
>> hi,
>> I've got a problem with using IPA as authentication source over LDAP.
>> Generally there are two approaches to LDAP authentication:
>> 1. bind using admin account and read passwords from user objects (but in
>> ipa you cannot read passwords through ldap, right?)
>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>> credentials. If login is successful authentication is also successful -
>> this approach does not work because you cannot login to IPA ldap using
>> bare username, you need a full LDAP DN.
>>
>
> Most applications I know of that do "bind as user" to authenticate also
> permit you to specify a format string into which the user name is inserted
> (i.e. the format string is the dn, e.g. "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
> -or- they do a search to discover the dn. If your application does not
> support either approach it's broken IMHO.
>

I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
I will be adding more applications in the future as well.
If the application doesn't support Kerberos it's the next best thing in my
opinion.
I have also used it to get email lists into dovecot and postfix.

One caveat I found is you need to tell Atlassian applications that FreeIPA
is a plain OpenLDAP server to get it to work.
Apart from that it works "out of the box" as they say.



>
> Reading passwords and/or password hashes is not supported for security
> reasons.
>
>> Now, I've got a 3rd party application supporting both mentioned above
>> approaches and the question is - how to make it work with ipa?
>>
>> thanks in advance,
>> Bartek.
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
> --
> John Dennis <jdennis at redhat.com>
>
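The two "bind as user" strategies discussed in this thread (substituting the login name into a DN template such as `uid=%u,cn=users,cn=accounts,dc=example,dc=com`, or binding as a service account and searching for the user's DN first) are easy to get subtly wrong. The example below is added here and is not code from the thread, from FreeIPA or from any Atlassian product: it implements both strategies against a small in-memory stand-in for the directory so it runs offline. The user names, passwords and the `svc-jira` service account are constructed, and `FakeDirectory` is a stand-in for a real LDAP client such as `ldap3` or `python-ldap`. It shows the two checks a practitioner should add regardless of which approach the application uses: escape the login name before placing it in a DN (RFC 4514) or a search filter (RFC 4515), and never forward an empty password, because an LDAP simple bind with a DN and no password is an "unauthenticated" bind (RFC 4513, section 5.1.2) that many servers accept as anonymous.

```python
import re

# Constructed sample tree, following the DN template quoted in the thread.
BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"
DN_TEMPLATE = "uid=%u," + BASE_DN        # approach 1: format string with the user name
SERVICE_DN = "uid=svc-jira," + BASE_DN   # hypothetical read-only account for approach 2

ENTRIES = {  # constructed entries; a real server would hold hashed userPassword values
    "uid=bartek," + BASE_DN: {"uid": "bartek", "userPassword": "correct horse"},
    "uid=peter," + BASE_DN: {"uid": "peter", "userPassword": "battery staple"},
    SERVICE_DN: {"uid": "svc-jira", "userPassword": "svc-secret"},
}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, len(value) - 1):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                        # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


class FakeDirectory:
    """Stand-in for an LDAP server: simple bind plus a one-clause equality/substring search."""

    def __init__(self, entries):
        self.entries = entries

    def simple_bind(self, dn: str, password: str) -> bool:
        # Deliberately mirrors RFC 4513 s5.1.2: a DN with an empty password is an
        # unauthenticated bind, which servers may accept (as anonymous).
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base: str, ldap_filter: str) -> list:
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: %r" % ldap_filter)
        attr, raw = m.groups()
        # Unescaped '*' is a wildcard; '\xx' hex sequences are literal octets.
        unhex = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)
        pattern = re.compile("^" + ".*".join(re.escape(unhex(p)) for p in raw.split("*")) + "$")
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and attr in e and pattern.match(e[attr])]


def authenticate_by_template(directory, username: str, password: str) -> bool:
    """Approach 1: put the (escaped) login name into the DN template and bind as that DN."""
    if not password:
        return False   # refuse: forwarding "" would turn into an unauthenticated bind
    dn = DN_TEMPLATE.replace("%u", escape_dn_value(username))
    return directory.simple_bind(dn, password)


def authenticate_by_search(directory, username: str, password: str,
                           service_password: str = "svc-secret") -> bool:
    """Approach 2: bind as the service account, look up the user's DN, then bind as the user."""
    if not password:
        return False
    if not directory.simple_bind(SERVICE_DN, service_password):
        return False
    matches = directory.search(BASE_DN, "(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:   # zero or ambiguous hits: refuse rather than pick one
        return False
    return directory.simple_bind(matches[0], password)


if __name__ == "__main__":
    d = FakeDirectory(ENTRIES)
    print("template, good password:", authenticate_by_template(d, "bartek", "correct horse"))
    print("template, empty password:", authenticate_by_template(d, "bartek", ""))
    print("search, wildcard user name:", authenticate_by_search(d, "*", "battery staple"))
```

Two details are worth noting when wiring a real application to FreeIPA this way. The empty-password guard belongs in the application even when the server is configured to reject unauthenticated binds, because the server setting is outside the application's control. And in the search-then-bind path, a result count other than exactly one is treated as a failure: a wildcard or overly broad filter that matches several entries must not be resolved by trying the first hit.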