[Freeipa-users] LDAP authentication for 3rd party

Peter Brown rendhalver at gmail.com
Fri Apr 12 05:58:24 UTC 2013


On 12 April 2013 15:51, Simon Williams <simon.williams at thehelpfulcat.com> wrote:

> I use Atlassian products, but use Crowd to provide single signon. This
> means that Crowd is the only application that needs to authenticate against
> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
> not get it to work set to OpenLDAP.
>

I had a look at crowd but it seemed like overkill when I could just point
everything at FreeIPA.
We are a small shop so the extra queries weren't going to affect much.
I tried telling my Atlassian apps that FreeIPA was a 389 DS server but it
refused to work properly.
Slightly strange considering the ldap modules for all of them are the same
as the one used in crowd.


> Regards
>
> Simon
> On 11 Apr 2013 23:36, "Peter Brown" <rendhalver at gmail.com> wrote:
>
>> On 12 April 2013 05:04, John Dennis <jdennis at redhat.com> wrote:
>>
>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>
>>>> hi,
>>>> I've got a problem with using IPA as authentication source over LDAP.
>>>> Generally there are two approaches to LDAP authentication:
>>>> 1. bind using admin account and read passwords from user objects (but in
>>>> ipa you cannot read passwords through ldap, right?)
>>>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>>>> credentials. If login is successful authentication is also successful -
>>>> this approach does not work because you cannot login to IPA ldap using
>>>> bare username, you need a full LDAP DN.
>>>>
>>>
>>> Most applications I know of that do "bind as user" to authenticate also
>>> permit you to specify a format string into which the user name is inserted
>>> (i.e. the format string is the dn, e.g. "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
>>> -or- they do a search to discover the dn. If your application does not
>>> support either approach it's broken IMHO.
>>>
>>
>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
>> I will be adding more applications in the future as well.
>> If the application doesn't support Kerberos it's the next best thing in
>> my opinion.
>> I have also used it to get email lists into dovecot and postfix.
>>
>> One caveat I found is you need to tell Atlassian applications that
>> FreeIPA is a plain OpenLDAP server to get it to work.
>> Apart from that it works "out of the box" as they say.
>>
>>
>>
>>>
>>> Reading passwords and/or password hashes is not supported for security
>>> reasons.
>>>
>>>> Now, I've got a 3rd party application supporting both mentioned above
>>>> approaches and the question is - how to make it work with ipa?
>>>>
>>>> thanks in advance,
>>>> Bartek.
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>
>>> --
>>> John Dennis <jdennis at redhat.com>
>>>
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>
>>
>>
>
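An added example (not from the thread or the FreeIPA project) showing the two "bind as user" variants John describes: inserting the login name into a DN template, and searching for the entry first and then binding with the DN found. The connection interface (`conn.bind`, `conn.search`) and `FakeDirectory` are assumptions constructed for an offline run; the DN template is the one quoted above.

```python
# Added example (not from the thread or the FreeIPA project): bind-as-user login
# done the two ways John describes, (a) put the login name into a DN template,
# (b) search for the entry first, then bind with the DN found. The name is
# escaped (RFC 4514 inside a DN, RFC 4515 inside a filter) so input such as
# "bob,cn=admins" or "*)(uid=*" cannot change which entry is bound or matched.
# Assumed (hypothetical) connection interface: conn.bind(dn, pw) -> bool and
# conn.search(base, filt, attrs) -> [(dn, attrs)]. FakeDirectory is constructed.
DN_TEMPLATE = "uid=%u,cn=users,cn=accounts,dc=example,dc=com"  # template from the thread
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"

def escape_dn_value(value):  # RFC 4514 escaping of one attribute value in a DN
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def escape_filter_value(value):  # RFC 4515 escaping of a value used in a search filter
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)

def bind_dn_from_template(username, template=DN_TEMPLATE):
    return template.replace('%u', escape_dn_value(username))

def auth_by_template(conn, username, password):
    if not password:  # an empty password is an anonymous bind, which "succeeds" on most servers
        return False
    return conn.bind(bind_dn_from_template(username), password)

def auth_by_search(conn, username, password, base=USER_BASE):
    # conn is assumed already bound as a service account (or anonymously, where allowed)
    if not password:
        return False
    hits = conn.search(base, '(uid=%s)' % escape_filter_value(username), ['uid'])
    if len(hits) != 1:  # no match or an ambiguous match: refuse rather than guess
        return False
    return conn.bind(hits[0][0], password)

class FakeDirectory:
    """Constructed stand-in for the 389 DS behind FreeIPA, holding one user (offline demo)."""
    users = {"uid=bob,cn=users,cn=accounts,dc=example,dc=com": "s3cret"}

    def bind(self, dn, password):
        return self.users.get(dn) == password

    def search(self, base, filt, attrs):  # only exact, already-escaped filters are understood
        return [(dn, {"uid": ["bob"]}) for dn in self.users
                if filt == "(uid=bob)" and dn.endswith(base)]
```

Against a real server, replace `FakeDirectory` with a client that implements the same two calls; the empty-password check matters because many directories treat a bind with a DN and no password as an anonymous bind that does not fail.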