[Freeipa-users] FreeIPA mail object to use in 3rd party tool

Christopher Lamb christopher.lamb at ch.ibm.com
Mon Jun 29 09:26:01 UTC 2015


Hi all

I am fighting this exact problem too.

We had setup Jira, integrated to FreeIPA with the option "Internal
Directory with LDAP Authentication", using anonymous bind.

This integration path means that when a FreeIPA user attempts to logon to
Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to
the Jira user directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user
was replicated without email, which renders Jira as useful as a chocolate
teapot.

Alexander's reply prompted me to "go back to basics". So I fired up Apache
Directory Studio, and the command line to do some ldapsearches, to see what
was returned. This should then guide me how to configure the JIRA / FreeIPA
integration.


Query 1: Anonymous bind, filter is uid = bilbo

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)"
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=silly,dc=example,dc=com> with scope subtree
# filter: (uid=bilbo)
# requesting: ALL
#

# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
gidNumber: 1175800010
gecos: bilbo bagins
uidNumber: 1175800010
loginShell: /bin/sh
homeDirectory: /home/bilbo
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This returns 2 replies, inc one from the compat tree, as suggested by
Alexander. Note however, neither reply has the mail attribute!

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid =
bilbo (This is probably close to the Jira query, which includes
inetorgperson)

[root at xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=silly,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This now returns 1 record, from users, accounts, but still no mail
attribute.

//////////////////////////////////////////////////////////////////////////////////////////////////////////////

Ah! methinks - what about a search with user and password? Does this get
us something different?

Query 3: same as query 2, but no longer anonymous:

[root at xxx-ldap ~]# ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=inetorgperson)(uid=bilbo))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=silly,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
mail: lamb at ch.example.com
krbPrincipalName: bilbo at my.silly.example.COM
givenName: bilbo
sn: bagins
ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872
uidNumber: 1175800010
gidNumber: 1175800010
krbPasswordExpiration: 20150831183039Z
krbLastPwdChange: 20150602183039Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

That is much more like it: performing the query with an ldap user and
password gives me many more attributes, including the desired mail
attribute.

Next I will configure JIRA to bind to FreeIPA with a FreeIPA user
(non-anonymous bind), and report back ... (unless there is a way to configure
which attributes are available to anonymous binds ...)

Cheers

Chris



From:	Alexander Bokovoy <abokovoy at redhat.com>
To:	Markus.Moj at mc.ingenico.com
Cc:	freeipa-users at redhat.com
Date:	28.06.2015 15:26
Subject:	Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by:	freeipa-users-bounces at redhat.com



On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>
>
>I am new to freeIPA operating and am facing an issue with mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running but
>mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch mail attribute is available and set but is not useable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems?
This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your
basedn when
configuring Jira. If that's the case, then Jira gets results from both
cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is
enabled. In the compat tree you have RFC2307 schema which doesn't
include mail attribute and slapi-nis always answers first over LDAP
queries that apply to cn=compat,$SUFFIX so you are ending up with two
LDAP entries returned for each individual IPA user, one from the compat
tree without mail attribute, another one is the original entry from
cn=users,cn=accounts,$SUFFIX.

Jira most likely expects a single entry response and if it gets more, only
evaluates the first entry -- the one that is returned by the compat tree
and which doesn't have mail attribute.

You can solve this issue by bounding your query to cn=accounts,$SUFFIX
to only return primary IPA user/group entries.

--
/ Alexander Bokovoy
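The thread above shows two separate reasons a client ends up without a mail attribute: searching from $SUFFIX returns the compat entry first, and an anonymous bind does not expose mail at all. The script below is an added example (not code from this thread, from FreeIPA or from Jira) that parses ldapsearch LDIF output offline and reports both conditions for a given uid. The LDIF samples are constructed, trimmed from the outputs quoted above, with a made-up mail address; the "client uses the first entry returned" behaviour is the one Alexander describes for Jira, and `in_subtree` is the base-DN scoping he recommends (cn=accounts,$SUFFIX) applied to the already-returned entries.

```python
"""Audit ldapsearch output for the two failure modes in this thread:
duplicate entries from the compat tree and a missing mail attribute.
Standard library only; no live directory needed."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values

# Constructed samples, trimmed from the ldapsearch outputs quoted above.
SUFFIX = "dc=my,dc=silly,dc=example,dc=com"
ACCOUNTS_BASE = "cn=accounts," + SUFFIX

# Anonymous bind against $SUFFIX: compat entry first, no mail on either.
ANONYMOUS_LDIF = """\
# extended LDIF
# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: inetorgperson
uid: bilbo

# search result
search: 2
result: 0 Success
"""

# Authenticated bind: the accounts entry now exposes mail and memberOf
# (memberOf is folded over two lines, as LDIF allows). Mail address is made up.
AUTHENTICATED_LDIF = """\
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: inetorgperson
uid: bilbo
mail: bilbo@example.com
memberOf: cn=ipausers,cn=groups,
 cn=accounts,dc=my,dc=silly,dc=example,dc=com
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch-style LDIF: skip '#' comments, unfold continuation
    lines (leading space), decode 'attr:: <base64>' values and drop the
    trailing 'search:/result:' block, which carries no dn."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # sentinel blank line flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def norm_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs (escaped commas ignored)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it, on an RDN boundary."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def audit_lookup(entries: List[Entry], uid: str, base: str) -> dict:
    """Mimic a client that searches `base` for (uid=<uid>) and, as described
    for Jira above, uses only the first entry returned."""
    hits = [e for e in entries if in_subtree(e["dn"][0], base)
            and uid.lower() in (u.lower() for u in e.get("uid", []))]
    if not hits:
        return {"found": False, "ambiguous": False, "picked_dn": None,
                "from_compat": False, "has_mail": False}
    first = hits[0]
    return {
        "found": True,
        "ambiguous": len(hits) > 1,  # more than one entry: client silently picks one
        "picked_dn": first["dn"][0],
        "from_compat": "cn=compat" in norm_dn(first["dn"][0]).split(","),
        "has_mail": bool(first.get("mail")),
    }


if __name__ == "__main__":
    anon = parse_ldif(ANONYMOUS_LDIF)
    print("anonymous, base=$SUFFIX     :", audit_lookup(anon, "bilbo", SUFFIX))
    print("anonymous, base=cn=accounts :", audit_lookup(anon, "bilbo", ACCOUNTS_BASE))
    auth = parse_ldif(AUTHENTICATED_LDIF)
    print("authenticated, cn=accounts  :", audit_lookup(auth, "bilbo", ACCOUNTS_BASE))
```

Run it against real output by piping `ldapsearch ... -LLL` into a file and feeding that text to `parse_ldif`. The first audit shows `ambiguous` and `from_compat` set, the second shows that scoping the base DN removes the duplicate but not the missing mail, and the third shows that only the authenticated bind supplies it; in other words, both the base DN and the bind identity have to change for Jira to see the attribute.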
