I've been trying to get this to work for a few days now all to no avail...

I've been running "FreeIPA, version: 4.3.1" for a few months now to authenticate 
a number of VMs that I grew tired of managing permissions on an individual basis, 
and so far I have been very pleased.
Now I'm attempting to use the LDAP functionality to authenticate an external 
application against it.
I've been able to get basic auth to work well; however, I can't seem to get 
the group permissions to work at all.

From my FreeIPA server's "/var/log/dirsrv/slapd/access.log":

Without group permissions (working):

[31/Jul/2017:16:21:07 -0600] conn=6138 fd=121 slot=121 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:21:07 -0600] conn=6138 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 SRCH base="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 UNBIND
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 fd=121 closed - U1

Using group permissions (NOT working):

[31/Jul/2017:16:32:54 -0600] conn=6162 fd=126 slot=126 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:32:54 -0600] conn=6162 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" attr="member"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 etime=0
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 UNBIND
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 fd=126 closed - U1

In the second example above, the "op=2 RESULT err=50" indicates that 
"LDAP_INSUFFICIENT_ACCESS" is what is being returned, but when I run the 
following "ldapsearch" command:

ldapsearch -D "uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" -W uid=bl839s
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=coc,dc=ibm,dc=com> (default) with scope subtree
# filter: uid=bl839s
# requesting: ALL
#

# bl839s, users, accounts, coc.ibm.com
dn: uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com
krbLastSuccessfulAuth: 20170731223600Z
memberOf: cn=admins,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com
---SNIP---
memberOf: cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com
---SNIP---

I can see that I AM a "member" of the 
dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" group.
That being said, when I try to search for members of the group directly, I get 
a similar error:

root@ipa1:~# ldapsearch -D "cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" -W uid=bl839s
Enter LDAP Password:
ldap_bind: Inappropriate authentication (48)

I would appreciate any help I can get in understanding what I don't have 
configured properly.

Thanks in advance,
Brady
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
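One detail worth reading off the traces above is the bind identity in effect for each operation. On both connections op=1 is a simple bind with dn="" (an anonymous bind in 389-ds terms), and a successful bind replaces the connection's authorization identity, so the SRCH in the first trace and the CMP in the second are both issued anonymously rather than as uid=bl839s. The script below is an added example, not code from the post or from FreeIPA: it walks a 389-ds access log, pairs every request with its RESULT line, tracks the bind DN per connection, and reports which operations ran under which identity and which were refused. The embedded log lines are the ones quoted in the post with the mail-wrapped lines rejoined; the Op record and the audit_access_log/denied helpers are my own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the two connections quoted in the post (mail-wrapped lines rejoined).
SAMPLE_LOG = """\
[31/Jul/2017:16:21:07 -0600] conn=6138 fd=121 slot=121 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:21:07 -0600] conn=6138 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 SRCH base="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 UNBIND
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 fd=121 closed - U1
[31/Jul/2017:16:32:54 -0600] conn=6162 fd=126 slot=126 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:32:54 -0600] conn=6162 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" attr="member"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 etime=0
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 UNBIND
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 fd=126 closed - U1
"""

# Only lines that carry an operation type (BIND, SRCH, CMP, RESULT, UNBIND, ...) match;
# connection setup and "closed" lines are skipped.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<args>.*))?$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value optionally quoted

ANONYMOUS = ""   # 389-ds logs an anonymous simple bind as dn=""


@dataclass
class Op:
    conn: str
    op: int
    kind: str                   # BIND, SRCH, CMP, UNBIND, ...
    bound_as: str               # bind DN the connection had when this op was issued
    target: str = ""            # dn= or base= of the operation
    attr: str = ""              # attr= for CMP
    err: Optional[int] = None   # LDAP result code from the matching RESULT line


def parse_kv(args: Optional[str]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for key, val in KV_RE.findall(args or ""):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def audit_access_log(text: str) -> List[Op]:
    """Pair each request with its RESULT and record the identity it ran under."""
    bound: Dict[str, str] = {}                # conn -> current bind DN (absent = anonymous)
    pending: Dict[Tuple[str, int], Op] = {}   # (conn, op) -> request awaiting its RESULT
    ops: List[Op] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, opnum, kind = m["conn"], int(m["op"]), m["kind"]
        kv = parse_kv(m["args"])
        if kind == "RESULT":
            req = pending.pop((conn, opnum), None)
            if req is None:
                continue
            req.err = int(kv.get("err", "-1"))
            if req.kind == "BIND" and req.err == 0:
                bound[conn] = kv.get("dn", ANONYMOUS)   # identity changes only on a successful bind
            ops.append(req)
            continue
        op = Op(conn, opnum, kind, bound.get(conn, ANONYMOUS),
                kv.get("dn", kv.get("base", "")), kv.get("attr", ""))
        if kind == "UNBIND":                  # UNBIND has no RESULT line
            bound.pop(conn, None)
            ops.append(op)
        else:
            pending[(conn, opnum)] = op
    return ops


def denied(ops: List[Op]) -> List[Op]:
    """Operations that completed with a non-zero LDAP result code."""
    return [o for o in ops if o.err not in (None, 0)]


if __name__ == "__main__":
    for o in denied(audit_access_log(SAMPLE_LOG)):
        who = o.bound_as or "<anonymous>"
        print(f"conn={o.conn} op={o.op} {o.kind} {o.target} attr={o.attr} as {who} -> err={o.err}")
```

Run against a real /var/log/dirsrv/slapd-*/access log, the same pairing shows whether a refused CMP or SRCH was issued under the account you expected or under the anonymous identity left behind by an earlier rebind on the same connection.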
