I've been trying to get this to work for a few days now all to no avail...

I've been running "FreeIPA, version: 4.3.1" for a few months now to
authenticate a number of VMs that I grew tired of managing permissions on an
individual basis and so far have been very pleased.
Now, I'm attempting to use the LDAP functionality to authenticate an
external application against it.
I've been able to get the basic auth to work well, however, I can't seem to
get the group permissions to work at all.

From my FreeIPA server's "/var/log/dirsrv/slapd/access.log":

Without group permissions (working):

[31/Jul/2017:16:21:07 -0600] conn=6138 fd=121 slot=121 SSL connection from to
[31/Jul/2017:16:21:07 -0600] conn=6138 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 SRCH base="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 RESULT err=0 tag=101 nentries=1
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 UNBIND
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 fd=121 closed - U1

Using group permissions (NOT working):

[31/Jul/2017:16:32:54 -0600] conn=6162 fd=126 slot=126 SSL connection from to
[31/Jul/2017:16:32:54 -0600] conn=6162 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 etime=0
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 UNBIND
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 fd=126 closed - U1

In the 2nd example above, the "op=2 RESULT err=50" indicates that
"LDAP_INSUFFICIENT_ACCESS" is what is being returned, but when I do the
following "ldapsearch" command:

ldapsearch -D "uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" -W
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <dc=coc,dc=ibm,dc=com> (default) with scope subtree
# filter: uid=bl839s
# requesting: ALL

# bl839s, users, accounts, coc.ibm.com
dn: uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com
krbLastSuccessfulAuth: 20170731223600Z
memberOf: cn=admins,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com
memberOf: cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com

I can see that I AM a "member" of the
dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" group.
That being said, when I try to search for members of the group directly, I
get a similar access error:

root@ipa1:~# ldapsearch -D "cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" -W uid=bl839s
Enter LDAP Password:
ldap_bind: Inappropriate authentication (48)

I would appreciate any help I can get in understanding what I don't have
configured properly.

Thanks in advance,
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
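The failing excerpt above shows the CMP being issued only after the application rebinds as dn="" (op=1), so the access check on op=2 is evaluated for the anonymous identity rather than for bl839s. As an added example (not from the post or from FreeIPA), the script below replays a 389-ds access log connection by connection, tracks which DN each connection is bound as, and reports every err=50 operation together with the identity it ran under; the sample log is the post's failing connection with the wrapped lines rejoined and the TLS line dropped.

```python
import re

# Constructed sample: the post's failing connection (conn=6162), wrapped lines rejoined.
SAMPLE_LOG = """\
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 etime=0
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 UNBIND
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 fd=126 closed - U1
"""
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

def find_denied_ops(log_text, err_code=50):
    """Return (conn, op, optype, bound_dn) per op ending in err_code; '' = anonymous, None = never bound."""
    bound = {}    # conn -> DN of the last successful BIND on that connection
    pending = {}  # (conn, op) -> (optype, bound_dn at the time the op was issued)
    denied = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without op= (connection setup, TLS) carry no operation
        conn, op, rest = m.group('conn'), int(m.group('op')), m.group('rest')
        optype = rest.split()[0]
        if not optype.isalpha():
            continue  # e.g. "fd=126 closed - U1" is a close notice, not an operation
        if optype != 'RESULT':
            pending[(conn, op)] = (optype, bound.get(conn))
            continue
        err = int(ERR_RE.search(rest).group('err'))
        issued_type, dn_at_issue = pending.pop((conn, op), ('?', bound.get(conn)))
        if issued_type == 'BIND' and err == 0:
            # A successful BIND, dn="" included, replaces the connection's identity.
            bound[conn] = DN_RE.search(rest).group('dn')
        if err == err_code:
            denied.append((conn, op, issued_type, dn_at_issue))
    return denied

def describe(denied):
    """One readable line per denied op, naming the identity that was refused."""
    return ['conn=%s op=%d %s refused while bound as %s'
            % (c, o, t, 'ANONYMOUS' if dn == '' else (dn or 'nobody'))
            for c, o, t, dn in denied]

print('\n'.join(describe(find_denied_ops(SAMPLE_LOG))))
```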
