Hi Ivars

Many thanks, that's just what I was looking for.

Sorry about the iPad, it should be ipa, but it seems I am a victim of autocorrect
🤣

Regards
Per 



Sent from my Commodore 64

> On 8 Aug 2017, at 18:07, Ivars Strazdiņš via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hi Per,
> could you define “working configuration” requirements and what’s iPad 
> specific?
> Anyway, below is my setup with CentOS Apache to authenticate against IPA via 
> LDAP using either username (uid) or e-mail. No Kerberos or GSSAPI used, just 
> “pure” LDAP.
> Please note, IPA group “shareusers” membership is required. IPA host is 
> im.example.com
> With kind regards,
> Ivars
> 
> File /etc/httpd/access/ldap.conf 
> 
> AuthName               "File service login"
> # AuthBasicProviders are defined in ../conf.d/00-ldap.conf
> AuthBasicProvider      ldap-uid ldap-mail
> AuthType               Basic
> 
> # Even if AuthLDAPURL is defined in AuthnProviderAlias in ../conf.d/00-ldap.conf and processed earlier
> # these directives are mandatory to authorize after authentication
> AuthLDAPURL            ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
> AuthLDAPInitialBindAsUser On
> AuthLDAPSearchAsUser    On
> AuthLDAPCompareAsUser   On
> 
> 
> File /etc/httpd/conf.d/00-ldap.conf
> 
> LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
> 
> # AuthnProviderAlias must be defined here, it cannot be in VirtualHost 
> # because ../access/ldap.conf is VirtualHost level
> 
> # ldap-mail is tried last (after ldap-uid)
> <AuthnProviderAlias ldap ldap-mail>
>         AuthLDAPURL            ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
>         # this one (last) must be authoritative
>         # AuthLDAPBindAuthoritative off
>         AuthLDAPInitialBindAsUser On
>         AuthLDAPSearchAsUser    On
>         AuthLDAPCompareAsUser   On
>         AuthLDAPInitialBindPattern (.+)\@(.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
> </AuthnProviderAlias>
> 
> # ldap-uid is tried first
> <AuthnProviderAlias ldap ldap-uid>
>         AuthLDAPURL             ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
>         # first one is NOT authoritative
>         AuthLDAPBindAuthoritative off
>         AuthLDAPInitialBindAsUser On
>         AuthLDAPSearchAsUser    On
>         AuthLDAPCompareAsUser   On
>         AuthLDAPInitialBindPattern (.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
> </AuthnProviderAlias>
> 
> 
>> On 2017. gada 8. aug., at 15:11, Per Qvindesland via FreeIPA-users 
>> <freeipa-users@lists.fedorahosted.org> wrote:
>> 
>> Hi All
>> 
>> Does anyone have any working mod_ldap configuration for CentOS 7 with Apache 
>> 2.4.6 with iPad to share?
>> 
>> Regards
>> Per
>> 
>> 
>> 
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

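An added example, not part of the original thread and not mod_authnz_ldap's own code: a small Python model of what the two provider aliases quoted above derive from a login name, which helps when reading the 389-ds access log during troubleshooting. It assumes that a non-matching AuthLDAPInitialBindPattern leaves the login name unchanged as the bind DN and that the search filter has the form (&(filter)(attribute=username)); the function names are hypothetical.

```python
import re

BASE = "cn=users,cn=accounts,dc=example,dc=com"
GROUP_FILTER = "(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)"

# (alias, search attribute, bind regex, substitution, authoritative),
# listed in AuthBasicProvider order: ldap-uid first, ldap-mail last.
PROVIDERS = [
    ("ldap-uid", "uid", r"(.+)", r"uid=\1," + BASE, False),
    ("ldap-mail", "mail", r"(.+)\@(.+)", r"uid=\1," + BASE, True),
]


def escape_filter_value(value):
    """RFC 4515 style escaping; the module applies its own escaping."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def plan(username):
    """Return, per provider, the bind DN and search filter for a login name."""
    steps = []
    for alias, attr, regex, subst, authoritative in PROVIDERS:
        match = re.search(regex, username)
        # Assumption: no match means the login name is used as the bind DN.
        bind_dn = match.expand(subst) if match else username
        search = "(&%s(%s=%s))" % (GROUP_FILTER, attr,
                                   escape_filter_value(username))
        steps.append({"alias": alias, "bind_dn": bind_dn,
                      "filter": search, "authoritative": authoritative})
    return steps


if __name__ == "__main__":
    # Constructed sample logins: a uid, the matching e-mail, a foreign e-mail.
    for login in ("alice", "alice@example.com", "alice@other.example"):
        print(login)
        for step in plan(login):
            print("  %(alias)-9s bind as %(bind_dn)s" % step)
            print("  %9s search %s" % ("", step["filter"]))
```

For an e-mail login the first alias binds as uid=alice@example.com,..., which fails, and the request falls through to ldap-mail because ldap-uid is not authoritative. An address with the right local part but the wrong domain still binds as uid=alice, and is rejected only because the mail search returns no entry.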