Okay, Thank you Alex, I will give it a shot.
Best
Maciej

On Thu, Feb 22, 2018 at 5:07 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Thu, 22 Feb 2018, Maciej Drobniuch via FreeIPA-users wrote:
>
>> So, it looks like tokens are working on LDAP too.
>>
>> Is there any way to disable 2FA on LDAP?
>>
> 2FA policy applies to both Kerberos and LDAP authentication. If you
> enable password-only logon in addition to 2FA, users will be able to use
> both password-only and 2FA-enhanced logons.
>
> There is no way to differ in that policy between Kerberos and LDAP auth.
>
> I suggest you connect gitlab via OpenID Connect -- using either
> Ipsilon or Keycloak Identity Providers. Both have integration with
> FreeIPA and will supply required details to OmniAuth connector (use
> https://github.com/m0n9oose/omniauth_openid_connect). In both cases SSSD
> would be used to perform actual authentication and data retrieval behind
> the scenes, so HBAC rules can be used to control who can login and both
> Kerberos and direct password/2FA would be accepted.
>
>
>> On Thu, Feb 22, 2018 at 3:52 PM, Maciej Drobniuch <m...@collective-sense.com> wrote:
>>
>>> Hey All,
>>>
>>> I want to authenticate with an external app to ldap ipa.
>>>
>>> So I've created a user for the bind:
>>> dn: uid=sysaccount,cn=sysaccounts,cn=etc,dc=example,dc=com
>>> changetype: add
>>> objectclass: account
>>> objectclass: simplesecurityobject
>>> uid: system
>>> userPassword: somepass123
>>> passwordExpirationTime: 20380119031407Z
>>> nsIdleTimeout: 0
>>>
>>> The external app runs the LDAP check successfully and can see the users
>>> that belong to the group that's allowed to login.
>>>
>>> Problem:
>>> I can not login with the default "admin" account but I can not login with
>>> any other account that's in the dn into the app.
>>> Response is: "Invalid credentials"
>>>
>>> base: 'cn=users,cn=accounts,dc=example,dc=com'
>>> user_filter: '(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=example,dc=com)'
>>>
>>> Any ideas?
>>>
>>> Thank You!
>>>
>>> --
>>> Best regards
>>>
>>> Maciej Drobniuch
>>> Network Security Engineer
>>> Collective-Sense,LLC
>>>
>>
>> --
>> Best regards
>>
>> Maciej Drobniuch
>> Network Security Engineer
>> Collective-Sense,LLC
>>
>
> --
> / Alexander Bokovoy
>

--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org