Okay, thank you Alex,
I will give it a shot.
On Thu, Feb 22, 2018 at 5:07 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 22 Feb 2018, Maciej Drobniuch via FreeIPA-users wrote:
>> So, it looks like tokens are working on LDAP too.
>> Is there any way to disable 2FA on LDAP?
> 2FA policy applies to both Kerberos and LDAP authentication. If you
> enable password-only logon in addition to 2FA, users will be able to use
> both password-only and 2FA-enhanced logons.
> There is no way to differ in that policy between Kerberos and LDAP auth.
> I suggest you connect GitLab via OpenID Connect -- using either
> Ipsilon or Keycloak Identity Providers. Both have integration with
> FreeIPA and will supply required details to OmniAuth connector (use
> https://github.com/m0n9oose/omniauth_openid_connect). In both cases SSSD
> would be used to perform actual authentication and data retrieval behind
> the scenes, so HBAC rules can be used to control who can login and both
> Kerberos and direct password/2FA would be accepted.
>> On Thu, Feb 22, 2018 at 3:52 PM, Maciej Drobniuch <m...@collective-sense.com> wrote:
>>> Hey All,
>>> I want to authenticate with an external app to ldap ipa.
>>> So I've created a user for the bind:
>>> dn: uid=sysaccount,cn=sysaccounts,cn=etc,dc=example,dc=com
>>> changetype: add
>>> objectclass: account
>>> objectclass: simplesecurityobject
>>> uid: system
>>> userPassword: somepass123
>>> passwordExpirationTime: 20380119031407Z
>>> nsIdleTimeout: 0
>>> The external app runs the LDAP check successfully and can see the users
>>> that belong to the group that's allowed to login.
>>> I can not login with the default "admin" account but I can not login with
>>> any other account that's in the dn into the app.
>>> Response is: "Invalid credentials"
>>> base: 'cn=users,cn=accounts,dc=example,dc=com'
>>> user_filter: '(memberOf=cn=gitlab-users,cn=
>>> Any ideas?
>>> Thank You!
>>> Best regards
>>> Maciej Drobniuch
>>> Network Security Engineer
>> Best regards
>> Maciej Drobniuch
>> Network Security Engineer
>> FreeIPA-users mailing list -- firstname.lastname@example.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
> / Alexander Bokovoy
Network Security Engineer
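
Added example, not part of the original thread and not taken from the FreeIPA or GitLab projects: a GitLab OmniAuth provider entry for the OpenID Connect route suggested in the reply, so that GitLab redirects logins to the identity provider instead of performing an LDAP bind itself. The example.com hosts, the label and every value in <...> are placeholders, and the choice of preferred_username as the uid field is an assumption.

```yaml
# config/gitlab.yml (source install). Omnibus installs take the same
# settings in /etc/gitlab/gitlab.rb.
# Hosts, label and <...> values are placeholders, not values from the thread.
production:
  omniauth:
    enabled: true
    # Allow accounts to be created on first login through this provider.
    allow_single_sign_on: ['openid_connect']
    # Keep newly created accounts blocked until an administrator approves them.
    block_auto_created_users: true
    providers:
      - name: 'openid_connect'
        label: 'FreeIPA SSO'
        args:
          name: 'openid_connect'
          scope: ['openid', 'profile', 'email']
          response_type: 'code'
          # Must equal the "issuer" value published in the identity
          # provider's /.well-known/openid-configuration document.
          issuer: 'https://idp.example.com/<issuer-path>'
          # Fetch the endpoints and signing keys from that document.
          discovery: true
          # Claim used as the stable user identifier (assumption).
          uid_field: 'preferred_username'
          client_options:
            identifier: '<client-id registered at the IdP>'
            secret: '<client-secret>'
            redirect_uri: 'https://gitlab.example.com/users/auth/openid_connect/callback'
```

The redirect_uri has to be registered for the client on the Ipsilon or Keycloak side, and the client secret should be readable only by the GitLab service account.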