We set roleContextDN to cn=nnmi-access

And it still barfs, but I found stuff in the access log file: (redacted a bit)

[06/Dec/2019:12:49:18.055641820 +0000] conn=2805 fd=110 slot=110 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +0000] conn=2805 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.056068589 +0000] conn=2805 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000264910 dn=""
[06/Dec/2019:12:49:18.060407586 +0000] conn=2805 op=1 SRCH base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +0000] conn=2805 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000453635
[06/Dec/2019:12:49:18.061436537 +0000] conn=2806 fd=125 slot=125 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.061707766 +0000] conn=2806 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.061784637 +0000] conn=2806 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000187246 dn=""
[06/Dec/2019:12:49:18.066780892 +0000] conn=2806 op=1 SRCH base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2 filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.067161659 +0000] conn=2806 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000428881
[06/Dec/2019:12:49:18.067812476 +0000] conn=2807 fd=128 slot=128 connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +0000] conn=2807 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.068165707 +0000] conn=2807 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000161713 dn=""
[06/Dec/2019:12:49:18.071528890 +0000] conn=2807 op=1 SRCH base="cn=nnmi_access" scope=2 filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +0000] conn=2807 op=1 RESULT err=32 tag=101 nentries=0 etime=0.0000074662
[06/Dec/2019:12:49:18.072926385 +0000] conn=2807 op=2 SRCH base="cn=nnmi_access" scope=2 filter="(groupmember=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.072953042 +0000] conn=2807 op=2 RESULT err=32 tag=101 nentries=0 etime=0.0000067911
[06/Dec/2019:12:49:18.074036480 +0000] conn=2807 op=3 UNBIND
[06/Dec/2019:12:49:18.074048223 +0000] conn=2807 op=3 fd=128 closed - U1

This is what popped up in the access log when this command was run on the NNMi
server:

       nnmldap.ovpl -diagnose USER

The output from the command is:

=========================================================
=     Configuration
=========================================================
Diagnosing LDAP connectivity for user USER
Using LDAP configuration file <path to nms-auth-config.xml>

=========================================================
=     Found User Distinguished Name: 
"uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
=========================================================

!!!!!!!!!!!!!!!!!!!!!!!! NOTE !!!!!!!!!!!!!!!!!!!!!!!
!  No LDAP groups found for this User Distinguished Name.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


!!!!!!!!!!!!!!!!!!!!!!!! NOTE !!!!!!!!!!!!!!!!!!!!!!!
!  LDAP Appears to be Misconfigured. See above for more information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Also, in nms-auth-config.xml,
<users>
Container element to include all user configuration details.
  <userSearch>
Container element to include the configuration information for searching users.
   <base>
   </base>
For example:
<base> SAMAccountName={0} </base>.
<base> uid={0} </base>
<baseContextDN>

</baseContextDN>
For Active Directory, specify the portion of the directory service domain that 
stores user records. For example:
For Active Directory
CN=user,OU=Users,OU=Accounts,DC=mycompany,DC=com
For other LDAP technologies
ou=People,o=example.com
  </userSearch>
</users>

base is set to "uid=(0)"
and baseContextDN is set to 
"cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"

A simple ldapsearch for "uid=USER" returns a boatload of info with many 
"memberOf" lines including

memberOf: 
cn=nnmi_access,cn=groups,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG

Does this shed any light on the dilemma ?
______________________________________________________________________________________________

Daniel E. White
daniel.e.wh...@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Rob Crittenden <rcrit...@redhat.com>
Date: Thursday, December 5, 2019 at 14:31
To: Daniel White <daniel.e.wh...@nasa.gov>, FreeIPA users list 
<freeipa-users@lists.fedorahosted.org>
Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and 
MicroFocus Network Automation ?

White, Daniel E. (GSFC-770.0)[NICS] wrote:
Thanks, Rob.

I will give it a try.

I made a posix group to use for application access - call it "nnmi_access"

I can ldapsearch using

(&(objectclass=groupofnames)(cn=nnmi_access)) member

and get back the members of the group like this:
member:  uid=foobar,cn=users,cn=accounts,dc=…

So then the roleBase is "member". but what should the roleContextDN be ?
Maybe   cn-nnmi-access,cn=groups,…,dc=…   ?

That's the way I read their docs as well. I guess it won't hurt trying.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
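As an added example (not part of the thread, and not NNMi's or FreeIPA's own tooling): a small Python script that pairs SRCH and RESULT lines from a 389-ds/IdM access log like the one in the post, and flags searches that came back err=32 (LDAP noSuchObject) against a base that is not a full DN, which is exactly the signature of an unqualified roleContextDN. The log lines embedded in the script are a constructed excerpt modelled on the redacted output above; "USER", the server names and the group name are placeholders.

```python
"""Pair SRCH/RESULT lines from a 389-ds access log and flag group lookups
whose search base is not a full DN.  Added example, not from the thread."""
import re

LDAP_NO_SUCH_OBJECT = 32  # err=32 in the access log means noSuchObject

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=\d+ nentries=(?P<n>\d+)'
)

# Constructed sample modelled on the post's redacted log (placeholders throughout).
SAMPLE_LOG = """\
[06/Dec/2019:12:49:18.068098286 +0000] conn=2807 op=0 BIND dn="" method=128 version=3
[06/Dec/2019:12:49:18.068165707 +0000] conn=2807 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000161713 dn=""
[06/Dec/2019:12:49:18.071528890 +0000] conn=2807 op=1 SRCH base="cn=nnmi_access" scope=2 filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +0000] conn=2807 op=1 RESULT err=32 tag=101 nentries=0 etime=0.0000074662
[06/Dec/2019:12:49:18.072926385 +0000] conn=2807 op=2 SRCH base="cn=nnmi_access" scope=2 filter="(groupmember=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)" attrs="1.1"
[06/Dec/2019:12:49:18.072953042 +0000] conn=2807 op=2 RESULT err=32 tag=101 nentries=0 etime=0.0000067911
[06/Dec/2019:12:49:18.074036480 +0000] conn=2807 op=3 UNBIND
"""


def parse_ops(text):
    """Return one dict per SRCH, with its RESULT (err, nentries) and the
    DN the connection bound as merged in.  Ops are keyed by (conn, op)."""
    binds, searches = {}, {}
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[m['conn']] = m['dn']  # "" == anonymous simple bind
            continue
        m = SRCH_RE.search(line)
        if m:
            searches[(m['conn'], m['op'])] = {
                'conn': m['conn'], 'op': m['op'], 'base': m['base'],
                'scope': int(m['scope']), 'filter': m['filter'],
                'bind_dn': binds.get(m['conn'], ''),
            }
            continue
        m = RESULT_RE.search(line)
        if m and (m['conn'], m['op']) in searches:
            searches[(m['conn'], m['op'])]['err'] = int(m['err'])
            searches[(m['conn'], m['op'])]['nentries'] = int(m['n'])
    return list(searches.values())


def is_full_dn(base):
    """A search base in a FreeIPA tree must carry the domain suffix (dc=...).
    A bare RDN such as "cn=nnmi_access" will never resolve."""
    rdn_types = [r.strip().split('=', 1)[0].lower() for r in base.split(',')]
    return 'dc' in rdn_types


def diagnose(text):
    """Return (conn, op, base, reason) for every search that hit err=32."""
    findings = []
    for s in parse_ops(text):
        if s.get('err') != LDAP_NO_SUCH_OBJECT:
            continue
        if not is_full_dn(s['base']):
            reason = ('base %r is not a full DN (no dc= suffix): '
                      'the client sent an unqualified roleContextDN' % s['base'])
        else:
            reason = 'base %r does not exist on the server' % s['base']
        findings.append((s['conn'], s['op'], s['base'], reason))
    return findings


if __name__ == '__main__':
    for conn, op, base, reason in diagnose(SAMPLE_LOG):
        print('conn=%s op=%s base=%r: %s' % (conn, op, base, reason))
```

The access log records the base exactly as the client sent it, so running this over the IdM server's access log is a quick way to confirm what roleContextDN the application is really using, independent of what nms-auth-config.xml appears to say. The script also keeps the bind DN per connection; in the sample every search runs under an anonymous bind (dn=""), which is worth knowing when the same searches start failing with err=50 (insufficient access) after the base is fixed.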