On Tue, Jan 14, 2020 at 03:57:09PM +0000, White, David via FreeIPA-users wrote:
> Hello,
> Thanks for your response on this.
>
> > you can bind as AD user with the DN of the AD user object from the compat
> > tree
>
> To confirm, are you suggesting that I simply create the service account
> inside of Active Directory, but still have Mediawiki talk to the IdM server?
>
> Mediawiki takes a json file.
> The following works perfectly fine when I use an IdM service account. In the
> below config, `idm.example.com` is a specific node in the IdM cluster.
>
> {
> "LDAP": {
> "connection": {
> "server": "idm.example.com",
> "user": "uid=admin,cn=users,cn=compat,dc=example,dc=com",
> "pass": "REDACTED",
> "port":"389",
> "enctype":"clear",
> "basedn": "dc=example,dc=com",
> "groupbasedn": "dc=example,dc=com",
> "userbasedn": "dc=example,dc=com",
Hi,
you should use the cn=compat DNs as search bases
"groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
"userbasedn": "cn=users,cn=compat,dc=example,dc=com",
> "searchattribute": "uid",
> "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",
and here only
"searchstring": "USER-NAME",
should be sufficient if you use the fully-qualified name of the AD user
when logging in.
HTH
bye,
Sumit
> "usernameattribute": "uid",
> "realnameattribute": "cn",
> "emailattribute": "mail"
> }
> }
> }
>
> When I update this config to talk to AD, I use the same server address, but I
> change the values as appropriate to match AD's requirements for
> searchattribute, searchstring, usernameattribute, etc....
>
> I'm still unable to get this to work, but I'm also still troubleshooting, and
> not giving up.
> As I continue to troubleshoot, I wanted to respond to this and make sure I'm
> clear on what you're suggesting.
>
> Thanks again,
> David
>
> From: Sumit Bose via FreeIPA-users <[email protected]>
> Reply-To: FreeIPA users list <[email protected]>
> Date: Monday, January 6, 2020 at 12:10 PM
> To: "[email protected]"
> <[email protected]>
> Cc: Sumit Bose <[email protected]>
> Subject: [Freeipa-users] Re: Proxy LDAP queries to Active Directory
>
> On Mon, Jan 06, 2020 at 05:01:05PM +0000, White, David via FreeIPA-users
> wrote:
> > Is there a way to proxy client LDAP requests to the upstream Active
> > Directory that FreeIPA is configured to trust?
> >
> > I have AD, where users live.
> > I have FreeIPA / RedHat IdM.
> > And I have servers that are registered to FreeIPA.
> >
> > But I also have applications (such as Mediawiki, or Red Hat Satellite to
> > name a few) that support LDAP authentication.
> > I want to be able to use my AD credentials to login to Mediawiki or
> > Satellite, but have the application bind to FreeIPA, instead of binding it
> > to AD.
> >
> > Is this possible?
>
> Hi,
>
> you can bind as AD user with the DN of the AD user object from the
> compat tree, see e.g.
> https://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts for
> details.
>
> HTH
>
> bye,
> Sumit
>
> >
> > I currently:
> > Have successfully bound Mediawiki to FreeIPA, and I can login to Mediawiki
> > using an account that is built locally instead of FreeIPA, but I cannot
> > login to Mediawiki using my AD credentials.
> >
>
>
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/[email protected]