Hi,

> you should use the cn=compat DNs as search bases
>
>     "groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
>     "userbasedn": "cn=users,cn=compat,dc=example,dc=com",
>
> > "searchattribute": "uid",
> > "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",
>
> and here only
>
>     "searchstring": "USER-NAME",
>
> should be sufficient if you use the fully-qualified name of the AD user when
> logging in.

Thank you for this. Unfortunately, I think I'm still missing something, as it doesn't appear to me that any LDAP (389/tcp) traffic is leaving IdM and going to Active Directory when an LDAP request comes in from Mediawiki with Active Directory credentials.

With the below configuration, if I run tcpdump watching port 389 on the idm.example.com node below, I only see traffic coming to and from the IdM server. I don't see any traffic to or from the IdM server to Active Directory.

Furthermore, in /var/log/dirsrv/slapd-EXAMPLE-COM/access.log, I see:

[17/Jan/2020:15:07:21.554948001 -0500] conn=3015 fd=137 slot=137 connection from 192.168.239.30 to 172.30.50.2
[17/Jan/2020:15:07:21.555400106 -0500] conn=3015 op=0 BIND dn="EXAMPLE\svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com" authzid="(null)", invalid bind dn
[17/Jan/2020:15:07:21.555446320 -0500] conn=3015 op=0 RESULT err=34 tag=97 nentries=0 etime=0.0000431413

I see similar log entries based on the user syntax below (i.e. EXAMPLE\svc_wiki, [email protected], etc.).

My Mediawiki config is currently as follows. I've added the comments below for your information; the comments are not actually a part of the file:

"server": "idm.example.com",  # A single IdM node
"user": "cn=svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com",  # svc_wiki is a service account in AD. I have also tried setting cn=EXAMPLE\svc_wiki, as well as [email protected]
"pass": "REDACTED",
"port":"389",
"enctype":"clear",
"basedn": "dc=example,dc=com",
"groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
"userbasedn": "cn=users,cn=compat,dc=example,dc=com",
"searchattribute": "sAMAccountName",  # I have also tried uid
"searchstring": "USER-NAME",  # I have also tried EXAMPLE\\USER-NAME
"usernameattribute": "sAMAccountName",  # I have also tried uid
"realnameattribute": "cn",
"emailattribute": "mail"

-----
David White
Engineer II, Fiber Systems Engineering

From: Sumit Bose <[email protected]>
Date: Tuesday, January 14, 2020 at 11:18 AM
To: FreeIPA users list <[email protected]>
Cc: "White, David" <[email protected]>
Subject: Re: [Freeipa-users] Re: Proxy LDAP queries to Active Directory

On Tue, Jan 14, 2020 at 03:57:09PM +0000, White, David via FreeIPA-users wrote:
> Hello,
> Thanks for your response on this.
>
> > you can bind as AD user with the DN of the AD user object from the compat
> > tree
>
> To confirm, are you suggesting that I simply create the service account
> inside of Active Directory, but still have Mediawiki talk to the IdM server?
>
> Mediawiki takes a json file.
> The following works perfectly fine when I use an IdM service account. In the
> below config, `idm.example.com` is a specific node in the IdM cluster.
>
> {
>   "LDAP": {
>     "connection": {
>       "server": "idm.example.com",
>       "user": "uid=admin,cn=users,cn=compat,dc=example,dc=com",
>       "pass": "REDACTED",
>       "port":"389",
>       "enctype":"clear",
>       "basedn": "dc=example,dc=com",
>       "groupbasedn": "dc=example,dc=com",
>       "userbasedn": "dc=example,dc=com",

Hi,

you should use the cn=compat DNs as search bases

      "groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
      "userbasedn": "cn=users,cn=compat,dc=example,dc=com",

>       "searchattribute": "uid",
>       "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",

and here only

      "searchstring": "USER-NAME",

should be sufficient if you use the fully-qualified name of the AD user when
logging in.

HTH

bye,
Sumit

>       "usernameattribute": "uid",
>       "realnameattribute": "cn",
>       "emailattribute": "mail"
>     }
>   }
> }
>
> When I update this config to talk to AD, I use the same server address, but I
> change the values as appropriate to match AD's requirements for
> searchattribute, searchstring, usernameattribute, etc....
>
> I'm still unable to get this to work, but I'm also still troubleshooting, and
> not giving up.
> As I continue to troubleshoot, I wanted to respond to this and make sure I'm
> clear on what you're suggesting.
>
> Thanks again,
> David
>
> From: Sumit Bose via FreeIPA-users <[email protected]>
> Reply-To: FreeIPA users list <[email protected]>
> Date: Monday, January 6, 2020 at 12:10 PM
> To: "[email protected]" <[email protected]>
> Cc: Sumit Bose <[email protected]>
> Subject: [Freeipa-users] Re: Proxy LDAP queries to Active Directory
>
> On Mon, Jan 06, 2020 at 05:01:05PM +0000, White, David via FreeIPA-users wrote:
> > Is there a way to proxy client LDAP requests to the upstream Active
> > Directory that FreeIPA is configured to trust?
> >
> > I have AD, where users live.
> > I have FreeIPA / RedHat IdM.
> > And I have servers that are registered to FreeIPA.
> >
> > But I also have applications (such as Mediawiki, or Red Hat Satellite to
> > name a few) that support LDAP authentication.
> > I want to be able to use my AD credentials to login to Mediawiki or
> > Satellite, but have the application bind to FreeIPA, instead of binding it
> > to AD.
> >
> > Is this possible?
>
> Hi,
>
> you can bind as AD user with the DN of the AD user object from the
> compat tree, see e.g.
> https://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts for
> details.
>
> HTH
>
> bye,
> Sumit
>
> > I currently:
> > Have successfully bound Mediawiki to FreeIPA, and I can login to Mediawiki
> > using an account that is built locally instead of FreeIPA, but I cannot
> > login to Mediawiki using my AD credentials.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
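An added example, not code from the thread, FreeIPA or MediaWiki, covering the two points the exchange turns on: the access log's err=34 is the LDAP invalidDNSyntax result, which 389-ds returns because the configured bind identity is not a DN at all, before any lookup (and so before any traffic toward AD) can happen; and the bind DN for an AD user is the compat-tree DN built from the fully-qualified login. It checks a candidate bind value for DN shape, builds the compat DN, and pairs BIND/RESULT lines from the access.log excerpt above. The realm ad.example.test is a placeholder and the DN check is a deliberately minimal RFC 4514 shape test, not a full parser.

```python
import re

LDAP_INVALID_DN_SYNTAX = 34  # RFC 4511 result code behind "err=34" in the 389-ds access log

# Minimal RFC 4514 shape check, not a full parser: every RDN (split on
# unescaped commas) must look like attr=value. A leading "DOMAIN\user"
# component fails this, which is what 389-ds rejects up front as err=34.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def is_dn(candidate: str) -> bool:
    rdns = [p.strip() for p in re.split(r"(?<!\\),", candidate)]
    return all(_RDN.match(p) for p in rdns)

# Bind DN of an AD user via the IdM compat tree, the form the thread
# recommends. The login must be the fully-qualified user@AD.DOMAIN name.
COMPAT_USERS = "cn=users,cn=compat,dc=example,dc=com"

def compat_user_dn(login: str, base: str = COMPAT_USERS) -> str:
    if "@" not in login or "\\" in login:
        raise ValueError("use the fully-qualified user@AD.DOMAIN form, not DOMAIN\\user")
    return f"uid={login},{base}"

# Lines copied from the access.log excerpt quoted in the thread.
ACCESS_LOG = r"""
[17/Jan/2020:15:07:21.554948001 -0500] conn=3015 fd=137 slot=137 connection from 192.168.239.30 to 172.30.50.2
[17/Jan/2020:15:07:21.555400106 -0500] conn=3015 op=0 BIND dn="EXAMPLE\svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com" authzid="(null)", invalid bind dn
[17/Jan/2020:15:07:21.555446320 -0500] conn=3015 op=0 RESULT err=34 tag=97 nentries=0 etime=0.0000431413
"""

_OP = re.compile(r'conn=(\d+) op=(\d+) (?:BIND dn="([^"]*)"|RESULT err=(\d+))')

def failed_binds(log_text: str) -> list[tuple[str, int]]:
    """Pair BIND and RESULT by (conn, op); return (dn, err) for each bind that
    failed with invalidDNSyntax. The server rejected the DN itself, so no
    lookup (and no trip to AD) ever happened for that operation."""
    pending: dict[tuple[str, str], str] = {}
    found: list[tuple[str, int]] = []
    for line in log_text.splitlines():
        m = _OP.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if m.group(3) is not None:          # BIND request: remember its DN
            pending[key] = m.group(3)
        elif key in pending:                # RESULT for an earlier BIND
            err = int(m.group(4))
            if err == LDAP_INVALID_DN_SYNTAX:
                found.append((pending.pop(key), err))
    return found
```

Note that the thread's later attempt, cn=svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com, passes is_dn because it is well-formed; it is still an AD DN that does not exist in the IdM tree, so the bind identity for an AD account has to be the compat-tree DN that compat_user_dn produces.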
