On Wed, 13 Nov 2024, Kapetanakis Giannis via FreeIPA-users wrote:
> Hi,
>
> We're looking into migrating our current LDAP setup (389) to a FreeIPA setup.
>
> Reading documentation and searching online cannot answer the following question.
>
> Is FreeIPA able to authenticate normal LDAP clients without any
> Kerberos, GSSAPI involved on the client side?

Yes. It is a normal LDAP server in that sense, that's why there is no
particular additional documentation about it.

> Most of my LDAP clients support only LDAP authentication over SSL/TLS.

> Will FreeIPA's LDAP server delegate authentication to Kerberos on
> behalf of the client or does it need the userPassword attribute stored
> in its LDAP server?

For user account objects we sync userPassword attribute with Kerberos
keys. This means if you change password over LDAP or over Kerberos, the
end result is that user account can be authenticated either way using
the same password.

LDAP authentication for a user account only looks at the userPassword
attribute for an LDAP SIMPLE bind. You need to perform it over a secured
connection, though, e.g. LDAP+StartTLS or LDAPS.

> Which SASL Mechanism is being used in this case?

You don't need to use SASL for this, it is normal LDAP simple bind over
secure connection.

E.g.

# ldapwhoami -H ldap://`hostname -f` -ZZ -W -D uid=admin,cn=users,cn=accounts,dc=ipa1,dc=test
Enter LDAP Password:
dn: uid=admin,cn=users,cn=accounts,dc=ipa1,dc=test

# tail -1 /var/log/dirsrv/slapd-IPA1-TEST/security
{ "date": "[13\/Nov\/2024:13:45:30.373894622 +0000] ", "utc_time": "1731505530.373894622", "event": "BIND_SUCCESS", "dn": "uid=admin,cn=users,cn=accounts,dc=ipa1,dc=test", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.X.X.X", "server_ip": "10.X.X.X", "ldap_version": 3, "conn_id": 123, "op_id": 2, "msg": "" }

You can obviously use SASL methods if they apply to the user object in
question. E.g. SASL GSSAPI or SASL SPNEGO can be used with Kerberos
mechanism. Or SASL EXTERNAL can be used for TLS client authentication
with a client certificate, if configured. SASL PLAIN and LOGIN are
available as well.

> If the userPassword is needed how does it stay in sync with the user's
> kerberos credentials?  Is the sync both ways (LDAP-Kerberos)?

Yes for both.

> Is there documentation about these specific tasks?

You can use 389-ds documentation (e.g. Red Hat Directory Server docs)
if your LDAP clients are not aware of FreeIPA specifics.

I gave a talk in 2017 about all our specific plugins:
https://talks.vda.li/talks/2017/freeIPA/tour-of-ipa-389-ds-plugins/#/

Again, if you are not integrating with FreeIPA deeply, all you need to
know are the following details:

 - LDAP DIT structure
 - which authentication mechanisms you can use

That's basically it. For the LDAP DIT structure you just need to remember
that IPA uses flat subtrees, one per object type, and the list of
subtrees can be obtained from the IPA command line:

# kinit admin
Password for [email protected]:
# ipa env |grep container_
...

These are subtrees under the base DN, e.g. dc=ipa1,dc=test.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
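As an added example that is not part of the original thread and is not FreeIPA or 389-ds code, the script below ties the two practical points above together: it derives the container DNs from `ipa env` output in the `name: value` shape that command prints (the sample lines, including `basedn`, are constructed), and it triages SIMPLE bind events from the 389-ds security log whose line format is shown above. It assumes that `BIND_FAILED` is the failed counterpart of the `BIND_SUCCESS` event shown; the log lines are constructed, with the client IPs and the non-admin DNs invented, and `spray_threshold` is a name chosen here. It reports a client IP that fails SIMPLE binds against several distinct DNs (password spraying against the simple-bind endpoint that is exposed once LDAP clients authenticate this way), any successful SIMPLE bind as the root DN, and a per-container count of successful SIMPLE binds.

```python
"""Triage SIMPLE bind events in a FreeIPA 389-ds security log.

Added example for this thread, not code from the thread, FreeIPA or 389-ds.
Assumptions: one JSON object per log line with the fields shown in the
thread; BIND_FAILED assumed to be the failed counterpart of BIND_SUCCESS;
all sample lines below are constructed, not captured output.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of `ipa env | grep -e basedn -e container_` output.
IPA_ENV_SAMPLE = """\
  basedn: dc=ipa1,dc=test
  container_group: cn=groups,cn=accounts
  container_host: cn=computers,cn=accounts
  container_service: cn=services,cn=accounts
  container_sysaccounts: cn=sysaccounts,cn=etc
  container_user: cn=users,cn=accounts
"""

# Constructed security-log lines (IPs and non-admin DNs are invented).
SECURITY_LOG_SAMPLE = r"""
{ "date": "[13\/Nov\/2024:13:45:30.373894622 +0000] ", "utc_time": "1731505530.373894622", "event": "BIND_SUCCESS", "dn": "uid=admin,cn=users,cn=accounts,dc=ipa1,dc=test", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.0.0.5", "server_ip": "10.0.0.1", "ldap_version": 3, "conn_id": 123, "op_id": 2, "msg": "" }
{ "date": "[13\/Nov\/2024:13:46:01.000000000 +0000] ", "utc_time": "1731505561.000000000", "event": "BIND_FAILED", "dn": "uid=alice,cn=users,cn=accounts,dc=ipa1,dc=test", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.0.0.77", "server_ip": "10.0.0.1", "ldap_version": 3, "conn_id": 130, "op_id": 1, "msg": "" }
{ "date": "[13\/Nov\/2024:13:46:02.000000000 +0000] ", "utc_time": "1731505562.000000000", "event": "BIND_FAILED", "dn": "uid=bob,cn=users,cn=accounts,dc=ipa1,dc=test", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.0.0.77", "server_ip": "10.0.0.1", "ldap_version": 3, "conn_id": 131, "op_id": 1, "msg": "" }
{ "date": "[13\/Nov\/2024:13:46:03.000000000 +0000] ", "utc_time": "1731505563.000000000", "event": "BIND_FAILED", "dn": "uid=carol,cn=users,cn=accounts,dc=ipa1,dc=test", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.0.0.77", "server_ip": "10.0.0.1", "ldap_version": 3, "conn_id": 132, "op_id": 1, "msg": "" }
{ "date": "[13\/Nov\/2024:13:47:10.000000000 +0000] ", "utc_time": "1731505630.000000000", "event": "BIND_FAILED", "dn": "uid=alice,cn=users,cn=accounts,dc=ipa1,dc=test", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.0.0.5", "server_ip": "10.0.0.1", "ldap_version": 3, "conn_id": 140, "op_id": 1, "msg": "" }
{ "date": "[13\/Nov\/2024:13:48:00.000000000 +0000] ", "utc_time": "1731505680.000000000", "event": "BIND_SUCCESS", "dn": "uid=svc-app,cn=sysaccounts,cn=etc,dc=ipa1,dc=test", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.0.0.20", "server_ip": "10.0.0.1", "ldap_version": 3, "conn_id": 150, "op_id": 1, "msg": "" }
{ "date": "[13\/Nov\/2024:13:49:00.000000000 +0000] ", "utc_time": "1731505740.000000000", "event": "BIND_SUCCESS", "dn": "cn=Directory Manager", "bind_method": "SIMPLE", "root_dn": true, "client_ip": "10.0.0.9", "server_ip": "10.0.0.1", "ldap_version": 3, "conn_id": 160, "op_id": 1, "msg": "" }
"""


def parse_ipa_env(text):
    """Turn `name: value` lines into (basedn, {container name: full DN})."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep:
            values[name.strip()] = value.strip()
    basedn = values["basedn"]
    containers = {
        name[len("container_"):]: f"{rdn},{basedn}"
        for name, rdn in values.items()
        if name.startswith("container_")
    }
    return basedn, containers


def classify_dn(dn, containers):
    """Return the IPA container a DN sits under, or None (e.g. the root DN)."""
    dn = dn.lower()
    # Longest container DN first so a nested container wins over its parent.
    for name, cdn in sorted(containers.items(), key=lambda kv: -len(kv[1])):
        if dn.endswith("," + cdn.lower()):
            return name
    return None


def parse_security_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, containers, spray_threshold=3):
    """Summarise SIMPLE binds: spray sources, root-DN binds, binds per container.

    A client IP that fails SIMPLE binds against `spray_threshold` or more
    distinct DNs is reported; one user mistyping a password stays below it.
    """
    failed_dns_by_ip = defaultdict(set)
    findings = {
        "spray_sources": {},
        "root_dn_simple_binds": [],
        "simple_binds_by_container": Counter(),
    }
    for ev in events:
        if ev.get("bind_method") != "SIMPLE":
            continue  # SASL binds are out of scope for this check
        if ev["event"] == "BIND_FAILED":
            failed_dns_by_ip[ev["client_ip"]].add(ev["dn"])
        elif ev["event"] == "BIND_SUCCESS":
            if ev.get("root_dn"):
                findings["root_dn_simple_binds"].append((ev["client_ip"], ev["dn"]))
            bucket = classify_dn(ev["dn"], containers) or "other"
            findings["simple_binds_by_container"][bucket] += 1
    for ip, dns in failed_dns_by_ip.items():
        if len(dns) >= spray_threshold:
            findings["spray_sources"][ip] = sorted(dns)
    return findings


def run_sample():
    """Run the triage over the constructed samples."""
    _, containers = parse_ipa_env(IPA_ENV_SAMPLE)
    return triage(parse_security_log(SECURITY_LOG_SAMPLE), containers)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On a real server, feed `parse_ipa_env` the output of `ipa env | grep -e basedn -e container_` and `parse_security_log` the contents of `/var/log/dirsrv/slapd-*/security`; the container mapping lets you tell a user bind from a system-account bind without hard-coding the DIT, and the root-DN check catches the one SIMPLE bind that should never appear from an ordinary LDAP client.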

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue