Sorry, I didn’t include much in the way of specifics did I?! Before yum
updated my IPA server from 2.2 to 3, FreeIPA provided (or appeared to provide)
an instance of an LDAP server that was accessible locally on port 389. The web
applications I am concerned with is Atlassian Crowd, which I use to
authenticate to Jira, Confluence, Bamboo and Fisheye on the local network and
also Google Apps. Crowd is on the same server as FreeIPA so as to allow me to
keep port 389 behind the server’s firewall. Crowd was configured to treat the
LDAP server as a read only 389 DS server as experimentation showed that that
worked, but I did not install or configure any LDAP software myself. The LDAP
server had been installed as part of the FreeIPA installation.
Crowd is failing since the update as there is no server listening on port 389.
It gets a ‘connection refused’ message. Netstat confirms that there is no
server listening on port 389 and also shows that there is nothing listening on
port 636. Prior to the upgrade, FreeIPA had been running with default
settings, I had done nothing to reduce security.
From: Dmitri Pal
Sent: Sunday, 7 April 2013 20:20
On 04/07/2013 05:44 AM, Simon Williams wrote:
I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days ago
and it upgraded FreeIPA to version 3. I use a couple of web applications that
cannot use Kerberos, but can use LDAP to authenticate. These stopped working.
When I investigated the issue, I discovered that the LDAP server wasn't there
any more. Google searches have proved fruitless and I can't find any
documentation for v3. Can anyone tell me how to get my LDAP server back?
Can you please clarify:
Did you have an earlier version of the apps that used IPA via LDAP or you had a
different LDAP instance and FreeIPA now took over the whole machine and you do
not have access to those instances?
I assume you had 389 DS, right? Or OpenLDAP?
What is the general goal? Do you want to have the apps be able to access IPA
data via LDAP or you want to be able to use different LDAP databases on the
If the apps you mention used to work against IPA and now they do not I would
suggest checking the logs from those applications to see what is failing. It
might be that they have been using an insecure way to authenticate and the
upgraded bits enforce a higher security standard. If this is the case you
either need to lower the authentication requirements on the server (not
recommended) or provide a more secure way to authenticate from those apps
Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list