On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
hi,
I've got a problem with using IPA as authentication source over LDAP.
Generally there are two approaches to LDAP authentication:
1. bind using admin account and read passwords from user objects (but in
ipa you cannot read passwords through ldap, right?)
2. "bind to authenticate" - service tries to log in to ldap with user's
credentials. If login is successful authentication is also successful -
this approach does not work because you cannot login to IPA ldap using
bare username, you need a full LDAP DN.


Most applications I know of that do "bind as user" to authenticate also permit you to specify a format string into which the user name is inserted (i.e. the format string is the dn, e.g. "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search to discover the dn. If your application does not support either approach it's broken IMHO.

Reading passwords and/or password hashes is not supported for security reasons.

Now, I've got a 3rd party application supporting both mentioned above
approaches and the question is - how to make it work with ipa?

thanks in advance,
Bartek.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
John Dennis <jden...@redhat.com>
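
The two "bind as user" variants described in the reply above, sketched as an added example that is not part of the original thread and is not FreeIPA's or any application's own code. It assumes the DN template from the reply, and `simple_bind` is a hypothetical callable wrapping whatever LDAP client library is in use; it also rejects empty passwords, which would otherwise become an unauthenticated bind.

```python
# Assumed template, copied from the example DN in the reply above.
DN_TEMPLATE = "uid=%u,cn=users,cn=accounts,dc=example,dc=com"


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)  # leading/trailing space, leading '#'
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for use in a search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
             "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn_for(username, template=DN_TEMPLATE):
    """Approach 1: insert the escaped user name into the DN format string."""
    return template.replace("%u", escape_dn_value(username))


def search_filter_for(username):
    """Approach 2: filter used to look up the user's DN before binding."""
    return "(uid=%s)" % escape_filter_value(username)


def authenticate(username, password, simple_bind):
    """simple_bind(dn, password) -> bool is a hypothetical caller-supplied
    wrapper around the real LDAP client."""
    if not username or not password:
        # A simple bind with a DN and an empty password is an
        # "unauthenticated bind" (RFC 4513, section 5.1.2) and may be
        # reported as success by the server, so refuse it here.
        return False
    return simple_bind(bind_dn_for(username), password)


if __name__ == "__main__":
    # Constructed in-memory stand-in for a directory, for demonstration only.
    fake_dir = {"uid=bartek,cn=users,cn=accounts,dc=example,dc=com": "s3cret"}
    print(authenticate("bartek", "s3cret", lambda dn, pw: fake_dir.get(dn) == pw))
```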
