On 04/11/2013 11:58 PM, Peter Brown wrote:
On 12 April 2013 15:51, Simon Williams <simon.willi...@thehelpfulcat.com> wrote:


    I use Atlassian products, but use Crowd to provide single signon.
    This means that Crowd is the only application that needs to
    authenticate against LDAP. I found that I had to tell Crowd that
    the server was 389 DS. I could not get it to work set to OpenLDAP.


I had a look at Crowd but it seemed like overkill when I could just point everything at FreeIPA.
We are a small shop so the extra queries weren't going to affect much.
I tried telling my Atlassian apps that FreeIPA was a 389 DS server but they refused to work properly.

Not sure what that means, exactly. Check the 389 access logs to see what operations Atlassian is performing against 389.

Slightly strange considering the ldap modules for all of them are the same as the one used in crowd.

    Regards

    Simon

    On 11 Apr 2013 23:36, "Peter Brown" <rendhal...@gmail.com> wrote:

        On 12 April 2013 05:04, John Dennis <jden...@redhat.com> wrote:

            On 04/11/2013 02:47 PM, Bartek Moczulski wrote:

                hi,
                I've got a problem with using IPA as authentication
                source over LDAP.
                Generally there are two approaches to LDAP authentication:
                1. bind using admin account and read passwords from
                user objects (but in
                ipa you cannot read passwords through ldap, right?)
                2. "bind to authenticate" - service tries to log in to
                ldap with user's
                credentials. If login is successful authentication is
                also successful -
                this approach does not work because you cannot login
                to IPA ldap using
                bare username, you need a full LDAP DN.


            Most applications I know of that do "bind as user" to
            authenticate also permit you to specify a format string
            into which the user name is inserted (i.e. the format
            string is the dn, e.g.
            "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they
            do a search to discover the dn. If your application does
            not support either approach it's broken IMHO.


        I have used this method for Confluence, Jira, Stash, Icinga
        and Foreman.
        I will be adding more applications in the future as well.
        If the application doesn't support Kerberos it's the next best
        thing in my opinion.
        I have also used it to get email lists into Dovecot and Postfix.

        One caveat I found is you need to tell Atlassian applications
        that FreeIPA is a plain OpenLDAP server to get it to work.
        Apart from that it works "out of the box" as they say.



            Reading passwords and/or password hashes is not supported
            for security reasons.

                Now, I've got a 3rd party application supporting both
                mentioned above
                approaches and the question is - how to make it work
                with ipa?

                thanks in advance,
                Bartek.


                _______________________________________________
                Freeipa-users mailing list
                Freeipa-users@redhat.com
                https://www.redhat.com/mailman/listinfo/freeipa-users



-- John Dennis <jden...@redhat.com>

            Looking to carve out IT costs?
            www.redhat.com/carveoutcosts/











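The two "bind as user" approaches John describes, a DN template such as uid=%u,cn=users,cn=accounts,dc=example,dc=com or a search that discovers the DN first, in working form. This is an added example, not code from this thread or from FreeIPA. The LDAP server is replaced by a constructed in-memory stand-in so the file runs offline; the service account DN, user names and passwords are made up. Two checks a practitioner wants on top of the bare bind are included: escaping the login name before splicing it into a DN (RFC 4514) or a search filter (RFC 4515), and refusing an empty password before binding, because a simple bind with a DN and no password is an unauthenticated bind (RFC 4513) that a server may be configured to report as success.

```python
"""Bind-as-user authentication against a directory laid out like FreeIPA's
(uid=<name>,cn=users,cn=accounts,<suffix>), in the two forms John Dennis
describes: a DN template, and a search that discovers the DN first.

Added example, not code from the thread or from FreeIPA. The directory is a
constructed in-memory stand-in so the file runs offline."""
import re

SUFFIX = "dc=example,dc=com"                     # suffix from the thread's sample DN
USER_BASE_DN = "cn=users,cn=accounts," + SUFFIX  # FreeIPA's user container
USER_DN_TEMPLATE = "uid=%s," + USER_BASE_DN      # the "uid=%u,..." template as a Python format
# Assumed service account for search-then-bind; cn=sysaccounts,cn=etc is where
# FreeIPA conventionally keeps such accounts. Name and password are made up.
SERVICE_DN = "uid=svc-wiki,cn=sysaccounts,cn=etc," + SUFFIX
SERVICE_PW = "svc-secret"


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value that is spliced into a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value that is spliced into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def auth_dn_template(directory, username, password):
    """Approach 1: substitute the login name into a fixed DN and bind as it."""
    if not username or not password:     # an empty password must never reach the server
        return False
    return directory.simple_bind(USER_DN_TEMPLATE % escape_dn_value(username), password)


def auth_search_then_bind(directory, username, password):
    """Approach 2: bind as a service account, find the user's DN, bind as that DN."""
    if not username or not password:
        return False
    if not directory.simple_bind(SERVICE_DN, SERVICE_PW):
        raise RuntimeError("service account bind failed")
    hits = directory.search(USER_BASE_DN, "(uid=%s)" % escape_filter_value(username))
    if len(hits) != 1:                   # unknown user, or a wildcard that matched several
        return False
    return directory.simple_bind(hits[0], password)


def _value_regex(raw):
    """Stand-in helper: an RFC 4515 assertion value as a regex, where an
    unescaped '*' is a wildcard and a '\\XX' sequence is a literal character."""
    pat = ""
    for piece in re.split(r"(\\[0-9a-fA-F]{2})", raw):
        if re.fullmatch(r"\\[0-9a-fA-F]{2}", piece):
            pat += re.escape(chr(int(piece[1:], 16)))
        else:
            pat += ".*".join(re.escape(seg) for seg in piece.split("*"))
    return re.compile(pat)


class FakeDirectory:
    """Constructed stand-in for an LDAP server; entries are (dn, attrs, password)."""

    def __init__(self, entries):
        self._entries = {dn.lower(): (attrs, pw) for dn, attrs, pw in entries}

    def simple_bind(self, dn, password):
        # Modelled as a permissive server: an empty password is an unauthenticated
        # bind (RFC 4513 section 5.1.2) and is reported as success for any DN.
        # Servers differ by configuration, which is why the client code above
        # refuses empty passwords itself instead of trusting the bind result.
        if password == "":
            return True
        entry = self._entries.get(dn.lower())
        return entry is not None and entry[1] == password

    def search(self, base_dn, filt):
        # Supports only the single equality filter "(attr=value)" built above.
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("unsupported filter: " + filt)
        attr, pattern = m.group(1).lower(), _value_regex(m.group(2))
        suffix = "," + base_dn.lower()
        return [dn for dn, (attrs, _) in self._entries.items()
                if dn.endswith(suffix) and attr in attrs and pattern.fullmatch(attrs[attr])]


# Constructed sample data. Plaintext passwords exist only inside the stand-in;
# a real server verifies them and never hands them out (as John notes above).
DIRECTORY = FakeDirectory([
    ("uid=alice," + USER_BASE_DN, {"uid": "alice"}, "correct horse"),
    ("uid=bob," + USER_BASE_DN, {"uid": "bob"}, "battery staple"),
    (SERVICE_DN, {"uid": "svc-wiki"}, SERVICE_PW),
])

if __name__ == "__main__":
    for user, pw in (("alice", "correct horse"), ("alice", "nope"), ("alice", ""), ("*", "correct horse")):
        print("%-8r %-16r template=%-5s search=%s" % (user, pw,
              auth_dn_template(DIRECTORY, user, pw), auth_search_then_bind(DIRECTORY, user, pw)))
```

Running the file pushes four logins (good password, wrong password, empty password, wildcard user name) through both approaches; only the first succeeds. The stand-in's bind deliberately accepts the empty password so the output shows why the client-side check is not optional, and an unescaped "(uid=*)" filter returns every user whereas the escaped form returns none.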