On 12 April 2013 23:59, Rich Megginson <rmegg...@redhat.com> wrote:

> On 04/11/2013 11:58 PM, Peter Brown wrote:
>
> On 12 April 2013 15:51, Simon Williams
> <simon.willi...@thehelpfulcat.com> wrote:
>
>> I use Atlassian products, but use Crowd to provide single signon. This
>> means that Crowd is the only application that needs to authenticate against
>> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
>> not get it to work set to OpenLDAP.
>>
>
> I had a look at crowd but it seemed like overkill when I could just
> point everything at FreeIPA.
> We are a small shop so the extra queries weren't going to affect much.
> I tried telling my Atlassian apps that freeipa was a 389 ds server but
> it refused to work properly.
>
>
> Not sure what that means, exactly. Check the 389 access logs to see what
> operations Atlassian is performing against 389.
>

I don't remember the exact error and they get used every day and they work as is so I will have to wait for an update to switch it over to see what errors it produces.

>
> Slightly strange considering the ldap modules for all of them are the
> same as the one used in crowd.
>
>
>> Regards
>>
>> Simon
>> On 11 Apr 2013 23:36, "Peter Brown" <rendhal...@gmail.com> wrote:
>>
>>> On 12 April 2013 05:04, John Dennis <jden...@redhat.com> wrote:
>>>
>>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>>
>>>>> hi,
>>>>> I've got a problem with using IPA as authentication source over LDAP.
>>>>> Generally there are two approaches to LDAP authentication:
>>>>> 1. bind using admin account and read passwords from user objects (but in
>>>>> ipa you cannot read passwords through ldap, right?)
>>>>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>>>>> credentials. If login is successful authentication is also successful -
>>>>> this approach does not work because you cannot login to IPA ldap using
>>>>> bare username, you need a full LDAP DN.
>>>>>
>>>>
>>>> Most applications I know of that do "bind as user" to authenticate
>>>> also permit you to specify a format string into which the user name is
>>>> inserted (i.e. the format string is the dn, e.g.
>>>> "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search to
>>>> discover the dn. If your application does not support either approach it's
>>>> broken IMHO.
>>>>
>>>
>>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
>>> I will be adding more applications in the future as well.
>>> If the application doesn't support Kerberos it's the next best thing
>>> in my opinion.
>>> I have also used it to get email lists into dovecot and postfix.
>>>
>>> One caveat I found is you need to tell Atlassian applications that
>>> FreeIPA is a plain OpenLDAP server to get it to work.
>>> Apart from that it works "out of the box" as they say.
>>>
>>>>
>>>> Reading passwords and/or password hashes is not supported for security
>>>> reasons.
>>>>
>>>>> Now, I've got a 3rd party application supporting both mentioned above
>>>>> approaches and the question is - how to make it work with ipa?
>>>>>
>>>>> thanks in advance,
>>>>> Bartek.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>> --
>>>> John Dennis <jden...@redhat.com>
>>>>
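
Both approaches John Dennis describes, the DN format string and the search to discover the DN, place a user-supplied name into LDAP syntax. The Python below is an added example, not part of the thread and not code from FreeIPA or any application named in it; it escapes the name for each case and refuses empty passwords. The template is the one quoted in the thread, and the function names are hypothetical.

```python
# Added example: safe DN/filter construction for "bind as user" LDAP auth.
# DN_TEMPLATE is the example format string from the thread; the function
# names are hypothetical and belong to no real application.

DN_TEMPLATE = "uid=%u,cn=users,cn=accounts,dc=example,dc=com"
DN_SPECIAL = set('"+,;<>\\')                     # RFC 4514 section 2.4
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                  ")": r"\29", "\x00": r"\00"}   # RFC 4515 section 3


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot add or alter RDNs."""
    out = "".join("\\" + c if c in DN_SPECIAL else c for c in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in ("#", " "):                    # leading '#' or space
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):   # trailing space
        out = out[:-1] + "\\ "
    return out


def bind_dn_for(username: str, template: str = DN_TEMPLATE) -> str:
    """Format-string approach: put the escaped user name into the DN."""
    return template.replace("%u", escape_dn_value(username))


def search_filter_for(username: str) -> str:
    """Search-then-bind approach: filter used to discover the user's DN."""
    return "(uid=%s)" % "".join(FILTER_ESCAPES.get(c, c) for c in username)


def bind_request(username: str, password: str):
    """Return the (dn, password) pair to hand to a simple bind over TLS.

    An empty password is refused: a simple bind with a DN and no password
    is an "unauthenticated bind" (RFC 4513 section 5.1.2), which a server
    may answer with success even though nothing was verified.
    """
    if not username or not password:
        raise ValueError("empty user name or password")
    return bind_dn_for(username), password


if __name__ == "__main__":
    for name in ("jsmith", "x,cn=admins", "*)(uid=*"):   # constructed inputs
        print(repr(name), "->", bind_dn_for(name), "|", search_filter_for(name))
```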