On Thu, May 16, 2013 at 6:48 PM, William Muriithi <
> Got a question, I know FreeIPA does not allow anonymous binding so if one
> need to create an account to query for such information. I did this during
> the sudo setup.
> unless you have changed it yourself (or stuff has changed in the standard
installation since v2.2 when I installed my ipa servers) anonymous binding
is allowed. But you cannot query group membership of the users IIRC
> I am trying to get git to use FreeIPA today and I trying to figure where
> the bind user should be created under. This got to be a system account, so
> I am not sure it should go under the normal user dn below. And even if I
> created it as normal user, I am not sure it would have permission to
> transverse the tree looking for the group user details
> dn: uid=william,cn=users,cn= compat,dc=example,dc=com
system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld ;
but you can create them wherever you like I think. If you create a normal
ipa account with the ipa tools, you can always modify the
krbPasswordExpiration attribute manually and have it expire in the year
3000 so it does not get disabled until then ;-)
> Here is the script that interacts with FreeIPA, whats the best way to get
> the script working with FreeIPA?
god, what a bad Perl script you have found :-) Shame, this stuff is what
gives perl a bad rep.
Without rewriting it (would take me 10 minutes), to conform to modern perl
best practices, you could get going by:
# Bind to LDAP with proper user
$ldapret = $ldap->bind( 'cn=administrator,o=company',
password => '5ecretpa55w0rd' );
modify the bind with your user you just created.
# Execute the actual LDAP search to get groups for the given UID
$ldapret = $ldap->search( base => 'ou=users,ou=department,o=company',
scope => 'subtree',
filter => $filter );
modify with base => 'cn=groups,cn=accounts,dc=domain,dc=nx',
that should do it.
In a while after the kids are put to bed I can test it.
Freeipa-users mailing list