On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> Hi Everyone,
>
> I have deployed freeipa inside our production network. I want to be able to
> access the web ui so I am attempting to add it to our nginx edge machine. I
> can pass the requests upstream just fine but I am unable to login using a
> username/password. I have enabled password authentication in the kerberos
> section of the freeipa httpd config file. In the logs it looks like the
> authentication succeeds and a ticket is issued. I assume that the cookie
> that is returned (ipa_session) has the authentication information in it.
> The subsequent call to get json data fails and I am prompted to login again.
>
> I found this thread (
> https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> which has instructions on adding ipa.mydomain.com to the keytab. When I
> call ipa-getkeytab it hangs for a bit before returning:
> ldap_sasl_bind(SIMPLE):
> Can't contact LDAP server (-1)
>
> Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
>
> I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:

Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y GSSAPI ....' ?

bye,
Sumit

>
> So we seem to have a SASL problem. If I run ldapsearch with -x simple
> authentication works just fine.
>
> Do I need to do something special to enable SASL so I can get the keytab?
> The ipa-getkeytab command does not seem to have an option to use simple
> authentication.
>
> Thanks.
>
> Steve

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users