On 01/28/2014 05:29 PM, Steve Severance wrote:
> Hi Everyone,
> I have deployed freeipa inside our production network. I want to be
> able to access the web ui so I am attempting to add it to our nginx
> edge machine. I can pass the requests upstream just fine but I am
> unable to login using a username/password. I have enabled password
> authentication in the kerberos section of the freeipa httpd config
> file. In the logs it looks like the authentication succeeds and a
> ticket is issued. I assume that the cookie that is returned
> (ipa_session) has the authentication information in it. The subsequent
> call to get json data fails and I am prompted to login again.
> I found this thread
> which has instructions on adding ipa.mydomain.com to the keytab. When I call ipa-getkeytab it
> hangs for a bit before returning: ldap_sasl_bind(SIMPLE): Can't
> contact LDAP server (-1)
> Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
> I get:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> So we seem to have a SASL problem. If I run ldapsearch with -x simple
> authentication works just fine.
> Do I need to do something special to enable SASL so I can get the
> keytab? The ipa-getkeytab command does not seem to have an option to
> use simple authentication.
To be able to help a small diagram would be really helpful.
The error above indicates that there is an entity that tries to connect
to the LDAP using Kerberos GSSAPI and can't because it either does not
have kerberos identity or keys or it is misconfigured and can't get to
them. The diagram of request flow would help to troubleshoot the issue.
What version of FreeIPA are you using? What platform?
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Freeipa-users mailing list
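The reply above asks where in the request flow the GSSAPI bind is failing. As an added illustration (not code from the thread or from the FreeIPA project), the script below separates the three usual causes of `SASL(-4): no mechanism available`: the directory does not advertise GSSAPI, the client host lacks the Cyrus SASL GSSAPI plugin, or the caller has no Kerberos ticket. All inputs are constructed samples (a root DSE as `ldapsearch -x -LLL -b "" -s base supportedSASLMechanisms` would print it, a plugin directory listing, and `klist` output); the host names and the plugin-file-to-mechanism mapping are assumptions for the example.

```python
"""Attribute an LDAP 'SASL(-4): no mechanism available' failure to the
server, the client SASL library, or missing Kerberos credentials.

Added diagnostic example; every input below is a constructed sample, not
output captured from the systems discussed in the thread.
"""
import re

# Constructed sample: root DSE as returned by
#   ldapsearch -x -LLL -H ldaps://ldap.example.test -b "" -s base supportedSASLMechanisms
ROOT_DSE_LDIF = """\
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
"""

# Constructed sample: files in the Cyrus SASL plugin directory (for example
# /usr/lib64/sasl2) on a client where the GSSAPI plugin package is absent.
CLIENT_PLUGIN_FILES = [
    "libanonymous.so", "libplain.so", "libdigestmd5.so", "libcrammd5.so", "liblogin.so",
]

# Constructed samples of `klist` output: no cache at all, and a valid TGT.
KLIST_NO_CACHE = "klist: No credentials cache found (filename: /tmp/krb5cc_0)\n"
KLIST_WITH_TICKET = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.TEST

Valid starting       Expires              Service principal
01/28/2014 17:00:00  01/29/2014 17:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# Mechanisms provided by common Cyrus SASL plugin files (assumed mapping).
PLUGIN_MECHS = {
    "libanonymous.so": {"ANONYMOUS"},
    "libplain.so": {"PLAIN"},
    "libdigestmd5.so": {"DIGEST-MD5"},
    "libcrammd5.so": {"CRAM-MD5"},
    "liblogin.so": {"LOGIN"},
    "libgssapiv2.so": {"GSSAPI", "GSS-SPNEGO"},
}


def server_mechanisms(ldif: str) -> set:
    """Collect every supportedSASLMechanisms value from root DSE LDIF."""
    return set(re.findall(r"^supportedSASLMechanisms:\s*(\S+)", ldif, re.MULTILINE))


def client_mechanisms(plugin_files) -> set:
    """Mechanisms the local Cyrus SASL installation can offer."""
    mechs = set()
    for name in plugin_files:
        mechs |= PLUGIN_MECHS.get(name, set())
    return mechs


def has_kerberos_ticket(klist_output: str) -> bool:
    """True when klist shows a credential cache with a default principal."""
    return bool(re.search(r"^Default principal:\s*\S+", klist_output, re.MULTILINE))


def diagnose(ldif: str, plugin_files, klist_output: str) -> str:
    """Return which side explains a failed GSSAPI bind, checked in order."""
    server = server_mechanisms(ldif)
    client = client_mechanisms(plugin_files)
    if "GSSAPI" not in server:
        return "server: directory does not advertise GSSAPI"
    if "GSSAPI" not in client:
        return "client: Cyrus SASL GSSAPI plugin is not installed"
    if not has_kerberos_ticket(klist_output):
        return "client: no Kerberos ticket in the credential cache (run kinit)"
    return "GSSAPI usable on both sides; check krb5.conf, DNS and clock skew"


if __name__ == "__main__":
    print(diagnose(ROOT_DSE_LDIF, CLIENT_PLUGIN_FILES, KLIST_NO_CACHE))
    print(diagnose(ROOT_DSE_LDIF, CLIENT_PLUGIN_FILES + ["libgssapiv2.so"], KLIST_WITH_TICKET))
```

The order of the checks matters: a simple bind (`-x`) succeeding while the SASL bind fails, as in the thread, proves nothing about the server's mechanism list, so the root DSE is queried first; only once the server is known to offer GSSAPI is the client plugin set and then the credential cache examined. On a real host the three inputs come from the `ldapsearch` command in the comment, a listing of the SASL plugin directory, and `klist`.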