Hi Dmitri,

I am using FreeIPA 3.1.5 on Fedora 18. The design basically looks like the following. All of this is hosted at AWS in our VPC. The nginx box is on a web-addressable subnet, while the FreeIPA box is on a private subnet that is not internet accessible. My goal is to be able to use the web UI from our office without having to invest in a hardware VPN connection. So nginx basically just acts as a reverse proxy and creates the connection on the user's behalf to the IPA server. I can log in to other machines I have, both in our private data center and in AWS, using IPA, and that works great as far as I can tell.
Any more information I can supply?

Thanks.

Steve

On Wed, Jan 29, 2014 at 4:18 AM, Dmitri Pal <[email protected]> wrote:
> On 01/28/2014 05:29 PM, Steve Severance wrote:
> > Hi Everyone,
> >
> > I have deployed FreeIPA inside our production network. I want to be able
> > to access the web UI, so I am attempting to add it to our nginx edge
> > machine. I can pass the requests upstream just fine, but I am unable to
> > log in using a username/password. I have enabled password authentication in
> > the Kerberos section of the FreeIPA httpd config file. In the logs it looks
> > like the authentication succeeds and a ticket is issued. I assume that the
> > cookie that is returned (ipa_session) has the authentication information in
> > it. The subsequent call to get JSON data fails and I am prompted to log in
> > again.
> >
> > I found this thread
> > (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> > which has instructions on adding ipa.mydomain.com to the keytab. When I
> > call ipa-getkeytab it hangs for a bit before returning:
> >
> > ldap_sasl_bind(SIMPLE):
> > Can't contact LDAP server (-1)
> >
> > Digging into this, if I run:
> >
> > ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
> >
> > I get:
> >
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > additional info: SASL(-4): no mechanism available:
> >
> > So we seem to have a SASL problem. If I run ldapsearch with -x, simple
> > authentication works just fine.
> >
> > Do I need to do something special to enable SASL so I can get the
> > keytab? The ipa-getkeytab command does not seem to have an option to use
> > simple authentication.
> >
> > Thanks.
> >
> > Steve
>
> To be able to help, a small diagram would be really helpful.
> The error above indicates that there is an entity that tries to connect to
> the LDAP using Kerberos GSSAPI and can't, because it either does not have a
> Kerberos identity or keys, or it is misconfigured and can't get to them. The
> diagram of request flow would help to troubleshoot the issue.
>
> What version of FreeIPA are you using? What platform?
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
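As an added example (it is not part of the thread and not FreeIPA project code), the following shell script walks the checks that Dmitri's reply points at: `SASL(-4): no mechanism available` is raised on the client side when the LDAP client library finds no SASL mechanism it can use, so the server does not need to be loosened (no enabling simple binds for the keytab fetch, no passwords through the proxy); what has to be fixed is the caller's Kerberos identity. `ipa-getkeytab`, and `ldapsearch` without `-x`, bind with SASL/GSSAPI using the current credential cache, which is why the anonymous `-x` search worked while both of those failed. The hostname `ipa.example.com`, the `admin` principal used in the hint, and the SASL plugin paths are assumptions; the classified error strings are the two from the thread plus standard MIT Kerberos GSSAPI messages.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Triage for a failing SASL/GSSAPI bind against a FreeIPA LDAP server.
# Hostnames (ipa.example.com) and plugin paths are assumptions; adjust them.

# server_offers_gssapi: read on stdin the LDIF printed by
#   ldapsearch -x -LLL -H ldaps://ipa.example.com -b '' -s base supportedSASLMechanisms
# (anonymous simple bind, so it needs no credentials) and succeed only if
# GSSAPI is among the mechanisms the server advertises.
server_offers_gssapi() {
    grep -qi '^supportedSASLMechanisms: *GSSAPI *$'
}

# have_gssapi_plugin: the client library reports SASL(-4) when it has no
# usable mechanism; a client without the GSSAPI plugin (package
# cyrus-sasl-gssapi on Fedora) is the usual cause. Paths vary by distro.
have_gssapi_plugin() {
    for f in /usr/lib64/sasl2/libgssapiv2.so* /usr/lib/sasl2/libgssapiv2.so* \
             /usr/lib/*/sasl2/libgssapiv2.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# classify_bind_error: read the stderr of a failed ldapsearch / ldapwhoami /
# ipa-getkeytab run on stdin and print the likely cause. The first two
# patterns are the messages quoted in the thread; the others are standard
# MIT Kerberos GSSAPI messages.
classify_bind_error() {
    text=$(cat)
    case "$text" in
        *"no mechanism available"*)                echo client-no-mech ;;
        *"Can't contact LDAP server"*)             echo server-unreachable ;;
        *"No Kerberos credentials available"*)     echo no-ticket ;;
        *"Server not found in Kerberos database"*) echo no-service-principal ;;
        *"Clock skew too great"*)                  echo clock-skew ;;
        *)                                         echo unknown ;;
    esac
}

# diagnose_gssapi URI: run the live checks in the order the failure surfaces.
# Not executed when this file is sourced; call it by hand, e.g.
#   diagnose_gssapi ldaps://ipa.example.com
diagnose_gssapi() {
    uri="$1"
    # 1. Reachability and server-side mechanisms, with no credentials needed.
    if ! ldapsearch -x -LLL -H "$uri" -b '' -s base supportedSASLMechanisms \
            | server_offers_gssapi; then
        echo "server at $uri is unreachable or does not advertise GSSAPI"
        return 1
    fi
    # 2. Client-side SASL GSSAPI plugin.
    if ! have_gssapi_plugin; then
        echo "no SASL GSSAPI plugin on this client (install cyrus-sasl-gssapi)"
        return 1
    fi
    # 3. A valid, unexpired ticket in the credential cache (klist -s is silent).
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket; run: kinit admin" \
             "(or kinit -kt /etc/krb5.keytab host/\$(hostname -f) on an enrolled host)"
        return 1
    fi
    # 4. The GSSAPI bind itself; classify whatever the server or library says.
    if out=$(ldapwhoami -Y GSSAPI -H "$uri" 2>&1); then
        echo "GSSAPI bind OK: $out"
        return 0
    fi
    echo "GSSAPI bind failed: $(printf '%s\n' "$out" | classify_bind_error)"
    return 1
}

# Constructed sample: the two lines quoted in the thread, run through the
# classifier. Prints "client-no-mech".
printf '%s\n' 'ldap_sasl_interactive_bind_s: Unknown authentication method (-6)' \
    '        additional info: SASL(-4): no mechanism available:' | classify_bind_error
```

Sourcing the file and calling `diagnose_gssapi ldaps://ipa.example.com` on the host that runs `ipa-getkeytab` stops at the first failing step and says what to fix; once `klist -s` succeeds, `ipa-getkeytab` can be retried as-is, because it picks up the same credential cache.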
