On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> > It should be possible, yes - if you target web service/Red Mine to the
> > compat tree, as it was done for example in this integration:
> > http://www.freeipa.org/page/HowTo/vsphere5_integration
> Thanks, your expression is very helpful for nested group memberships.
> But maybe I expressed myself wrong. We need to log on with a user from Active
> Directory (like henry) over a trust with the IPA domain. But in the IPA
> domain there isn't a user named henry. Only a reference in the group
> "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.
The user can be looked up in the compat tree, e.g.
ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'email@example.com'
> > BTW, if Redmine is run by Apache, you can also leverage native
> > Web<->SSSD<->FreeIPA/AD integration, following
> Our Redmine is running with a ruby webserver based on lock files and in
> front of it we use an nginx web proxy.
> > http://www.freeipa.org/page/Web_App_Authentication
> > Martin
> >> I understand this is for application which is using Kerberos.
> > No, it is not only for that.
> >> I have some web applications like "redmine" and "owncloud" which have
> >> their own user management. They need to be configured with LDAP to grant
> >> authorizations without Kerberos. And not all of them use apache or
> >> tomcat as application server.
> > For OwnCloud use
> > https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
> > and read a backstory in https://github.com/owncloud/core/issues/10130
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't
> > need to include the user which runs redmine into shadow group with FreeIPA
> > because user accounts are never in /etc/shadow for FreeIPA so you don't
> > need that access.
> What do you mean with "You don't need to include the user which runs Redmine
> into shadow group with FreeIPA because user accounts are never in
> /etc/shadow for FreeIPA so you don't need that access"?
> Normally we create users and groups in FreeIPA, add the users to the groups.
> Currently we sync the users and groups to Redmine and grant the permission
> roles (Developer or Manager) to the groups. In this scenario I can remotely
> manage the grants for users on every web server that we use.
> > Both these methods rely on PAM authentication which is powered by SSSD.
> > --
> > / Alexander Bokovoy
> Thanks for your help.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
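As an added example (not code from the thread or from FreeIPA), the following parses the LDIF that an ldapsearch against the compat tree returns and lists the compat posixGroup entries whose memberUid contains the trust user, i.e. the flattened view that the nested, ipaExternalMember-backed IPA groups resolve to. The LDIF is constructed sample data; the DNs, uids and group names are placeholders.

```python
import base64
import re

# Constructed sample of ldapsearch LDIF output from the compat tree (not real
# output; the DNs and uids are placeholders).
SAMPLE_LDIF = """\
dn: uid=henry@ad.example.test,cn=users,cn=compat,dc=ipa,dc=domain
objectClass: posixAccount
uid: henry@ad.example.test
uidNumber: 1234567890
gecos:: SGVucnkgRXhhbXBsZQ==

dn: cn=redmine-developers,cn=groups,cn=compat,dc=ipa,dc=domain
objectClass: posixGroup
cn: redmine-developers
memberUid: henry@ad.example.test
memberUid: alice

dn: cn=redmine-managers,cn=groups,cn=compat,dc=ipa,dc=domain
objectClass: posixGroup
cn: redmine-managers
memberUid: alice
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr(lowercase): [values]}; unfolds wrapped lines, decodes '::' base64."""
    entries = []
    text = re.sub(r"\n ", "", text)  # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded attribute value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        entries.append(entry)
    return entries

def groups_for_user(entries, uid):
    """Sorted cn values of posixGroup entries whose memberUid lists uid."""
    return sorted(
        e["cn"][0] for e in entries
        if "posixgroup" in {c.lower() for c in e.get("objectclass", [])}
        and uid in e.get("memberuid", [])
    )
```

With real output, pipe `ldapsearch -x -LLL -b 'cn=compat,...'` into parse_ldif and map the returned group names onto the Redmine roles you already sync.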