On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> > It should be possible, yes - if you target web service/Redmine to the
> > compat tree, as it was done for example in this integration:
> >
> > http://www.freeipa.org/page/HowTo/vsphere5_integration
> Thanks, your expression is very helpful for nested group memberships.
>
> But maybe I expressed myself wrong. We need to logon with a user from Active
> Directory (like henry) over a Trust with the IPA Domain. But in the IPA
> domain there isn't a user named henry. Only a reference in the group
> "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.
The user can be looked up in the compat tree, e.g.

ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry@ad.domain'

HTH

bye,
Sumit

>
>
> > BTW, if Redmine is run by Apache, you can also leverage native
> > Web<->SSSD<->FreeIPA/AD integration, following
> Our Redmine is running with a ruby webserver based on lock files and in
> front we used an nginx webproxy.
>
> > http://www.freeipa.org/page/Web_App_Authentication
> >
> > Martin
> >
> >> I understand this is for application which is using Kerberos.
> > No, it is not only for that.
>
> >> I have some web applications like "redmine" and "owncloud" which have
> >> their own user management. They need to be configured to LDAP to grant
> >> authorizations without Kerberos. And not all of them use Apache or
> >> Tomcat as application server.
> > For OwnCloud use
> > https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
> > and read a backstory in https://github.com/owncloud/core/issues/10130
> >
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't
> > need to include the user which runs redmine into shadow group with FreeIPA
> > because user accounts are never in /etc/shadow for FreeIPA so you don't
> > need that access.
>
> What do you mean with "You don't need to include the user which runs Redmine
> into shadow group with FreeIPA because user accounts are never in
> /etc/shadow for FreeIPA so you don't need that access"?
> Normally we create users and groups in FreeIPA, add the users to the groups.
> Currently we sync the user and groups to Redmine and grant the permission
> roles (Developer or Manager) to the groups. In this scenario I can manage
> remotely the grants for users in every webserver that we used.
>
> > Both these methods rely on PAM authentication which is powered by SSSD.
> >
> > --
> > / Alexander Bokovoy
>
> Thanks for your help.
> Henry
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.1.0 (Build 860)
> Charset: us-ascii
>
> wsBVAwUBVYEuBHEu+nQzo7NUAQhF5ggAhRRwwTW2XkV4wqe3Q4IAbLFvux8KrVpC
> MZ5qovGeyY5N9Fk/MunfC0eg2J2t7KGU9bdJEuWNIZtxH8tLZudRIQL7DMrUs0hF
> yNoCIfa0PgMNhS7OFGMtlpF76YBsA50xP9Qhd8hXOsGMnqaaaZ54psUCO4fOSiLB
> RGFXaFIs6u1odq93DRImVGvy2mBN1MPC+cG1fQHZN089OZ7aFQunNTIWeGptmTX8
> CjspbonsB1HZzN7vRDLs2RKGLm+7f8gv4MZHN1gBFLzTjAAZ1ke2+vOM+e+QmHXL
> GHCx9yPr3C9GvB89cN5tssD/F32Pixa0UzENYAk7CHqQE7cKRpNAOw==
> =jfYn
> -----END PGP SIGNATURE-----
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
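An added example, not part of the thread above and not FreeIPA or Redmine code, of what an application doing its own LDAP lookups would have to handle when pointed at the compat tree as Sumit suggests. The LDIF text is constructed to look like ldapsearch output for a trust user (every value, including uidNumber and gidNumber, is made up); the assumption is that the compat plugin exposes the trusted user as a posixAccount entry under cn=users,cn=compat. The parser copes with LDIF comments, folded lines and base64 (`::`) values, returns None when no entry comes back (Henry's situation when he searched cn=accounts instead), and escapes the login before it is placed in a filter so that an application which builds the filter from a user-typed name cannot have its search rewritten.

```python
"""Look up a trust user's POSIX identity in the FreeIPA compat tree (added example)."""
import base64
import re

# Constructed sample of `ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain'
# 'uid=henry@ad.domain'` output. Values are invented for this example.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=domain> with scope subtree
# filter: uid=henry@ad.domain
# requesting: ALL
#

# henry@ad.domain, users, compat, ipa.domain
dn: uid=henry@ad.domain,cn=users,cn=compat,dc=ipa,dc=domain
objectClass: posixAccount
objectClass: top
uid: henry@ad.domain
cn: Henry Hofmann
uidNumber: 1234567890
gidNumber: 1234567890
gecos:: SGVucnkgSG9mbWFubg==
homeDirectory: /home/ad.domain/henry
loginShell: /bin/sh

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
REQUIRED = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} entries.

    Comment lines are skipped, entries are separated by blank lines, and the
    trailing 'search:/result:' block is dropped because it carries no dn.
    """
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line:
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    return entries


def compat_user(ldif_text, login):
    """Return the POSIX view of `login` from compat-tree output, or None.

    None is the failure mode from the thread: the AD user has no entry of its
    own in IPA, so only the compat tree can answer for it. An entry that is
    present but lacks a POSIX attribute is reported rather than half-used.
    """
    for entry in parse_ldif(ldif_text):
        if "posixAccount" in entry.get("objectClass", []) and login in entry.get("uid", []):
            missing = [a for a in REQUIRED if a not in entry]
            if missing:
                raise ValueError(f"{login}: entry lacks {missing}")
            return {a: entry[a][0] for a in ("dn", "uid", "cn") + REQUIRED}
    return None


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a user-supplied login cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def compat_search_argv(base, login):
    """Build the argv for Sumit's one-liner with the login safely escaped."""
    return ["ldapsearch", "-x", "-b", base, f"(uid={ldap_filter_escape(login)})"]


if __name__ == "__main__":
    print(compat_search_argv("cn=compat,dc=ipa,dc=domain", "henry@ad.domain"))
    print(compat_user(SAMPLE_LDIF, "henry@ad.domain"))
```

Feeding real output into `compat_user` means running `compat_search_argv(...)` with `subprocess.run(..., capture_output=True, text=True)` and passing `.stdout`; the gecos value is included only to show that base64 attributes decode cleanly, since names with non-ASCII characters come back that way.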