> > > It should be possible, yes - if you target web service/Red Mine to the 
> > > compat tree, as it was done for example in this integration:
> >
> > > http://www.freeipa.org/page/HowTo/vsphere5_integration
> > Thanks, your expression is very helpful for nested group memberships.
> 
> But maybe I expressed myself wrong. We need to log on with a user from Active 
> Directory (like henry) over a trust with the IPA domain. But in the IPA 
> domain there isn't a user named henry. Only a reference in the group 
> "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.
>
> The user can be looked up in the compat tree, e.g.
>
> ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry@ad.domain'
>
> HTH
>
> bye,
> Sumit

Thanks, I am getting more and more information and am amazed by FreeIPA and 
its functionality.
I can successfully log in to Redmine and Cloud with users from the trust domain. 

I have added additional attributes to the user accounts, like "mail" etc. For the 
external trust users this is not possible. How can I get this additional 
information for the trust users?

Best regards,
Henry


-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com] 
Sent: Wednesday, 17 June 2015 10:36
To: Henry Hofmann
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Question for AD trust and Webservices

On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> > It should be possible, yes - if you target web service/Red Mine to the 
> > compat tree, as it was done for example in this integration:
> >
> > http://www.freeipa.org/page/HowTo/vsphere5_integration
> Thanks, your expression is very helpful for nested group memberships.
> 
> But maybe I expressed myself wrong. We need to log on with a user from Active 
> Directory (like henry) over a trust with the IPA domain. But in the IPA 
> domain there isn't a user named henry. Only a reference in the group 
> "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.

The user can be looked up in the compat tree, e.g.

ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' 'uid=henry@ad.domain'

HTH

bye,
Sumit

> 
> >
> > BTW, if Redmine is run by Apache, you can also leverage native 
> > Web<->SSSD<->FreeIPA/AD integration, following
> Our Redmine is running with a Ruby web server based on lock files, and in 
> front we use an nginx web proxy.
> 
> > http://www.freeipa.org/page/Web_App_Authentication
> >
> > Martin
> 
> 
> >> I understand this is for application which is using Kerberos.
> > No, it is not only for that.
> 
> >> I have some web applications like "redmine" and "owncloud" which 
> >> have their own user management. They need to be configured for LDAP to 
> >> grant authorizations without Kerberos. And not all of them use 
> >> apache or tomcat as application server.
> > For OwnCloud use
> > https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
> > and read a backstory in 
> > https://github.com/owncloud/core/issues/10130
> >
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't 
> > need to include the user which runs redmine into shadow group with FreeIPA 
> > because user accounts are never in /etc/shadow for FreeIPA so you don't 
> > need that access.
> >
> What do you mean by "You don't need to include the user which runs Redmine 
> into shadow group with FreeIPA because user accounts are never in 
> /etc/shadow for FreeIPA so you don't need that access"?
> Normally we create users and groups in FreeIPA and add the users to the groups. 
> Currently we sync the users and groups to Redmine and grant the permission 
> roles (Developer or Manager) to the groups. In this scenario I can remotely 
> manage the grants for users in every web server that we use.
> 
> > Both these methods rely on PAM authentication which is powered by SSSD.
> >
> > --
> > / Alexander Bokovoy
> 
> Thanks for your help.
> Henry
