Thanks Alexander, that got me past that error. I created the sysaccount and I can bind successfully, but in accordance with the documentation, it doesn't have rights to modify other users:
Unexpected error while testing ldap test user LDAP ⇨ LDAP Directories ⇨ default ⇨ LDAP Test User, error: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=test.user,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com'. ]

This LDAP Proxy User will try to do the following things to the LDAP Test User:

"The following functionality (if enabled) will be tested using the test user account.
  Authentication
  Password policy reading
  Set password
  Set challenge/responses
  Load challenge/responses"

What is best practice here, should I grant more privileges to the sysaccount (how?), or should I create a 'regular' user in the UI/through the ipa cli and grant the necessary roles there?

On 20 April 2016 at 17:39, Alexander Bokovoy <[email protected]> wrote:

> On Wed, 20 Apr 2016, Tiemen Ruiten wrote:
>
>> Hello,
>>
>> I'm trying to set up a self-service page for a new IPA domain and I'm
>> trying to use PWM for that.
>>
>> When I try to bind to FreeIPA from within PWM, with the configured "LDAP
>> Proxy User", I get the following error:
>>
>> error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
>> unable to create connection: unable to bind to ldaps://polonium.ipa.rdmedia.com:636 as
>> cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
>> [LDAP: error code 48 - Inappropriate Authentication]
>>
> You are trying to bind as a group, not as a user. Group has no
> passwords.
>
> You need to have a user object or just a sysaccount to bind to LDAP.
> See http://www.freeipa.org/page/HowTo/LDAP#System_Accounts for
> sysaccounts.
>
>
>> In /var/log/krb5kdc.log I see:
>>
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>>
> Kerberos is completely unrelated here.
>
>
>> What is going on? What can I do to debug this more?
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy

--
Tiemen Ruiten
Systems Engineer
R&D Media
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
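One way to give the sysaccount exactly the right that the error-50 message above says it lacks (write on userPassword under cn=users), shown as an added example that is not part of this thread and not FreeIPA's own tooling. The suffix, host and test-user DN are the ones in the thread; the sysaccount name svcpwmproxy, the ACI name and the placeholder passwords are assumptions made here. The top-level run only prints the LDIF; `apply` and `verify` need a live server and openldap-clients:

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA itself.
# Creates a FreeIPA system account for PWM's "LDAP Proxy User" and grants
# it write on userPassword under cn=users, the one right denied in the
# error-50 message.  Assumptions: suffix, host and test user come from the
# thread; the sysaccount name "svcpwmproxy" and the ACI name are made up.
set -eu

SUFFIX="dc=ipa,dc=rdmedia,dc=com"
HOST="ldaps://polonium.ipa.rdmedia.com:636"
DM="cn=Directory Manager"
PROXY_DN="uid=svcpwmproxy,cn=sysaccounts,cn=etc,${SUFFIX}"
TEST_USER_DN="uid=test.user,cn=users,cn=accounts,${SUFFIX}"

# The sysaccount entry, shaped like the one on the FreeIPA HowTo/LDAP page:
# an entry with a userPassword, kept under cn=etc so it is not an IPA user
# and gets no Kerberos principal.  A group under cn=groups carries no
# userPassword, which is why binding as one fails with error 48.
sysaccount_ldif() {
    cat <<EOF
dn: ${PROXY_DN}
changetype: add
objectClass: account
objectClass: simplesecurityobject
uid: svcpwmproxy
userPassword: $1
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# One ACI on the users container, scoped to userPassword only, so the proxy
# can reset passwords but cannot touch anything else on user entries.
userpassword_aci_ldif() {
    cat <<EOF
dn: cn=users,cn=accounts,${SUFFIX}
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "pwm proxy may set user passwords"; allow (write) userdn = "ldap:///${PROXY_DN}";)
EOF
}

# FreeIPA's password plugin marks a password set by anyone other than the
# user as expired, so the user is forced to change it again at next login.
# DNs listed in passSyncManagersDNs (the attribute FreeIPA's PassSync setup
# uses) are exempt; add the proxy there if PWM resets must not force that.
passsync_manager_ldif() {
    cat <<EOF
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: ${PROXY_DN}
EOF
}

# The same operation PWM performs on the test user: a plain modify of
# userPassword while bound as the proxy.  Before the ACI is in place this
# is the error-50 failure from the thread; afterwards it succeeds.
test_user_reset_ldif() {
    cat <<EOF
dn: ${TEST_USER_DN}
changetype: modify
replace: userPassword
userPassword: $1
EOF
}

apply() {   # apply <proxy-password>; prompts for the Directory Manager password
    sysaccount_ldif "$1"  | ldapmodify -x -H "$HOST" -D "$DM" -W
    userpassword_aci_ldif | ldapmodify -x -H "$HOST" -D "$DM" -W
    passsync_manager_ldif | ldapmodify -x -H "$HOST" -D "$DM" -W
}

verify() {  # verify <new-test-user-password>; prompts for the proxy password twice
    ldapwhoami -x -H "$HOST" -D "$PROXY_DN" -W     # expect dn:uid=svcpwmproxy,cn=sysaccounts,...
    test_user_reset_ldif "$1" | ldapmodify -x -H "$HOST" -D "$PROXY_DN" -W
}

case "${1:-}" in
    apply)  apply "$2" ;;
    verify) verify "$2" ;;
    *)      sysaccount_ldif '<proxy-password>'; userpassword_aci_ldif; passsync_manager_ldif ;;
esac
```

The ACI is added directly on the container, so `ipa permission-find` will not list it; that is the trade-off against the other option raised above (a regular IPA user carrying a role), which stays visible to the `ipa permission`/`ipa role` tooling but is a Kerberos principal with a password policy of its own.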
