Alexander Skwar wrote:
Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden <>:

Alexander Skwar wrote:

The WAF would then send username and password to FreeIPA (using LDAP)
and would need to get back, whether the combination was good or not.

Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
know of some good howtos or links? Any gotchas, that we'd need to be
aware of?

Yes it's possible, see

I created the user uid=system as shown in the howto. But my appliance
is having issues (so to say). I'm getting errors like this one:

2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
[USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
internal state! Reason:
/ cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://
/ javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$]
exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
     at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(

Important parts here:

- javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]

I suppose, the "tech" user doesn't have the sufficient rights.

Is your user "tech?" It doesn't appear to be though this logging leaves much to be desired.

LDAP err 48 means a bind was tried using a bad mechanism, like trying to do a simple bind when stronger auth is required, for example. Or you try to bind with a user that has no password.

What is confusing to me is that the DN doesn't include uid=system, so it may be a configuration error on your part.

In the Howto, it says:

Note: IPA 4.0 is going to change the default stance on data from
nearly everything is readable to nothing is readable, by default. You
will eventually need to add some Access Control Instructions (ACI's)
to grant read access to the parts of the LDAP tree you will need.

What would be good ACIs to grant read access to
cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

This is not the problem.


Thanks again,


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to