Alexander Bokovoy wrote: > On la, 11 helmi 2017, Michael Ströder wrote: >> Harald Dunkel wrote: >>> On 02/10/17 15:07, Tomasz Torcz wrote: >>>> On Fri, Feb 10, 2017 at 02:03:48PM +0100, Harald Dunkel wrote: >>>>> did anybody succeed in using Freeipa for Jenkins' LDAP module? >>>>> I can't make it work :-(. >>>> >>>> I'm using Jenkins with FreeIPA, but not with Jenkins's LDAP. >>>> I have Jenkins set to PAM authentication, which in turn goes thru SSSD. >>>> It works fine, groups are resolved correctly, too. >>> >>> Thats plan B. Its good to know that this works, but I >>> don't give up that easy. >> >> Jenkins' LDAP integration is pretty good and flexible. I made it work with >> various >> LDAP servers in customer projects. I did not have do that with FreeIPA yet >> but I'd >> be very surprised if it doesn't work. >> >> (Personally I'd avoid going through PAM.) > > Any specific reason for not using pam_sss?
At the end it's a matter of personal taste. In my deployments PAM logins have most times nothing to do with the services running on a host which might even use a completely different LDAP service. > Remember, with SSSD involved you get also authentication for trusted users > from Active > Directory realms. You don't get that with generic LDAP way. This might be a use-case for which to prefer going through pam_sss. As usual your mileage may vary. But we both know next to nothing about the original posters infrastructure. > Also, you'd be more efficient in terms of utilising LDAP connections. Hmm, IMHO this depends very much on the client software used. Modern Java software has decent LDAP connection pooling. Ciao, Michael. (not a Java fan though)
Description: S/MIME Cryptographic Signature
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project