On pe, 24 maalis 2017, Maciej Drobniuch wrote:
Hi All,

I'm trying to integrate Freeipa with jenkins and ldap auth plugin.

The thing with the Freeipa LDAP server is:
* Only Directory Manager can read userPassword field (not sure yet how to
create a sysaccount which can read the field. ldifs are welcome ;)
This is absolutely not needed. You should configure Jenkins to perform
LDAP bind with user password against IPA LDAP server, that's all. This
is supported by acegi security framework that Jenkins LDAP plugin is
using. For example,
https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/resources/hudson/security/LDAPBindSecurityRealm.groovy
actually uses
org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2 which
does support normal LDAP bind.

I think it is, in fact, a default setup for Jenkins LDAP auth plugin, so
you actually needed to do something to disable this path.


* The userPassword field contains the password in salted SHA (SSHA) format.
From what I've observed the standard LDAP auth functions do not do the SSHA
or any other type of calculations. The password is compared to the plain
text that's usually(in a typical OpenLDAP server) stored in the
userPassword field(correct me if I'm wrong)
* I've managed to integrate CACTI with freeipa by base64 decoding the
userPassword field then calculating the salted hash and comparing to the
userPassword field. (php code modification was required).
* I think the only way is to modify the jenkins LDAP plugin (?).

The problem:
* I don't want to use sssd PAM because we have OTP enabled and that would
annoy users(?) additionally it's causing some unidentified build issues
BTW> Can I disable OTP per server?
* I can not integrate Kerberos/GSSAPI/SPNEGO because the PCs are not
connected to the principal(no control over them yet)
* I want simple LDAP auth ;-)
So use simple LDAP bind.


Ideas & suggestions are welcome!

M.

On Sat, Feb 11, 2017 at 4:28 PM, Michael Ströder <mich...@stroeder.com>
wrote:

Alexander Bokovoy wrote:
> On la, 11 helmi 2017, Michael Ströder wrote:
>> Alexander Bokovoy wrote:
>>> On la, 11 helmi 2017, Harald Dunkel wrote:
>>>> On 02/11/17 11:57, Alexander Bokovoy wrote:
>>>>> On la, 11 helmi 2017, Michael Ströder wrote:
>>>>>>
>>>>>> (Personally I'd avoid going through PAM.)
>>>>> Any specific reason for not using pam_sss? Remember, with SSSD
involved
>>>>> you get also authentication for trusted users from Active Directory
>>>>> realms. You don't get that with generic LDAP way. Also, you'd be more
>>>>> efficient in terms of utilising LDAP connections.
>>>>>
>>>>
>>>> I would prefer if the users are not allowed to login into a
>>>> shell on the Jenkins server. Surely this restriction can be
>>>> implemented with pam as well.
>>>
>>> Yes, you can use HBAC rules to prevent them from access to the host.
>>
>> But this introduces a hard dependency on host system administration
which I personally
>> always try to avoid.
>>
>> As said: Your mileage may vary.
>
> So we are talking about FreeIPA and a system enrolled to FreeIPA. This
> system is already managed in FreeIPA.

Please don't get me wrong. Of course I assume that the original poster
wants to integrate
Jenkins with FreeIPA and make use of users and their group membership
already maintained
therein.

Let's further assume that the service (here Jenkins) might be operated by
another team
than the system - not so unusual case at my customers' sites - relying on
defining HBAC
rules for the system's sssd might not be feasible.

> Your mileage may vary, indeed, but I'd rather re-use what is available
> to you than implement a parallel infrastructure, including reliability
> aspects.

Of course we both agree on the benefits of using what's already available.

> Anyway, I think we are distancing away from the original topic.

Especially since we both can only make rough assumptions about
requirements and
operational constraints of the original poster.

Ciao, Michael.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to