I am setting up LDAP authentication with a remote service. On
https://www.freeipa.org/page/HowTo/LDAP it says the following:

"Do not use the Directory Manager account to authenticate remote
services to the IPA LDAP server. Use a system account, created like

I followed the steps there to create an entry under sysaccounts, and
confirmed it is there using ldapsearch:

ldapsearch -D 'cn=Directory Manager' -W -H ldap://ipa01.example.com -x

# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: [hash value]

This new user is unable to run LDAP searches though:
ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The new user is also unable to authenticate the remote service. (The
Directory Manager user is able to authenticate the remote service,
although as pointed out above, that's not a good idea.)

The How-To LDAP page also notes:
"IPA 4.0 is going to change the default stance on data from nearly
everything is readable to nothing is readable, by default. You will
eventually need to add some Access Control Instructions (ACI's) to
grant read access to the parts of the LDAP tree you will need."

I'm not sure if that's part of the issue or not. I'm using IPA version
4.4.0. Thanks in advance for any suggestions.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to