Re: [Freeipa-users] creating an LDAP bind user

2017-04-26 Thread Chris Herdt
Thanks Jason, that was exactly the issue! It's working now.

On Wed, Apr 26, 2017 at 4:11 PM, Jason B. Nance  wrote:
> Hi Chris,
>
>> # remoteu, sysaccounts, etc, example.com
>> dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
>> objectClass: account
>> objectClass: simplesecurityobject
>> objectClass: top
>> uid: remoteu
>> userPassword:: [hash value]
>>
>> This new user is unable to run LDAP searches though:
>> ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>
> Your DN (-D) is incorrect in your ldapsearch call.  It needs to match the 
> part after the "dn:" string you provided in your query of the user above 
> (uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com).
>
> In some cases you can shorten the DN but only if your suffix/basedn is set 
> correctly for the client making the call.
>
> Regards,
>
> j



-- 
Chris Herdt
UIS Systems Administrator
che...@umn.edu
612-301-2232 (office)
734-754-3585 (mobile)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] creating an LDAP bind user

2017-04-26 Thread Jason B. Nance
Hi Chris,

> # remoteu, sysaccounts, etc, example.com
> dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
> objectClass: account
> objectClass: simplesecurityobject
> objectClass: top
> uid: remoteu
> userPassword:: [hash value]
> 
> This new user is unable to run LDAP searches though:
> ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

Your DN (-D) is incorrect in your ldapsearch call.  It needs to match the part 
after the "dn:" string you provided in your query of the user above 
(uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com).

In some cases you can shorten the DN but only if your suffix/basedn is set 
correctly for the client making the call.

Regards,

j



[Freeipa-users] creating an LDAP bind user

2017-04-26 Thread Chris Herdt
I am setting up LDAP authentication with a remote service. On
https://www.freeipa.org/page/HowTo/LDAP it says the following:

"Do not use the Directory Manager account to authenticate remote
services to the IPA LDAP server. Use a system account, created like
this:"

I followed the steps there to create an entry under sysaccounts, and
confirmed it is there using ldapsearch:

ldapsearch -D 'cn=Directory Manager' -W -H ldap://ipa01.example.com -x
uid=remoteu

# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: [hash value]

This new user is unable to run LDAP searches though:
ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The new user is also unable to authenticate the remote service. (The
Directory Manager user is able to authenticate the remote service,
although as pointed out above, that's not a good idea.)

The How-To LDAP page also notes:
"IPA 4.0 is going to change the default stance on data from nearly
everything is readable to nothing is readable, by default. You will
eventually need to add some Access Control Instructions (ACI's) to
grant read access to the parts of the LDAP tree you will need."

I'm not sure if that's part of the issue or not. I'm using IPA version
4.4.0. Thanks in advance for any suggestions.

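Added example for the question above and Jason's answer to it; this is not code from the thread or from the FreeIPA project. It parses the ldapsearch output Chris posted (reproduced here as a constructed sample, with a made-up base64 placeholder in place of the real userPassword hash), pulls the entry's full DN out of it, and checks a proposed `-D` value against that DN with RFC 4514 style normalisation, which is how the server decides whether a bind DN names an existing entry. The server answers a simple bind to a DN that does not exist with the same `Invalid credentials (49)` it gives for a wrong password, so the mismatch is only visible client-side. The base DN `dc=example,dc=com` and the URI are taken from the thread; the filter is written as `(uid=remoteu)`, which is the same filter ldapsearch applied when given the bare `uid=remoteu`. The ldapsearch command line is built and printed, not executed, so the script runs offline on the Python standard library alone.

```python
"""Why `-D 'cn=remoteu'` fails with err=49: the bind DN must be the entry's
full DN. Added example (not from the thread or FreeIPA); stdlib only.
"""
import base64
import shlex

# Constructed sample: the sysaccount entry as ldapsearch printed it in the
# thread. The userPassword value is a made-up base64 placeholder, not a hash.
SAMPLE_LDIF = """\
# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles comment lines, folded continuation lines (leading space) and the
    `attr:: <base64>` form ldapsearch uses for binary or non-ASCII values such
    as userPassword (a double colon means base64, not an empty value).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # RFC 2849 line folding
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def normalize_dn(dn):
    """Split a DN into RDNs on unescaped commas, lower-case types and values,
    trim whitespace. Lower-casing values is safe here because uid, cn and dc
    all use case-insensitive matching rules in the IPA directory.
    """
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    return tuple(
        (attr.strip().lower(), value.strip().lower())
        for attr, _, value in (rdn.strip().partition("=") for rdn in rdns)
    )


def dn_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)


def check_bind_dn(bind_dn, entry):
    """Return (ok, message) for a proposed `-D` value against the entry.
    The directory reports a nonexistent bind DN as err=49, the same as a wrong
    password, so this client-side comparison is where the mistake shows up.
    """
    entry_dn = entry["dn"][0]
    if dn_equal(bind_dn, entry_dn):
        return True, "bind DN matches the entry DN"
    return False, "bind DN %r is not the entry DN %r" % (bind_dn, entry_dn)


def ldapsearch_command(uri, bind_dn, base_dn, ldap_filter):
    """Build the ldapsearch command line with an explicit bind DN (-D) and
    search base (-b), so it does not depend on the client's ldap.conf BASE.
    Arguments are shell-quoted; DNs with spaces ('cn=Directory Manager') need it.
    """
    argv = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", base_dn, ldap_filter]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for candidate in ("cn=remoteu", entry["dn"][0]):
        ok, msg = check_bind_dn(candidate, entry)
        print("%-4s %s" % ("OK" if ok else "FAIL", msg))
    print(ldapsearch_command("ldap://ipa01.example.com", entry["dn"][0],
                             "dc=example,dc=com", "(uid=remoteu)"))
```

Run it as-is and the first candidate, `cn=remoteu`, is reported as not matching the entry DN while the full `uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com` passes; the printed ldapsearch line is the one to paste into the shell, with `-W` prompting for the system account's password.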