[Freeipa-users] Re: LDAP account for service

2019-01-29 Thread Ian Pilcher via FreeIPA-users

On 1/29/19 12:23 PM, Rob Crittenden wrote:

> So what I think you'll have to do is create a separate LDAP system
> account, details are in the LDAP howto on freeipa.org.

I stumbled across that sometime in the bleary hours of this morning.
Good to know that I was barking up the right tree.

> And you'll need to do a bit of manual work to allow this system account
> read access to the membership info. You can do this by using ldapmodify
> to add memberof:  for the permission (or permissions) you
> need to grant it.


For whatever reason, I didn't need to do anything special.  It "just
worked" once I created the account.

# ldapsearch -x -D uid=radiusd,cn=sysaccounts,cn=etc,dc=example,dc=com \
-W -b cn=users,cn=accounts,dc=example,dc=com '(uid=test)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (uid=test)
# requesting: ALL
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20290126192822Z
krbLastPwdChange: 20190129192822Z
displayName: Test User
uid: test
krbCanonicalName: t...@example.com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: TU
gecos: Test User
sn: User
homeDirectory: /home/test
mail: t...@example.com
krbPrincipalName: t...@example.com
givenName: Test
cn: Test User
ipaUniqueID: fde5c420-23fb-11e9-bed0-00224db7a139
uidNumber: 178527
gidNumber: 178527

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--

Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: LDAP account for service

2019-01-29 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote:
> Continuing my adventures with FreeRADIUS ...
> 
> It seems that there's no escaping the need to create a dedicated LDAP
> user for FreeRADIUS, so that it can see group membership information.
> 
> I've already created a FreeIPA service -
> radius/ipa.example@example.com - so that I could issue a certificate
> for PEAP and monitor it with certmonger.  (Yes, FreeRADIUS is running on
> the same server as FreeIPA.)
> 
> Is it possible to somehow create a "service user" associated with this
> service that FreeRADIUS can use as an LDAP login?
> 
> Thanks!
> 

You can't use the Kerberos service to store a password because it lacks
the attributes to store it. You could potentially use a keytab but I
somehow doubt that GSSAPI auth is available.

So what I think you'll have to do is create a separate LDAP system
account, details are in the LDAP howto on freeipa.org.

And you'll need to do a bit of manual work to allow this system account
read access to the membership info. You can do this by using ldapmodify
to add memberof:  for the permission (or permissions) you
need to grant it.

rob
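As an added example, not code from the thread or from FreeIPA itself: the LDIF for the kind of system account Rob points to (the cn=sysaccounts,cn=etc layout described in the freeipa.org LDAP howto), plus a small parser for ldapsearch LDIF output like Ian's that pulls out the memberOf groups a RADIUS server needs to be able to read. The base DN, the radiusd uid and the placeholder password are assumptions; the sample search output is constructed from the result quoted above.

```python
import re
from collections import defaultdict

BASE_DN = "dc=example,dc=com"  # assumption: the suffix used in the thread

def system_account_ldif(uid, password, base_dn=BASE_DN):
    """LDIF adding a bind-only system account under cn=sysaccounts,cn=etc,
    the layout the freeipa.org LDAP howto uses (password is a placeholder)."""
    return (f"dn: uid={uid},cn=sysaccounts,cn=etc,{base_dn}\n"
            "changetype: add\nobjectClass: account\n"
            "objectClass: simplesecurityobject\n"
            f"uid: {uid}\nuserPassword: {password}\n"
            "passwordExpirationTime: 20380119031407Z\nnsIdleTimeout: 0\n")

def parse_ldif_entries(text):
    """Parse ldapsearch LDIF output into [{attr: [values]}]: unfold leading-space
    continuations, skip '#' comments, drop dn-less trailer records (search:/result:)."""
    entries, current = [], defaultdict(list)
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(dict(current))
            current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")  # base64 '::' values left undecoded
        current[attr.strip()].append(value.strip())
    return entries

def member_of_groups(entry):
    """cn of every group in memberOf, the attribute the bind account must be able to read."""
    groups = set()
    for attr, values in entry.items():
        if attr.lower() == "memberof":
            for dn in values:
                rdn = dn.split(",", 1)[0]
                if rdn.lower().startswith("cn="):
                    groups.add(rdn[3:])
    return groups

# Constructed sample, trimmed from the search output quoted in the thread.
SAMPLE_SEARCH = """\
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com

# search result
result: 0 Success
"""
```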