[Freeipa-users] Re: External Application Authentication Against FreeIPA LDAP Not Working

2017-08-01 Thread bdlamprecht--- via FreeIPA-users
Yes, this information helped.

In summary, I needed to create a "Service Account" that my application could 
bind to.
I'm not sure why as it was able to BIND just fine using my credentials, but 
that is not a question for this group.

It took some trial and error to get it to work correctly, but I was finally 
able to get it to function properly.
I'm grateful for the assistance.

Thanks again,
Brady
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: External Application Authentication Against FreeIPA LDAP Not Working

2017-08-01 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/01/2017 12:54 AM, bdlamprecht--- via FreeIPA-users wrote:

I've been trying to get this to work for a few days now all to no avail...

I've been running "FreeIPA, version: 4.3.1" for a few months now to authenticate 
a number of VMs that I grew tired of managing permissions on an individual basis, and so 
far have been very pleased.
Now, I'm attempting to use the LDAP functionality to authenticate an external 
application against it.
I've been able to get the basic auth to work well, however, I can't seem to get 
the group permissions to work at all.

From my FreeIPA server's "/var/log/dirsrv/slapd/access.log":

Without group permissions (working):

[31/Jul/2017:16:21:07 -0600] conn=6138 fd=121 slot=121 SSL connection from 
9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:21:07 -0600] conn=6138 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 BIND 
dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 RESULT err=0 tag=97 nentries=0 etime=0 
dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 RESULT err=0 tag=97 nentries=0 etime=0 
dn=""
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 SRCH 
base="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" scope=0 
filter="(objectClass=*)" attrs=ALL
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 RESULT err=0 tag=101 nentries=1 
etime=0
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 UNBIND
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 fd=121 closed - U1

Using group permissions (NOT working):

[31/Jul/2017:16:32:54 -0600] conn=6162 fd=126 slot=126 SSL connection from 
9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:32:54 -0600] conn=6162 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND 
dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 
dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 
dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP 
dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" attr="member"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 
etime=0
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 UNBIND
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 fd=126 closed - U1

In the 2nd example above the "op=2 RESULT err=50" indicates that 
"LDAP_INSUFFICIENT_ACCESS" is what is being returned, but when I do the following 
"ldapsearch" command:

ldapsearch -D "uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" -W 
uid=bl839s
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: uid=bl839s
# requesting: ALL
#

# bl839s, users, accounts, coc.ibm.com
dn: uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com
krbLastSuccessfulAuth: 20170731223600Z
memberOf: cn=admins,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com
---SNIP---
memberOf: cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com
---SNIP---

I can see that I AM a "member" of the 
dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" group.
That being said, when I try to search for members of the group directly, I get 
a similar error:

root@ipa1:~# ldapsearch -D 
"cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" -W uid=bl839s
Enter LDAP Password:
ldap_bind: Inappropriate authentication (48)


Hi,

1/ the above command is trying to perform a BIND as cn=netbox-users then 
a search using the default search base with a filter uid=bl839s. I 
believe you want rather to perform a search using cn=netbox-users as 
search base, in this case the command would be:


ldapsearch -D "uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" -W 
-b "cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com"


2/ the logs you provided suggest that your application is first binding 
as uid=bl839s, then binding anonymously (BIND dn=""), then performing an 
ldapcompare on cn=netbox-users. The anonymous user may be lacking the 
privileges to perform ldap compare on cn=netbox-users.


You can either check if your application can be configured to perform 
the compare with a specific user instead of anonymous user, or add 
proper ACIs.


Flo



I would appreciate any help I can get in understanding what I don't have 
configured properly.

Thanks in advance,
Brady


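The diagnosis in the reply above (a successful user BIND, then an anonymous re-BIND, then a CMP that fails with err=50) can be checked mechanically against the 389-ds access log rather than by eye. The following is an added example, not code from the thread or from the FreeIPA project: it tracks, per connection, which DN the connection is currently bound as, then reports any operation that came back with LDAP_INSUFFICIENT_ACCESS (err=50) together with the identity in effect at that moment. The sample log is the two connections Brady posted, rejoined onto single lines; the regexes, `Finding` class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two connections quoted in the thread, one line per log entry.
SAMPLE_LOG = """\
[31/Jul/2017:16:21:07 -0600] conn=6138 fd=121 slot=121 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:21:07 -0600] conn=6138 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 SRCH base="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 UNBIND
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 fd=121 closed - U1
[31/Jul/2017:16:32:54 -0600] conn=6162 fd=126 slot=126 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:32:54 -0600] conn=6162 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" attr="member"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 etime=0
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 UNBIND
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 fd=126 closed - U1
"""

# Line shapes seen in the 389-ds access log; only lines carrying op=N describe an operation.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')
OPER_RE = re.compile(r'^(?P<kind>SRCH|CMP|MOD|ADD|DEL|MODRDN) (?:base|dn)="(?P<target>[^"]*)"')

LDAP_INSUFFICIENT_ACCESS = 50   # err value seen on the failing CMP in the thread
BIND_RESPONSE_TAG = 97          # tag=97 marks the RESULT of a BIND


@dataclass
class Finding:
    conn: str
    op: str
    kind: str
    target: str
    bound_as: str   # "" means the connection was anonymous at that point
    err: int


def analyze_access_log(text: str) -> List[Finding]:
    """Return every operation denied with err=50, annotated with the bind identity in effect."""
    identity: Dict[str, str] = {}                       # conn -> DN after last successful BIND
    pending_bind: Dict[Tuple[str, str], str] = {}       # (conn, op) -> DN a BIND asked for
    pending_op: Dict[Tuple[str, str], Tuple[str, str, str]] = {}  # (conn, op) -> (kind, target, bound_as)
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("op") is None:
            continue                                    # open/close/TLS lines carry no op
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        key = (conn, op)
        b = BIND_RE.match(rest)
        if b:
            pending_bind[key] = b.group("dn")           # identity changes only once RESULT err=0 arrives
            continue
        o = OPER_RE.match(rest)
        if o:
            # A fresh connection is anonymous until a BIND succeeds, hence the "" default.
            pending_op[key] = (o.group("kind"), o.group("target"), identity.get(conn, ""))
            continue
        r = RESULT_RE.match(rest)
        if r:
            err, tag = int(r.group("err")), int(r.group("tag"))
            if key in pending_bind:
                if err == 0 and tag == BIND_RESPONSE_TAG:
                    identity[conn] = pending_bind[key]  # an anonymous re-BIND sets this to ""
                del pending_bind[key]
            elif key in pending_op:
                kind, target, bound_as = pending_op.pop(key)
                if err == LDAP_INSUFFICIENT_ACCESS:
                    findings.append(Finding(conn, op, kind, target, bound_as, err))
    return findings


def describe(f: Finding) -> str:
    who = f.bound_as or "<anonymous>"
    return f"conn={f.conn} op={f.op}: {f.kind} on {f.target} denied (err={f.err}) while bound as {who}"


if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_LOG):
        print(describe(finding))
```

Run against the sample, the only report is the CMP on cn=netbox-users in conn=6162, attributed to an anonymous bind, which is exactly the mismatch the reply points at: the application authenticated as uid=bl839s but did not use that identity for the group check. Pointed at a real access.log, the same logic separates "the user lacks an ACI" from "the application dropped its credentials before asking", which decides whether the fix is a dedicated bind account (as Brady ended up doing) or an ACI change.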