Re: [Freeipa-users] LDAP only seems to allow anonymous access

2016-08-29 Thread Harry Kashouli
Sorry, I missed adding the mailing list, added now.

Ah, I'll bear that in mind about authentication prior to 4.4. I have 4.3.1
on Fedora 24 right now. I'm using anonymous authentication for now, for my
various situations such as Jira/etc, and it seems to work, and I'll try
again in 4.4 with various GUI apps.

Thanks again for all the help!

-Harry

On 29 August 2016 at 01:59, Alexander Bokovoy  wrote:

> Again, don't answer to me directly, use freeipa-users@ mailing list.
>
> On Mon, 29 Aug 2016, Harry Kashouli wrote:
>
>> Fixed it, and now it looks like I actually get a successful result, and it
>> gives me info on the account. Thanks, I should've guessed that I needed to
>> replace $REALM.
>>
>> Now, even though this works, if I try to connect via a GUI such as LDAP
>> Admin, I can only connect to the database if I use "Simple
>> Authentication",
>> and anonymous. If I switch it to GSS-API and add the admin user, I get an
>> error as follows:
>> "LDAP error! Invalid credentials: SASL(-13): authentication failure:
>> GSSAPI Failure: gss_accept_sec_context"
>>
>> I've tried using the following two options as base, but still no success:
>> - dc=outland,dc=zsazouli,dc=com
>> - cn=users,cn=accounts,dc=outland,dc=zsazouli,dc=com
>>
> I don't think it is related to the choice of the base here. You need to
> look into details of your GUI application. 'LDAP Admin' app is running
> on Windows and I don't think it is going to use IPA's credentials -- it
> is rather using Active Directory user's ones. However, we do not support
> GSSAPI authentication as an AD user to LDAP in versions before FreeIPA 4.4.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] LDAP only seems to allow anonymous access

2016-08-29 Thread Alexander Bokovoy

Don't answer directly, answer to the list.

On Mon, 29 Aug 2016, Harry Kashouli wrote:

> Gotcha, updated error below:
>
> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
> SASL/GSSAPI authentication started
> SASL username: ad...@outland.zsazouli.com
> SASL SSF: 56
> SASL data security layer installed.
> No such object (32)
>
> I know the user exists, cause I see the admin (and my other users) in the
> FreeIPA web UI, and kinit gives me a valid ticket

Did you replace $REALM above with the correct value? E.g.

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=outland,dc=zsazouli,dc=com uid=admin

As you can see in the SASL output, the GSSAPI negotiation happened
successfully; the "No such object (32)" answer is an LDAP return code which
is most likely due to a wrong base being used. If no object existed, you'd
get an empty successful result instead.

> -Harry
>
> On 29 August 2016 at 01:13, Alexander Bokovoy wrote:
>
>> On Mon, 29 Aug 2016, Harry Kashouli wrote:
>>
>>> This is the error I get:
>>>
>>> ldapsearch -LLL GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
>>> SASL/EXTERNAL authentication started
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>    additional info: SASL(-4): no mechanism available:
>>
>> You are using the wrong syntax. To specify the SASL mechanism, you need to use
>> the -Y option:
>>
>> ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
>>
>> --
>> / Alexander Bokovoy



--
/ Alexander Bokovoy



Re: [Freeipa-users] LDAP only seems to allow anonymous access

2016-08-29 Thread Alexander Bokovoy

On Mon, 29 Aug 2016, Harry Kashouli wrote:

> This is the error I get:
>
> ldapsearch -LLL GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>    additional info: SASL(-4): no mechanism available:

You are using the wrong syntax. To specify the SASL mechanism, you need to use
the -Y option:

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=admin


--
/ Alexander Bokovoy



Re: [Freeipa-users] LDAP only seems to allow anonymous access

2016-08-29 Thread Harry Kashouli
This is the error I get:

ldapsearch -LLL GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

-Harry

On 28 August 2016 at 08:01, Rob Crittenden  wrote:

> Harry Kashouli wrote:
>
>> Hi all,
>>
>> I can only seem to connect clients to my FreeIPA's LDAP if I use the
>> following:
>>   - Simple authentication
>>   - Anonymous login
>>
>> If I try to log in using any user credentials, it will not work. Are
>> both GSS-API and named logins not allowed by default?
>>
>
> Not sure what you mean by named logins but GSSAPI should work fine:
>
> $ kinit test
> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=test
> ...
>
> What error(s) are you seeing?
>
> rob
>
>

Re: [Freeipa-users] LDAP only seems to allow anonymous access

2016-08-28 Thread Rob Crittenden

Harry Kashouli wrote:

> Hi all,
>
> I can only seem to connect clients to my FreeIPA's LDAP if I use the
> following:
>   - Simple authentication
>   - Anonymous login
>
> If I try to log in using any user credentials, it will not work. Are
> both GSS-API and named logins not allowed by default?


Not sure what you mean by named logins but GSSAPI should work fine:

$ kinit test
$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=test
...

What error(s) are you seeing?

rob
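An added example, not code from the thread or from the FreeIPA project, pulling together the advice in Rob's and Alexander's replies: derive the base DN from the Kerberos realm so that $REALM never reaches the server unexpanded, refuse to bind with -Y GSSAPI when there is no ticket in the cache, and translate the LDAP result code that ldapsearch returns as its exit status (32 means the base DN does not exist, whereas a filter that matches nothing gives an empty result with exit status 0). The realm OUTLAND.ZSAZOULI.COM is the thread's own domain upper-cased, the usual FreeIPA layout; the function names and the choice to return 49 when no ticket is present are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Three small helpers around the
# advice given above: build the FreeIPA base DN from the realm, bind with
# GSSAPI only when a ticket exists, and explain ldapsearch's exit status.

# FreeIPA's LDAP suffix is the realm lower-cased as dc= components
# (assumes the usual realm == upper-cased DNS domain setup).
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# ldapsearch exits with the LDAP result code of the failing operation, so
# the number alone tells you which part went wrong.
explain_ldap_rc() {
    case "$1" in
        0)  echo "0: success. An empty result means bind and base DN are fine; the filter just matched nothing." ;;
        32) echo "32: noSuchObject. The base DN does not exist on the server; check -b (an unexpanded \$REALM gives exactly this)." ;;
        49) echo "49: invalidCredentials. The bind itself failed: no ticket, wrong mechanism or wrong password." ;;
        *)  echo "$1: LDAP result code $1; see ldap.h or the server's access log." ;;
    esac
}

# Authenticated search against the users container. Hypothetical helper, e.g.:
#   ipa_search OUTLAND.ZSAZOULI.COM uid=admin
ipa_search() {
    realm=$1
    shift
    basedn="cn=users,cn=accounts,$(realm_to_basedn "$realm")"
    # A GSSAPI bind needs an existing ticket (kinit admin); klist -s is
    # silent and exits non-zero when the cache holds no valid ticket.
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket in the cache; run: kinit admin" >&2
        return 49   # invalidCredentials reused for the caller; a choice made for this example
    fi
    # -Y GSSAPI is what selects the SASL mechanism; a bare "GSSAPI" argument,
    # as in the first attempt in the thread, is not an option at all and the
    # client falls back to whatever mechanism it can negotiate.
    ldapsearch -LLL -Y GSSAPI -b "$basedn" "$@"
    rc=$?
    explain_ldap_rc "$rc" >&2
    return "$rc"
}
```

Source the file and call ipa_search with the realm and a filter; the base DN derivation is the step the first attempts in the thread skipped, and the exit-status explanation distinguishes a wrong base (32) from a bind failure (49) and from a correct query that simply found nothing (0).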



[Freeipa-users] LDAP only seems to allow anonymous access

2016-08-28 Thread Harry Kashouli
Hi all,

I can only seem to connect clients to my FreeIPA's LDAP if I use the
following:
 - Simple authentication
 - Anonymous login

If I try to log in using any user credentials, it will not work. Are both
GSS-API and named logins not allowed by default?

Thanks,
-Harry