Re: [Freeipa-users] creating an LDAP bind user
Thanks Jason, that was exactly the issue! It's working now.

On Wed, Apr 26, 2017 at 4:11 PM, Jason B. Nance wrote:
> Hi Chris,
>
>> # remoteu, sysaccounts, etc, example.com
>> dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
>> objectClass: account
>> objectClass: simplesecurityobject
>> objectClass: top
>> uid: remoteu
>> userPassword:: [hash value]
>>
>> This new user is unable to run LDAP searches though:
>> ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>
> Your DN (-D) is incorrect in your ldapsearch call. It needs to match the
> part after the "dn:" string you provided in your query of the user above
> (uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com).
>
> In some cases you can shorten the DN but only if your suffix/basedn is set
> correctly for the client making the call.
>
> Regards,
>
> j

--
Chris Herdt
UIS Systems Administrator
che...@umn.edu
612-301-2232 (office)
734-754-3585 (mobile)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] creating an LDAP bind user
Hi Chris,

> # remoteu, sysaccounts, etc, example.com
> dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
> objectClass: account
> objectClass: simplesecurityobject
> objectClass: top
> uid: remoteu
> userPassword:: [hash value]
>
> This new user is unable to run LDAP searches though:
> ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

Your DN (-D) is incorrect in your ldapsearch call. It needs to match the part after the "dn:" string you provided in your query of the user above (uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com).

In some cases you can shorten the DN but only if your suffix/basedn is set correctly for the client making the call.

Regards,

j
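A worked check for the mistake Jason identified, added here as an example; it is not code from the thread or from the FreeIPA project. It parses the ldapsearch output Chris quoted, takes the "dn:" line as the bind DN, and reports why a value such as 'cn=remoteu' cannot bind, including the shortened-DN case Jason mentions, where the client's configured base DN is appended. The host name and DNs are the ones in the thread; the LDIF reader, the function names and the base_dn parameter are my own assumptions, and nothing here contacts a server.

```python
"""Diagnose a wrong ldapsearch -D value against the entry's real DN.

Added example, not from the freeipa-users thread or FreeIPA itself.
"""
import re

# Constructed input: the ldapsearch output quoted in the thread. The
# password hash is elided there, so it is elided here too.
LDIF_OUTPUT = """\
# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: [hash value]
"""

# One RDN: attribute type, '=', a value without an unescaped comma.
DN_COMPONENT = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def parse_ldif_entries(text):
    """Minimal LDIF reader: list of dicts mapping attribute -> list of values.

    Skips '#' comments, splits entries on blank lines, unfolds lines that
    start with a single space (RFC 2849), and keeps '::' (base64) values as
    the raw text that follows the marker without decoding them.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # 'attr:: value' marks a base64 value
            value = value[1:]
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_dn(dn):
    """Split a DN into its RDN strings (no escaped-comma handling needed here)."""
    parts = [p.strip() for p in dn.split(",")]
    if not parts or not all(DN_COMPONENT.match(p) for p in parts):
        raise ValueError(f"not a DN: {dn!r}")
    return parts


def check_bind_dn(bind_dn, entry_dn, base_dn=None):
    """Return (ok, reason) for a proposed -D value.

    ok is True when bind_dn equals entry_dn (case-insensitive RDN compare)
    or when bind_dn is a relative DN that becomes entry_dn once base_dn,
    the client's configured suffix, is appended (Jason's shortened-DN case).
    """
    want = [p.lower() for p in parse_dn(entry_dn)]
    got = [p.lower() for p in parse_dn(bind_dn)]
    if got == want:
        return True, "bind DN matches the entry DN"
    if base_dn is not None and got + [p.lower() for p in parse_dn(base_dn)] == want:
        return True, "bind DN is relative to the configured base DN"
    got_attr, want_attr = got[0].split("=")[0], want[0].split("=")[0]
    if got_attr != want_attr:
        # The thread's error: 'cn=remoteu' for an entry whose RDN is uid=remoteu.
        return False, (f"first RDN uses attribute {got_attr!r} but the entry's "
                       f"RDN attribute is {want_attr!r}")
    return False, "bind DN is not the entry DN (and no base DN makes it one)"


def suggested_ldapsearch(entry_dn, host, ldap_filter):
    """Build the corrected ldapsearch invocation with the full bind DN."""
    return f"ldapsearch -x -D '{entry_dn}' -W -H ldap://{host} '{ldap_filter}'"


ENTRY_DN = parse_ldif_entries(LDIF_OUTPUT)[0]["dn"][0]

if __name__ == "__main__":
    for attempt in ("cn=remoteu", ENTRY_DN):
        ok, why = check_bind_dn(attempt, ENTRY_DN)
        print(f"-D {attempt!r}: {'OK' if ok else 'WRONG'} ({why})")
    print(suggested_ldapsearch(ENTRY_DN, "ipa01.example.com", "(uid=remoteu)"))
```

Running it reports the 'cn=remoteu' attempt as wrong because the entry's RDN attribute is uid, not cn, and prints the corrected command with the full sysaccount DN. A relative DN such as 'uid=remoteu,cn=sysaccounts,cn=etc' only passes when the base DN 'dc=example,dc=com' is supplied, which mirrors the suffix caveat in the reply.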
[Freeipa-users] creating an LDAP bind user
I am setting up LDAP authentication with a remote service. On https://www.freeipa.org/page/HowTo/LDAP it says the following:

"Do not use the Directory Manager account to authenticate remote services to the IPA LDAP server. Use a system account, created like this:"

I followed the steps there to create an entry under sysaccounts, and confirmed it is there using ldapsearch:

ldapsearch -D 'cn=Directory Manager' -W -H ldap://ipa01.example.com -x uid=remoteu

# remoteu, sysaccounts, etc, example.com
dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: remoteu
userPassword:: [hash value]

This new user is unable to run LDAP searches though:

ldapsearch -D 'cn=remoteu' -W -H ldap://ipa01.example.com -x uid=remoteu
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The new user is also unable to authenticate the remote service. (The Directory Manager user is able to authenticate the remote service, although as pointed out above, that's not a good idea.)

The How-To LDAP page also notes:

"IPA 4.0 is going to change the default stance on data from nearly everything is readable to nothing is readable, by default. You will eventually need to add some Access Control Instructions (ACI's) to grant read access to the parts of the LDAP tree you will need."

I'm not sure if that's part of the issue or not. I'm using IPA version 4.4.0.

Thanks in advance for any suggestions.