Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2015-03-17 Thread Dan
Thomas Raehalme thomas.raehalme@... writes:

 
> Hi,
>
> Previously we have used Atlassian Crowd as a source for user data in
> various applications, both in-house built and proprietary such as JIRA
> or Confluence. As we have deployed FreeIPA, I would like to start
> using it as the identity source. Unfortunately using Kerberos is not
> always possible so I am thinking about LDAP which often is an option
> in 3rd party applications.
>
> Anonymous access to the FreeIPA LDAP is enabled by default. Is it
> possible to configure username/password to access the information?
> Currently vSphere has a problem with anonymous access to LDAP not
> working as intended. Of course it would be nice to be able to restrict
> access anyways.
>
> If using FreeIPA LDAP as the identity source, how should
> authentication be handled? Is it possible to read the hash code for
> passwords? Is it possible to authenticate against the LDAP service?
>
> Any advice appreciated!
>
> Best regards,
> Thomas


Hi,

I have just successfully configured Confluence and JIRA to use FreeIPA for
their LDAP user directory.

First, create IPA user groups confluence-users and jira-users using
the IPA dashboard. Then add a user to both of these groups.

Navigate to the Confluence and JIRA dashboards, then in the User
Directories settings menu add a Generic Directory Server and use the
following settings:

Base DN:             You can find this in your IPA config.
Additional User DN:  cn=users,cn=accounts
Additional Group DN: cn=groups,cn=accounts
LDAP Permissions:    Read Only

Advanced Settings - Defaults are fine for this section

User Schema Settings
User Object Class:           inetorgperson
User Object Filter:          (objectclass=inetorgperson)
User Name Attribute:         uid
User Name RDN Attribute:     uid
User First Name Attribute:   givenName
User Last Name Attribute:    sn
User Display Name Attribute: displayName
User Email Attribute:        mail
User Password Attribute:     userPassword
User Password Encryption:    SHA
User Unique ID Attribute:    ipaUniqueID

Group Schema Settings
Group Object Class:  ipausergroup
Group Object Filter: (objectclass=ipausergroup)
Group Name Attribute: cn
Group Description:   description

Membership Schema Settings
Group Members Attribute:   member
User Membership Attribute: member (This is not used due to the next option)
Use the User Membership Attribute: (Ensure this is unchecked, it is not
supported)

Now save and test using the user who is in the groups created above.

Hope this helps someone.

Dan


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Thomas Raehalme
Hi!

On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:

> When using FreeIPA LDAP as an identity source, you could ideally use
> Kerberos/GSSAPI authentication. But if that is not available, you can use
> simple LDAP binds too. You cannot read the hash codes unless you are
> cn=Directory Manager (or unless you set ACI allowing that, but this is very
> insecure).

Could you please elaborate on using simple LDAP binds?

Thanks for the detailed example!

Best regards,
Thomas

-- 
Thomas Raehalme
CTO, Chief Technology Officer
Mobile +358 40 545 0605

Codecenter Oy
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

Codecenter - Information systems made understandable

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 03:54:59PM +0300, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
>
>> When using FreeIPA LDAP as an identity source, you could ideally use
>> Kerberos/GSSAPI authentication. But if that is not available, you can use
>> simple LDAP binds too. You cannot read the hash codes unless you are
>> cn=Directory Manager (or unless you set ACI allowing that, but this is
>> very insecure).
>
> Could you please elaborate on using simple LDAP binds?
>
> Thanks for the detailed example!

simple bind == with a password. The simple bind has two components - the
DN to bind as and a password.

See the example Martin posted. The ldapadd command there authenticates
using DN cn=Directory Manager and Martin was kind enough to also show
how a password can be provided.



Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Chris Hudson
A simple bind would be using a user/password combination to access LDAP. An 
example of a simple bind in an ldapsearch would look something like: 

# ldapsearch -x -h ldap.example.com -D uid=user1,ou=people,dc=example,dc=com \
    -w password -b dc=example,dc=com

You can see how we are using -x (simple bind) and then -D (who to bind with?) 
and then -w (password) to access the LDAP database on ldap.example.com. 

HTH, 
Chris 

- Original Message -

> From: Thomas Raehalme thomas.raeha...@codecenter.fi
> To: Martin Kosek mko...@redhat.com
> Cc: freeipa-users@redhat.com
> Sent: Thursday, September 12, 2013 8:54:59 AM
> Subject: Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd
> party applications
>
> Hi!
>
> On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
>
>> When using FreeIPA LDAP as an identity source, you could ideally use
>> Kerberos/GSSAPI authentication. But if that is not available, you can use
>> simple LDAP binds too. You cannot read the hash codes unless you are
>> cn=Directory Manager (or unless you set ACI allowing that, but this is
>> very insecure).
>
> Could you please elaborate on using simple LDAP binds?
>
> Thanks for the detailed example!
>
> Best regards,
> Thomas
>
> --
> Thomas Raehalme
> CTO, Chief Technology Officer
> Mobile +358 40 545 0605
>
> Codecenter Oy
> Väinönkatu 26 A, 4th Floor
> 40100 JYVÄSKYLÄ, Finland
> Tel. +358 10 322 0040
> www.codecenter.fi
>
> Codecenter - Information systems made understandable

Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Thomas Raehalme
Hi!

On Thu, Sep 12, 2013 at 4:33 PM, Martin Kosek mko...@redhat.com wrote:
> Well, LDAP is the data backend for all FreeIPA identity data, you can
> certainly use plain LDAP binds with them (though Kerberos/GSSAPI auth is
> preferred).
> # ldapsearch -h `hostname` -D uid=jdoe,cn=users,cn=accounts,dc=example,dc=com \
>     -x -w xO3xs5yOv,dL -b "" -s base

Now I got it working. I didn't remember to use the DN to log in, so no
wonder it didn't work :-)

Thank you for all your help!

Best regards,
Thomas



Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Martin Kosek

On 09/12/2013 08:29 PM, Thomas Raehalme wrote:

> Hi!
>
> On Thu, Sep 12, 2013 at 4:33 PM, Martin Kosek mko...@redhat.com wrote:
>
>> Well, LDAP is the data backend for all FreeIPA identity data, you can
>> certainly use plain LDAP binds with them (though Kerberos/GSSAPI auth is
>> preferred).
>> # ldapsearch -h `hostname` -D uid=jdoe,cn=users,cn=accounts,dc=example,dc=com \
>>     -x -w xO3xs5yOv,dL -b "" -s base
>
> Now I got it working. I didn't remember to use the DN to log in, so no
> wonder it didn't work :-)
>
> Thank you for all your help!
>
> Best regards,
> Thomas


Good! I am glad I could help :-)

Martin



Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Thomas Raehalme
Hi!

On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek mko...@redhat.com wrote:
> I was just referring to the fact that when a system or application uses LDAP
> as an identity and authentication source, it often uses the simple LDAP Bind
> operation (i.e. accessing LDAP with user+password) when testing if the user
> accessing the application provided the right credentials.

Yes, that's true at least for some applications. Does the LDAP in
FreeIPA allow that kind of login by default for IPA users? If not, is
it possible to enable it somehow?

Best regards,
Thomas Raehalme
-- 
Thomas Raehalme
CTO, Chief Technology Officer
Mobile +358 40 545 0605

Codecenter Oy
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

Codecenter - Information systems made understandable



Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 04:18:49PM +0300, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek mko...@redhat.com wrote:
>> I was just referring to the fact that when a system or application uses LDAP
>> as an identity and authentication source, it often uses the simple LDAP Bind
>> operation (i.e. accessing LDAP with user+password) when testing if the user
>> accessing the application provided the right credentials.
>
> Yes, that's true at least for some applications. Does the LDAP in
> FreeIPA allow that kind of login by default for IPA users? If not, is
> it possible to enable it somehow?
>
> Best regards,
> Thomas Raehalme

The simple binds should be enabled by default in IPA.



Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-12 Thread Martin Kosek
On 09/12/2013 01:46 PM, Thomas Raehalme wrote:
> Hi,
>
> Previously we have used Atlassian Crowd as a source for user data in
> various applications, both in-house built and proprietary such as JIRA
> or Confluence. As we have deployed FreeIPA, I would like to start
> using it as the identity source. Unfortunately using Kerberos is not
> always possible so I am thinking about LDAP which often is an option
> in 3rd party applications.
>
> Anonymous access to the FreeIPA LDAP is enabled by default. Is it
> possible to configure username/password to access the information?
> Currently vSphere has a problem with anonymous access to LDAP not
> working as intended. Of course it would be nice to be able to restrict
> access anyways.
>
> If using FreeIPA LDAP as the identity source, how should
> authentication be handled? Is it possible to read the hash code for
> passwords? Is it possible to authenticate against the LDAP service?
>
> Any advice appreciated!
>
> Best regards,
> Thomas
 

When using FreeIPA LDAP as an identity source, you could ideally use
Kerberos/GSSAPI authentication. But if that is not available, you can use
simple LDAP binds too. You cannot read the hash codes unless you are
cn=Directory Manager (or unless you set ACI allowing that, but this is very
insecure).

If you do not want to access the LDAP anonymously and you do not want to use a
full IPA user for that (added via ipa user-add), you can manually add a
system user and use that for binding to LDAP:

# ldapadd -h `hostname` -D cn=Directory Manager -x -w kokos123
dn: uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: vsphere
userPassword: SuperSecretPassword

adding new entry
uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

HTH,
Martin



Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-12 Thread Martin Kosek
On 09/12/2013 02:54 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
>
>> When using FreeIPA LDAP as an identity source, you could ideally use
>> Kerberos/GSSAPI authentication. But if that is not available, you can use
>> simple LDAP binds too. You cannot read the hash codes unless you are
>> cn=Directory Manager (or unless you set ACI allowing that, but this is very
>> insecure).
>
> Could you please elaborate on using simple LDAP binds?

I was just referring to the fact that when a system or application uses LDAP as an
identity and authentication source, it often uses the simple LDAP Bind operation
(i.e. accessing LDAP with user+password) when testing if the user accessing
the application provided the right credentials.

I am no expert on how you configure that with vSphere or similar, but if it
supports general LDAP as an identity/authentication source, it should also work
with FreeIPA.

I found some documentation that may be relevant:
http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-B23B1360-8838-4FF2-B074-71643C4CB040.html

Maybe other users are capable of giving a more detailed answer with respect to
vSphere.

Martin



Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-12 Thread Martin Kosek
On 09/12/2013 03:18 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek mko...@redhat.com wrote:
>> I was just referring to the fact that when a system or application uses LDAP
>> as an identity and authentication source, it often uses the simple LDAP Bind
>> operation (i.e. accessing LDAP with user+password) when testing if the user
>> accessing the application provided the right credentials.
>
> Yes, that's true at least for some applications. Does the LDAP in
> FreeIPA allow that kind of login by default for IPA users? If not, is
> it possible to enable it somehow?
>
> Best regards,
> Thomas Raehalme

Well, LDAP is the data backend for all FreeIPA identity data, you can certainly
use plain LDAP binds with them (though Kerberos/GSSAPI auth is preferred).

See an example where I add a new IPA user and do an LDAP bind with his credentials:

# ipa user-add --first=John --last=Doe jdoe --random
-
Added user jdoe
-
  User login: jdoe
  First name: John
  Last name: Doe
  Full name: John Doe
  Display name: John Doe
  Initials: JD
  Home directory: /home/jdoe
  GECOS: John Doe
  Login shell: /bin/sh
  Kerberos principal: j...@example.com
  Email address: j...@example.com
  Random password: xO3xs5yOv,dL
  UID: 47066
  GID: 47066
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# ldapsearch -h `hostname` -D uid=jdoe,cn=users,cn=accounts,dc=example,dc=com \
    -x -w xO3xs5yOv,dL -b "" -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
...

Martin

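The simple bind that Martin's ldapsearch above demonstrates, and the group-side membership lookup that Dan's Confluence/JIRA settings earlier in this thread rely on (Group Members Attribute `member`, with the user-side attribute left unchecked), modelled offline in Python. This is an added example, not code from the thread, from FreeIPA or from Atlassian. It assumes a base DN of dc=example,dc=com, a constructed in-memory directory holding the entries the thread mentions (jdoe, the vsphere system account, the ipausers/jira-users/confluence-users groups), and a stand-in {SSHA512} hashing routine for the server storing userPassword hashed on write.

```python
"""Offline model of the two LDAP interactions in this thread: a simple bind
(full DN + password) and group-side membership lookup. Constructed example,
no network and no real FreeIPA server; the DN layout is the one shown in the
thread and the base DN dc=example,dc=com is assumed."""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"  # assumed base DN


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE_DN}"

def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{BASE_DN}"

def sysaccount_dn(uid):
    return f"uid={uid},cn=sysaccounts,cn=etc,{BASE_DN}"


def ssha512(password, salt=None):
    """Salted SHA-512 in {SSHA512} form. Stands in for the server hashing
    userPassword on write: a binding client sends the clear text once and
    never reads a hash back."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()

def check_password(stored, candidate):
    """Constant-time check of a candidate password against a {SSHA512} value."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    return hmac.compare_digest(hashlib.sha512(candidate.encode() + salt).digest(), digest)

def _group(cn, *members):
    return {"objectClass": ["top", "groupofnames", "ipausergroup"], "cn": [cn], "member": list(members)}


# Constructed directory content mirroring the entries mentioned in the thread.
DIRECTORY = {
    user_dn("jdoe"): {"objectClass": ["top", "person", "inetorgperson"], "uid": ["jdoe"],
                      "givenName": ["John"], "sn": ["Doe"], "displayName": ["John Doe"],
                      "userPassword": [ssha512("xO3xs5yOv,dL")]},
    sysaccount_dn("vsphere"): {"objectClass": ["account", "simplesecurityobject", "top"],
                               "uid": ["vsphere"], "userPassword": [ssha512("SuperSecretPassword")]},
    group_dn("ipausers"): _group("ipausers", user_dn("jdoe")),
    group_dn("jira-users"): _group("jira-users", user_dn("jdoe")),
    group_dn("confluence-users"): _group("confluence-users", user_dn("jdoe")),
}


def search_user(directory, uid):
    """What an application does before binding as the user: search the user
    subtree with (objectclass=inetorgperson) and match the User Name
    Attribute (uid). Returns the DN, or None if there is no such user."""
    user_base = f"cn=users,cn=accounts,{BASE_DN}".lower()
    for dn, entry in directory.items():
        classes = [c.lower() for c in entry["objectClass"]]
        if dn.lower().endswith(user_base) and "inetorgperson" in classes and entry.get("uid") == [uid]:
            return dn
    return None

def simple_bind(directory, dn, password):
    """LDAP simple bind: a full DN plus a password. A bare uid is not a DN, so
    it fails (the mistake corrected in this thread). An empty password is
    refused because LDAP treats that as an unauthenticated bind, which must
    never be reported to the application as a successful login."""
    entry = directory.get(dn)
    if entry is None or not password:
        return False
    return any(check_password(h, password) for h in entry.get("userPassword", []))

def groups_of(directory, member_dn):
    """Group-side membership, as the Atlassian settings in this thread do it:
    filter (objectclass=ipausergroup) and look for the user's DN in the
    `member` attribute rather than reading any attribute on the user entry."""
    member_dn = member_dn.lower()
    return sorted(entry["cn"][0] for entry in directory.values()
                  if "ipausergroup" in [c.lower() for c in entry["objectClass"]]
                  and member_dn in [m.lower() for m in entry.get("member", [])])

def authenticate_app_user(directory, username, password):
    """Full application flow: bind as the read-only service account, look up
    the user's DN by uid, bind again as that DN with the submitted password,
    then resolve groups. Returns the group names, or None on any failure."""
    if not simple_bind(directory, sysaccount_dn("vsphere"), "SuperSecretPassword"):
        return None
    dn = search_user(directory, username)
    if dn is None or not simple_bind(directory, dn, password):
        return None
    return groups_of(directory, dn)
```

The two-step flow in authenticate_app_user (service-account bind, uid search, re-bind as the user's own DN) is what a directory-backed application does on every login, which is why the bind DN is the full entry DN and not the bare uid, and why the service account only needs read access: it never sees a password hash. The empty-password check matters because a simple bind with a DN and no password is an unauthenticated bind, which a server may be configured to accept without verifying anything.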


Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-12 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 02:28:45PM +0200, Martin Kosek wrote:
> # ldapadd -h `hostname` -D cn=Directory Manager -x -w kokos123
                                                        ^^
0wn3d :-)
