Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-15 Thread Peter Brown
On 12 April 2013 23:59, Rich Megginson  wrote:

>  On 04/11/2013 11:58 PM, Peter Brown wrote:
>
> On 12 April 2013 15:51, Simon Williams 
> wrote:
>
>> I use Atlassian products, but use Crowd to provide single sign-on. This
>> means that Crowd is the only application that needs to authenticate against
>> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
>> not get it to work set to OpenLDAP.
>>
>
>  I had a look at crowd but it seemed like overkill when I could just
> point everything at FreeIPA.
>  We are a small shop so the extra queries weren't going to affect much.
>  I tried telling my Atlassian apps that FreeIPA was a 389 DS server but
> it refused to work properly.
>
>
> Not sure what that means, exactly.  Check the 389 access logs to see what
> operations Atlassian is performing against 389.
>

I don't remember the exact error. They get used every day and work as is,
so I will have to wait for an update to switch it over and see what errors
it produces.


>
>
>   Slightly strange considering the ldap modules for all of them are the
> same as the one used in crowd.
>
>
>> Regards
>>
>> Simon
>>   On 11 Apr 2013 23:36, "Peter Brown"  wrote:
>>
>>> On 12 April 2013 05:04, John Dennis  wrote:
>>>
 On 04/11/2013 02:47 PM, Bartek Moczulski wrote:

> hi,
> I've got a problem with using IPA as authentication source over LDAP.
> Generally there are two approaches to LDAP authentication:
> 1. bind using admin account and read passwords from user objects (but
> in
> ipa you cannot read passwords through ldap, right?)
> 2. "bind to authenticate" - service tries to log in to ldap with user's
> credentials. If login is successful authentication is also successful -
> this approach does not work because you cannot login to IPA ldap using
> bare username, you need a full LDAP DN.
>

  Most applications I know of that do "bind as user" to authenticate
 also permit you to specify a format string into which the user name is
 inserted (i.e. the format string is the dn, e.g.
 "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search to
 discover the dn. If your application does not support either approach it's
 broken IMHO.

>>>
>>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
>>>  I will be adding more applications in the future as well.
>>>  If the application doesn't support Kerberos it's the next best thing
>>> in my opinion.
>>> I have also used it to get email lists into dovecot and postfix.
>>>
>>>  One caveat I found is you need to tell Atlassian applications that
>>> FreeIPA is a plain OpenLDAP server to get it to work.
>>>  Apart from that it works "out of the box" as they say.
>>>
>>>
>>>

 Reading passwords and/or password hashes is not supported for security
 reasons.

  Now, I've got a 3rd party application supporting both mentioned above
> approaches and the question is - how to make it work with ipa?
>
> thanks in advance,
> Bartek.
>
>
>  ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

 --
 John Dennis 

 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/



>>>
>>>
>>>
>>
>
>
>
>
>

Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-12 Thread Rich Megginson

On 04/11/2013 11:58 PM, Peter Brown wrote:
On 12 April 2013 15:51, Simon Williams 
> wrote:


I use Atlassian products, but use Crowd to provide single sign-on.
This means that Crowd is the only application that needs to
authenticate against LDAP. I found that I had to tell Crowd that
the server was 389 DS. I could not get it to work set to OpenLDAP.


I had a look at crowd but it seemed like overkill when I could just 
point everything at FreeIPA.

We are a small shop so the extra queries weren't going to affect much.
I tried telling my Atlassian apps that FreeIPA was a 389 DS server
but it refused to work properly.


Not sure what that means, exactly.  Check the 389 access logs to see 
what operations Atlassian is performing against 389.


Slightly strange considering the ldap modules for all of them are the 
same as the one used in crowd.


Regards

Simon

On 11 Apr 2013 23:36, "Peter Brown" wrote:

On 12 April 2013 05:04, John Dennis wrote:

On 04/11/2013 02:47 PM, Bartek Moczulski wrote:

hi,
I've got a problem with using IPA as authentication
source over LDAP.
Generally there are two approaches to LDAP authentication:
1. bind using admin account and read passwords from
user objects (but in
ipa you cannot read passwords through ldap, right?)
2. "bind to authenticate" - service tries to log in to
ldap with user's
credentials. If login is successful authentication is
also successful -
this approach does not work because you cannot login
to IPA ldap using
bare username, you need a full LDAP DN.


Most applications I know of that do "bind as user" to
authenticate also permit you to specify a format string
into which the user name is inserted (i.e. the format
string is the dn, e.g.
"uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they
do a search to discover the dn. If your application does
not support either approach it's broken IMHO.


I have used this method for Confluence, Jira, Stash, Icinga
and Foreman.
I will be adding more applications in the future as well.
If the application doesn't support Kerberos it's the next best
thing in my opinion.
I have also used it to get email lists into dovecot and postfix.

One caveat I found is you need to tell Atlassian applications
that FreeIPA is a plain OpenLDAP server to get it to work.
Apart from that it works "out of the box" as they say.



Reading passwords and/or password hashes is not supported
for security reasons.

Now, I've got a 3rd party application supporting both
mentioned above
approaches and the question is - how to make it work
with ipa?

thanks in advance,
Bartek.

















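Rich's suggestion above, to read the 389 DS access log, as an added example that is not code from this thread, from FreeIPA or from 389 DS: a small parser that pairs each BIND/SRCH request with its RESULT line by (conn, op) and flags the three patterns this thread discusses, a bind whose identity is a bare user name rather than a DN, a failed bind, and a search that asks for userPassword. The log lines are constructed for this example in the 389 DS access-log layout; the timestamps, addresses, connection numbers, service account and DNs are assumptions.

```python
"""Added example (not from the thread, FreeIPA or 389 DS): correlate 389
Directory Server access-log lines by (conn, op) and flag the patterns the
thread talks about. SAMPLE_LOG is constructed; every name in it is assumed."""
import re

# Constructed sample: service-account bind, uid lookup, an attempt to read
# userPassword, a user bind with a wrong password, and a bind that sends a
# bare user name where a DN is expected.
SAMPLE_LOG = """\
[12/Apr/2013:09:15:02 +1000] conn=31 fd=64 slot=64 connection from 10.0.0.8 to 10.0.0.5
[12/Apr/2013:09:15:02 +1000] conn=31 op=0 BIND dn="uid=svc-jira,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[12/Apr/2013:09:15:02 +1000] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Apr/2013:09:15:02 +1000] conn=31 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=inetOrgPerson)(uid=pbrown))" attrs="dn uid mail"
[12/Apr/2013:09:15:02 +1000] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Apr/2013:09:15:03 +1000] conn=31 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=pbrown)" attrs="userPassword"
[12/Apr/2013:09:15:03 +1000] conn=31 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[12/Apr/2013:09:15:03 +1000] conn=31 op=3 UNBIND
[12/Apr/2013:09:15:03 +1000] conn=31 op=3 fd=64 closed - U1
[12/Apr/2013:09:15:03 +1000] conn=32 op=0 BIND dn="uid=pbrown,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Apr/2013:09:15:03 +1000] conn=32 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[12/Apr/2013:09:15:04 +1000] conn=33 op=0 BIND dn="pbrown" method=128 version=3
[12/Apr/2013:09:15:04 +1000] conn=33 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Standard LDAP result codes (RFC 4511) that show up in bind/search results.
LDAP_RESULT_NAMES = {
    0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
    48: "inappropriateAuthentication", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
# key=value pairs; quoted values may contain spaces, '=' and parentheses.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _kv(args):
    """Turn 'dn="..." method=128 version=3' into a dict, quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(args)}


def parse_access_log(text):
    """One record per (conn, op): the request line merged with its RESULT."""
    ops = {}  # insertion-ordered: (conn, op) -> record
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("op") is None:
            continue  # connection open lines carry no op number
        key = (int(m.group("conn")), int(m.group("op")))
        kind, _, args = m.group("rest").partition(" ")
        if kind == "RESULT":
            rec = ops.setdefault(key, {"conn": key[0], "op": key[1], "kind": "?"})
            res = _kv(args)
            rec["err"] = int(res.get("err", -1))
            rec["nentries"] = int(res.get("nentries", 0))
        elif kind.isupper():  # BIND, SRCH, UNBIND, MOD, ...
            rec = ops.setdefault(key, {"conn": key[0], "op": key[1]})
            rec["kind"] = kind
            rec["ts"] = m.group("ts")
            rec.update(_kv(args))
        # anything else ("fd=64 closed - U1") is connection bookkeeping
    return list(ops.values())


def find_findings(ops):
    """(conn, op, message) for each operation worth a second look."""
    findings = []
    for rec in ops:
        where = (rec["conn"], rec["op"])
        if rec.get("kind") == "BIND":
            dn = rec.get("dn", "")
            if dn and "=" not in dn:
                findings.append(where + ("bind identity %r is a bare user name, not a DN" % dn,))
            err = rec.get("err", 0)
            if err != 0:
                name = LDAP_RESULT_NAMES.get(err, "unknown")
                findings.append(where + ("bind failed: %s (err=%d)" % (name, err),))
        elif rec.get("kind") == "SRCH":
            if "userPassword" in rec.get("attrs", "").split():
                findings.append(where + ("search asks for userPassword: the read-the-hash approach IPA does not serve",))
    return findings


if __name__ == "__main__":
    for conn, op, msg in find_findings(parse_access_log(SAMPLE_LOG)):
        print("conn=%d op=%d: %s" % (conn, op, msg))
```

To use it on a real server, pass the contents of the instance's access log (by default under /var/log/dirsrv/slapd-<instance>/) to parse_access_log(); a client that binds with a bare name, or that searches for userPassword, is the "bind to authenticate" and "read the hash" behaviour discussed in this thread, and the err code on the matching RESULT line tells you how the server answered.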

Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread Peter Brown
On 12 April 2013 15:51, Simon Williams wrote:

> I use Atlassian products, but use Crowd to provide single sign-on. This
> means that Crowd is the only application that needs to authenticate against
> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
> not get it to work set to OpenLDAP.
>

I had a look at crowd but it seemed like overkill when I could just point
everything at FreeIPA.
We are a small shop so the extra queries weren't going to affect much.
I tried telling my Atlassian apps that FreeIPA was a 389 DS server but it
refused to work properly.
Slightly strange considering the ldap modules for all of them are the same
as the one used in crowd.


> Regards
>
> Simon
> On 11 Apr 2013 23:36, "Peter Brown"  wrote:
>
>> On 12 April 2013 05:04, John Dennis  wrote:
>>
>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>
 hi,
 I've got a problem with using IPA as authentication source over LDAP.
 Generally there are two approaches to LDAP authentication:
 1. bind using admin account and read passwords from user objects (but in
 ipa you cannot read passwords through ldap, right?)
 2. "bind to authenticate" - service tries to log in to ldap with user's
 credentials. If login is successful authentication is also successful -
 this approach does not work because you cannot login to IPA ldap using
 bare username, you need a full LDAP DN.

>>>
>>> Most applications I know of that do "bind as user" to authenticate also
>>> permit you to specify a format string into which the user name is inserted
>>> (i.e. the format string is the dn, e.g.
>>> "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
>>> -or- they do a search to discover the dn. If your application does not
>>> support either approach it's broken IMHO.
>>>
>>
>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
>> I will be adding more applications in the future as well.
>> If the application doesn't support Kerberos it's the next best thing in
>> my opinion.
>> I have also used it to get email lists into dovecot and postfix.
>>
>> One caveat I found is you need to tell Atlassian applications that
>> FreeIPA is a plain OpenLDAP server to get it to work.
>> Apart from that it works "out of the box" as they say.
>>
>>
>>
>>>
>>> Reading passwords and/or password hashes is not supported for security
>>> reasons.
>>>
>>>  Now, I've got a 3rd party application supporting both mentioned above
 approaches and the question is - how to make it work with ipa?

 thanks in advance,
 Bartek.




>>>
>>>
>>>
>>>
>>
>>
>>
>

Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread Simon Williams
I use Atlassian products, but use Crowd to provide single sign-on. This
means that Crowd is the only application that needs to authenticate against
LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
not get it to work set to OpenLDAP.

Regards

Simon
On 11 Apr 2013 23:36, "Peter Brown"  wrote:

> On 12 April 2013 05:04, John Dennis  wrote:
>
>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>
>>> hi,
>>> I've got a problem with using IPA as authentication source over LDAP.
>>> Generally there are two approaches to LDAP authentication:
>>> 1. bind using admin account and read passwords from user objects (but in
>>> ipa you cannot read passwords through ldap, right?)
>>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>>> credentials. If login is successful authentication is also successful -
>>> this approach does not work because you cannot login to IPA ldap using
>>> bare username, you need a full LDAP DN.
>>>
>>
>> Most applications I know of that do "bind as user" to authenticate also
>> permit you to specify a format string into which the user name is inserted
>> (i.e. the format string is the dn, e.g.
>> "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
>> -or- they do a search to discover the dn. If your application does not
>> support either approach it's broken IMHO.
>>
>
> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
> I will be adding more applications in the future as well.
> If the application doesn't support Kerberos it's the next best thing in my
> opinion.
> I have also used it to get email lists into dovecot and postfix.
>
> One caveat I found is you need to tell Atlassian applications that FreeIPA
> is a plain OpenLDAP server to get it to work.
> Apart from that it works "out of the box" as they say.
>
>
>
>>
>> Reading passwords and/or password hashes is not supported for security
>> reasons.
>>
>>  Now, I've got a 3rd party application supporting both mentioned above
>>> approaches and the question is - how to make it work with ipa?
>>>
>>> thanks in advance,
>>> Bartek.
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>

Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread Simo Sorce
On Thu, 2013-04-11 at 14:59 -0400, Rob Crittenden wrote:
> Bartek Moczulski wrote:
> > hi,
> > I've got a problem with using IPA as authentication source over LDAP.
> > Generally there are two approaches to LDAP authentication:
> > 1. bind using admin account and read passwords from user objects (but in
> > ipa you cannot read passwords through ldap, right?)
> > 2. "bind to authenticate" - service tries to log in to ldap with user's
> > credentials. If login is successful authentication is also successful -
> > this approach does not work because you cannot login to IPA ldap using
> > bare username, you need a full LDAP DN.
> >
> > Now, I've got a 3rd party application supporting both mentioned above
> > approaches and the question is - how to make it work with ipa?
> >
> > thanks in advance,
> 
> We won't do #1. In our opinion it is insecure to share password hashes.
> 
> For #2 AFAIK LDAP simple bind requires a DN. Typically the app does a 
> search on the uid, gets the DN, then attempts a bind.
> 
> I'd be curious to know what LDAP servers your 3rd party app is certified 
> against.

AD supports simple binds with a username instead of a DN ... yeah, not
standard, but we might want to support it. We have a pre-bind plugin
after all, so we could if we want to; it's just a matter of creating an RFE
ticket.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread Peter Brown
On 12 April 2013 05:04, John Dennis  wrote:

> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>
>> hi,
>> I've got a problem with using IPA as authentication source over LDAP.
>> Generally there are two approaches to LDAP authentication:
>> 1. bind using admin account and read passwords from user objects (but in
>> ipa you cannot read passwords through ldap, right?)
>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>> credentials. If login is successful authentication is also successful -
>> this approach does not work because you cannot login to IPA ldap using
>> bare username, you need a full LDAP DN.
>>
>
> Most applications I know of that do "bind as user" to authenticate also
> permit you to specify a format string into which the user name is inserted
> (i.e. the format string is the dn, e.g.
> "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
> -or- they do a search to discover the dn. If your application does not
> support either approach it's broken IMHO.
>

I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
I will be adding more applications in the future as well.
If the application doesn't support Kerberos it's the next best thing in my
opinion.
I have also used it to get email lists into dovecot and postfix.

One caveat I found is you need to tell Atlassian applications that FreeIPA
is a plain OpenLDAP server to get it to work.
Apart from that it works "out of the box" as they say.



>
> Reading passwords and/or password hashes is not supported for security
> reasons.
>
>  Now, I've got a 3rd party application supporting both mentioned above
>> approaches and the question is - how to make it work with ipa?
>>
>> thanks in advance,
>> Bartek.
>>
>>
>>
>>
>
>
>
>

Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread Rob Crittenden

Bartek Moczulski wrote:

hi,
I've got a problem with using IPA as authentication source over LDAP.
Generally there are two approaches to LDAP authentication:
1. bind using admin account and read passwords from user objects (but in
ipa you cannot read passwords through ldap, right?)
2. "bind to authenticate" - service tries to log in to ldap with user's
credentials. If login is successful authentication is also successful -
this approach does not work because you cannot login to IPA ldap using
bare username, you need a full LDAP DN.

Now, I've got a 3rd party application supporting both mentioned above
approaches and the question is - how to make it work with ipa?

thanks in advance,


We won't do #1. In our opinion it is insecure to share password hashes.

For #2 AFAIK LDAP simple bind requires a DN. Typically the app does a 
search on the uid, gets the DN, then attempts a bind.


I'd be curious to know what LDAP servers your 3rd party app is certified 
against.


rob



Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread John Dennis

On 04/11/2013 02:47 PM, Bartek Moczulski wrote:

hi,
I've got a problem with using IPA as authentication source over LDAP.
Generally there are two approaches to LDAP authentication:
1. bind using admin account and read passwords from user objects (but in
ipa you cannot read passwords through ldap, right?)
2. "bind to authenticate" - service tries to log in to ldap with user's
credentials. If login is successful authentication is also successful -
this approach does not work because you cannot login to IPA ldap using
bare username, you need a full LDAP DN.


Most applications I know of that do "bind as user" to authenticate also 
permit you to specify a format string into which the user name is 
inserted (i.e. the format string is the dn, e.g. 
"uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search 
to discover the dn. If your application does not support either approach
it's broken IMHO.


Reading passwords and/or password hashes is not supported for security 
reasons.



Now, I've got a 3rd party application supporting both mentioned above
approaches and the question is - how to make it work with ipa?

thanks in advance,
Bartek.







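The "bind as user" approaches John and Rob describe, as an added example that is not code from this thread or from FreeIPA: the DN format string (uid=%u,cn=users,cn=accounts,dc=example,dc=com) and search-then-bind, with the checks a client needs around them. The user name is escaped before it is spliced into a filter (RFC 4515) or into a DN (RFC 4514), the search must return exactly one entry, and an empty password is refused before it reaches the server, because a simple bind with a DN and no password is an unauthenticated bind (RFC 4513) that a server allowing it answers with success. An in-memory stand-in replaces the directory so the module runs offline; its entries, the base DN and the authenticate() interface are assumptions of this example, and in production fake_search and fake_bind would be the LDAP library's own search and bind calls.

```python
"""Added example (not from the thread or FreeIPA): bind-as-user with a DN
template or search-then-bind, plus the escaping and edge-case checks a client
needs. DIRECTORY is a constructed stand-in; the base DN is assumed."""
import hmac
import re

BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"   # assumed IPA user container
DN_TEMPLATE = "uid=%u," + BASE_DN                     # %u is the user name slot

# Constructed entries. A real server never hands userPassword to a client;
# it is stored here only so the stand-in bind has something to check.
DIRECTORY = {
    "uid=bartek," + BASE_DN: {"uid": "bartek", "userPassword": "correct horse"},
    "uid=admin," + BASE_DN: {"uid": "admin", "userPassword": "hunter2"},
}


def escape_filter_value(value):
    """RFC 4515: escape a value before splicing it into a search filter, so
    a name like '*' or 'x)(uid=admin' cannot change what the filter matches."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape a value before splicing it into the RDN of a DN
    template, so 'bartek,cn=groups' cannot rewrite the rest of the DN."""
    s = "".join("\\%02x" % ord(c) if c in ',+"\\<>;\x00' else c for c in value)
    if s.startswith("#") or s.startswith(" "):
        s = "\\%02x" % ord(s[0]) + s[1:]
    if s.endswith(" "):
        s = s[:-1] + "\\20"
    return s


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def fake_search(filter_str):
    """Stand-in for a subtree search. Understands only (uid=<pattern>) and,
    like a real server, treats an unescaped '*' as a wildcard."""
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    literal_parts = [_unescape(p) for p in m.group(1).split("*")]
    rx = re.compile("^" + ".*".join(re.escape(p) for p in literal_parts) + "$")
    return [dn for dn, attrs in DIRECTORY.items() if rx.match(attrs["uid"])]


def fake_bind(dn, password):
    """Stand-in for LDAP simple bind. RFC 4513 calls a bind with a DN and an
    empty password an *unauthenticated* bind; a server that allows it (Active
    Directory does by default) answers success as anonymous. The stand-in
    models that so authenticate() has to refuse empty passwords itself."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def authenticate(username, password, mode="search"):
    """mode="template": build the DN from DN_TEMPLATE and bind with it.
    mode="search": look the DN up by uid first, then bind as that DN."""
    if not username or not password:
        return False                       # never let an empty password reach bind
    if mode == "template":
        dn = DN_TEMPLATE.replace("%u", escape_dn_value(username))
    else:
        matches = fake_search("(uid=%s)" % escape_filter_value(username))
        if len(matches) != 1:              # unknown user, or an ambiguous match
            return False
        dn = matches[0]
    return fake_bind(dn, password)


if __name__ == "__main__":
    for user, pw in [("bartek", "correct horse"), ("bartek", "wrong"),
                     ("bartek", ""), ("*", "hunter2")]:
        print(repr(user), repr(pw), authenticate(user, pw))
```

The two escaping helpers are the part most third-party "LDAP auth" modules get wrong: without escape_filter_value a user name of `*` makes the lookup match every entry, and without escape_dn_value a template DN can be steered to a different subtree. The empty-password check matters with either approach, since the server, not the client, decides whether an unauthenticated bind succeeds.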