Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium

2014-08-14 Thread Dmitri Pal

On 08/12/2014 05:26 PM, Chris Whittle wrote:

Thanks Martin!


Thank you for the contribution!
Really appreciated.




On Tue, Aug 12, 2014 at 9:50 AM, Martin Kosek wrote:


Thank you! I linked this page to
http://www.freeipa.org/page/HowTos#Authentication
and also improved formatting of the page. I am not sure about the "role"
section though, we do not use "role" objectclass, so Okta's search probably
returns no results anyway. It may be better to keep that blank IMO.

Martin

On 08/12/2014 03:46 PM, Chris Whittle wrote:
> http://www.freeipa.org/page/HowTo/Integrate_With_Okta
>
>
> On Sat, Aug 9, 2014 at 11:31 PM, Dmitri Pal wrote:
>
>>  On 08/08/2014 04:26 PM, Chris Whittle wrote:
>>
>> Hey Dimitri, What do you mean?  Both of them gave me the same answer and
>> it worked.
>>
>>
>> Right, now you have the knowledge which is buried in a mail thread and
>> would be hard to find for others that might want to follow your steps.
>> I was hoping you would find some time to summarize your setup and
>> experience and share with others via a HOWTO page on the FreeIPA site [1].
>>
>> [1] http://www.freeipa.org/page/HowTos
>>
>> Thanks
>> Dmitri
>>
>>
>>  On Aug 8, 2014 3:25 PM, "Dmitri Pal" wrote:
>>
>>>  On 08/07/2014 02:21 PM, Chris Whittle wrote:
>>>
>>> Thanks guys that works!
>>>
>>>
>>>
>>> And what about HOWTO? ;-)
>>>
>>>
>>>
>>>
>>> On Thu, Aug 7, 2014 at 12:22 PM, Lucas Yamanishi wrote:
>>>
>>>> On 08/07/2014 12:18 PM, Chris Whittle wrote:
>>>>> I'm currently working on a trial with OKTA and have installed their
>>>>> server agent with no issues.  Now I'm trying to map FreeIPA attributes with
>>>>> OKTA's
>>>>>
>>>>> I'm getting no entries found, which leads me to think I'm missing
>>>>> something
>>>>> [image: Inline image 1]
>>>>> [image: Inline image 2]
>>>>> [image: Inline image 3]
>>>>> Thanks!
>>>>
>>>> The objectClass values look incorrect. Try posixAccount and posixGroup
>>>> for users and groups. Roles are groupOfNames, but that's a little less
>>>> specific and will match non-role entries without a search base.
>>>>
>>>> You can easily look up raw entries to check your mappings with commands
>>>> like these (the --all and --raw options are available for all *-show
>>>> commands, afaik):
>>>>
>>>> ipa user-show --all --raw $USER_NAME
>>>> ipa group-show --all --raw $GROUP
>>>> ipa role-show --all --raw $ROLE
>>>>
>>>> Or pure ldaputils (double quotes so the shell expands $USER_NAME):
>>>>
>>>> ldapsearch -LLL -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' "uid=$USER_NAME"
>>>>
>>>> --
>>>> *question everything*learn something*answer nothing*
>>>>
>>>> Lucas Yamanishi
>>>> --
>>>> Systems Administrator, ADNET Systems, Inc.
>>>> NASA Space and Earth Science Data Analysis (606.9)
>>>> 7515 Mission Drive, Suite A100
>>>> Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go To http://freeipa.org for more info on the project

>>>
>>>
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>>>
>>
>>
>>
>>

Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium

2014-08-12 Thread Chris Whittle
Thanks Martin!



Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium

2014-08-12 Thread Martin Kosek
Thank you! I linked this page to
http://www.freeipa.org/page/HowTos#Authentication
and also improved formatting of the page. I am not sure about the "role"
section though, we do not use "role" objectclass, so Okta's search probably
returns no results anyway. It may be better to keep that blank IMO.

Martin


Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium

2014-08-07 Thread Rob Crittenden
Chris Whittle wrote:
> I'm currently working on a trial with OKTA and have installed their
> server agent with no issues.  Now I'm trying to map FreeIPA attributes
> with OKTA's
>
> I'm getting no entries found, which leads me to think I'm missing something
> [image: Inline image 1]
> [image: Inline image 2]
> [image: Inline image 3]
> Thanks!

Try these changes:

User

Unique Identifier Attribute: ipaUniqueID

Object Class: posixAccount

Password Attribute: userPassword

Group

Object Class: posixGroup

I don't think their Role maps directly with our Role, not sure you
should try. You may need to define a new area in the DIT for this.

Otherwise the settings look correct to me.

Once you get something working it would be great if you could write
something on our Wiki about it under http://www.freeipa.org/page/HowTos

rob
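
Added example, not from the thread or the FreeIPA project: a small Python checker that applies the mapping discussed above (posixAccount keyed on ipaUniqueID for users, posixGroup for groups) to raw entries saved from Lucas's `ldapsearch -LLL` command, and reports per entry what would make Okta's search come back with "no entries found". The LDIF below is constructed; its groupOfNames-only group mirrors a non-POSIX group such as FreeIPA's default ipausers, which a posixGroup search does not match.

```python
import re

# Mapping from the thread: users are posixAccount keyed on ipaUniqueID, groups
# are posixGroup.  userPassword is the password attribute, but FreeIPA's ACIs
# hide it from ordinary binds, so this read-only check does not look for it.
EXPECTED = {"user": ("posixAccount", ("ipaUniqueID", "uid")),
            "group": ("posixGroup", ("ipaUniqueID", "cn"))}

def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into one {attr: [values]} dict per entry,
    lowercasing attribute names; lines ldapsearch folded at 76 columns (the
    continuation starts with a space) are joined back first."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(entry, kind):
    """List what would make an Okta search for this kind skip the entry."""
    wanted_oc, attrs = EXPECTED[kind]
    classes = {v.lower() for v in entry.get("objectclass", [])}
    problems = [] if wanted_oc.lower() in classes else [f"missing objectClass {wanted_oc}"]
    return problems + [f"missing attribute {a}" for a in attrs if a.lower() not in entry]

def audit(ldif_text):
    """Map each DN to its problems; DNs under cn=users are users, others groups."""
    return {e["dn"][0]: check_entry(e, "user" if ",cn=users," in e["dn"][0].lower()
                                       else "group") for e in parse_ldif(ldif_text)}

# Constructed sample: a POSIX user with a memberOf value folded the way ldapsearch
# prints it, and a groupOfNames-only group like FreeIPA's default ipausers.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
uid: jdoe
ipaUniqueID: 00000000-1111-2222-3333-444444444444
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,
 dc=com

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
cn: ipausers
ipaUniqueID: 55555555-6666-7777-8888-999999999999
"""
```

Run `audit(open("entries.ldif").read())` on the saved output of the ldapsearch command to get a per-DN list of problems; an empty list means the entry matches the Okta settings.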
