Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
Hi!

On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
> When using FreeIPA LDAP as identity source, you could ideally use
> Kerberos/GSSAPI authentication. But if that is not available, you can use
> simple LDAP binds too. You cannot read the hash codes unless you are
> cn=Directory Manager (or unless you set ACI allowing that, but this is
> very insecure).

Could you please elaborate on using simple LDAP binds? Thanks for the detailed example!

Best regards,
Thomas

--
Thomas Raehalme
CTO (Chief Technology Officer)
Mobile +358 40 545 0605

Codecenter Oy
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

Codecenter - Information systems made understandable

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On Thu, Sep 12, 2013 at 03:54:59PM +0300, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
>> When using FreeIPA LDAP as identity source, you could ideally use
>> Kerberos/GSSAPI authentication. But if that is not available, you can use
>> simple LDAP binds too. You cannot read the hash codes unless you are
>> cn=Directory Manager (or unless you set ACI allowing that, but this is
>> very insecure).
>
> Could you please elaborate on using simple LDAP binds? Thanks for the detailed example!

simple bind == with a password.

The simple bind has two components - the DN to bind as and a password. See the example Martin posted. The ldapadd command there authenticates using DN cn=Directory Manager and Martin was kind enough to also show how a password can be provided.
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
A simple bind would be using a user/password combination to access LDAP. An example of a simple bind in an ldapsearch would look something like:

# ldapsearch -x -h ldap.example.com -D uid=user1,ou=people,dc=example,dc=com -w password -b dc=example,dc=com

You can see how we are using -x (simple bind) and then -D (who to bind with?) and then -w (password) to access the LDAP database on ldap.example.com.

HTH,
Chris

----- Original Message -----
From: Thomas Raehalme thomas.raeha...@codecenter.fi
To: Martin Kosek mko...@redhat.com
Cc: freeipa-users@redhat.com
Sent: Thursday, September 12, 2013 8:54:59 AM
Subject: Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

> Hi!
>
> On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
>> When using FreeIPA LDAP as identity source, you could ideally use
>> Kerberos/GSSAPI authentication. But if that is not available, you can use
>> simple LDAP binds too. You cannot read the hash codes unless you are
>> cn=Directory Manager (or unless you set ACI allowing that, but this is
>> very insecure).
>
> Could you please elaborate on using simple LDAP binds? Thanks for the detailed example!
>
> Best regards,
> Thomas
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
Hi!

On Thu, Sep 12, 2013 at 4:33 PM, Martin Kosek mko...@redhat.com wrote:
> Well, LDAP is the data backend for all FreeIPA identity data, you can
> certainly use plain LDAP binds with them (though Kerberos/GSSAPI auth is
> preferred).
>
> # ldapsearch -h `hostname` -D uid=jdoe,cn=users,cn=accounts,dc=example,dc=com -x -w xO3xs5yOv,dL -b "" -s base

Now I got it working. I didn't remember to use the dn to log in, so no wonder it didn't work :-)

Thank you for all your help!

Best regards,
Thomas
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On 09/12/2013 08:29 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 4:33 PM, Martin Kosek mko...@redhat.com wrote:
>> Well, LDAP is the data backend for all FreeIPA identity data, you can
>> certainly use plain LDAP binds with them (though Kerberos/GSSAPI auth is
>> preferred).
>>
>> # ldapsearch -h `hostname` -D uid=jdoe,cn=users,cn=accounts,dc=example,dc=com -x -w xO3xs5yOv,dL -b "" -s base
>
> Now I got it working. I didn't remember to use the dn to log in, so no wonder it didn't work :-)
>
> Thank you for all your help!
>
> Best regards,
> Thomas

Good! I am glad I could help :-)

Martin
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
Hi!

On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek mko...@redhat.com wrote:
> I was just referring to the fact that when a system or application uses
> LDAP as an identity and authentication source, it often uses the simple
> LDAP Bind operation (i.e. accessing LDAP with user+password or) when
> testing if the user accessing the application provided the right
> credentials.

Yes, that's true at least for some applications. Does the LDAP in FreeIPA allow that kind of login by default for IPA users? If not, is it possible to enable it somehow?

Best regards,
Thomas Raehalme
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On Thu, Sep 12, 2013 at 04:18:49PM +0300, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek mko...@redhat.com wrote:
>> I was just referring to the fact that when a system or application uses
>> LDAP as an identity and authentication source, it often uses the simple
>> LDAP Bind operation (i.e. accessing LDAP with user+password or) when
>> testing if the user accessing the application provided the right
>> credentials.
>
> Yes, that's true at least for some applications. Does the LDAP in FreeIPA allow that kind of login by default for IPA users? If not, is it possible to enable it somehow?
>
> Best regards,
> Thomas Raehalme

The simple binds should be enabled by default in IPA.
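Since simple binds are on by default, the operational question that follows is which DNs actually use them and whether they do so over a protected connection, since a simple bind carries the password in the clear. The script below is an added example written for this thread, not code from 389 Directory Server or FreeIPA: it pairs each BIND in a 389 DS access log with its RESULT and reports simple binds (method=128) that arrived on a non-TLS connection, failed simple binds per DN (err=49), and successful SASL binds by mechanism. The log lines are constructed in the style of the 389 DS access log, with RFC 5737 documentation addresses, and are not real traffic.

```python
"""Summarise BIND activity from 389 Directory Server access-log lines.

Added example for this thread (not 389 DS or FreeIPA code). Sample lines are
constructed in the style of the 389 DS access log; they are not real traffic.
"""
import re
from collections import Counter
from typing import Dict

SAMPLE_LOG = """\
[12/Sep/2013:14:28:45 +0200] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[12/Sep/2013:14:28:45 +0200] conn=12 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Sep/2013:14:28:45 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[12/Sep/2013:14:29:01 +0200] conn=13 fd=65 slot=65 connection from 192.0.2.11 to 192.0.2.5
[12/Sep/2013:14:29:01 +0200] conn=13 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[12/Sep/2013:14:29:01 +0200] conn=13 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[12/Sep/2013:14:29:01 +0200] conn=13 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[12/Sep/2013:14:29:01 +0200] conn=13 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[12/Sep/2013:14:30:10 +0200] conn=14 fd=66 slot=66 SSL connection from 192.0.2.20 to 192.0.2.5
[12/Sep/2013:14:30:10 +0200] conn=14 op=0 BIND dn="uid=vsphere,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[12/Sep/2013:14:30:10 +0200] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=vsphere,cn=sysaccounts,cn=etc,dc=example,dc=com"
[12/Sep/2013:14:31:00 +0200] conn=15 fd=67 slot=67 connection from 198.51.100.7 to 192.0.2.5
[12/Sep/2013:14:31:00 +0200] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Sep/2013:14:31:00 +0200] conn=15 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[12/Sep/2013:14:31:02 +0200] conn=15 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[12/Sep/2013:14:31:02 +0200] conn=15 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Connection open: "SSL connection" marks LDAPS. A StartTLS upgrade shows up later
# as an EXT operation on a plain connection and is NOT tracked by this simple check.
CONN_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+)')
# method=128 is a simple bind (DN + password); method=sasl carries a mech= field.
BIND_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
# RESULT for a bind (tag=97 is BindResponse); a trailing dn= names the identity
# that ended up authenticated, which matters for SASL binds whose BIND dn is "".
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
    r'(?:.*? dn="(?P<dn>[^"]*)")?')


def summarize_binds(log_text: str) -> Dict[str, Counter]:
    """Return counters keyed by what a reviewer of bind traffic wants to see."""
    tls_conns = set()            # conn ids opened as LDAPS
    src_of = {}                  # conn id -> client address
    pending = {}                 # (conn, op) -> (dn, method, mech) awaiting RESULT
    cleartext_simple = Counter() # (dn, src) -> simple binds on a non-TLS connection
    failed_simple = Counter()    # dn -> simple binds answered with err=49
    sasl_ok = Counter()          # mech -> successful SASL binds

    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            src_of[m["conn"]] = m["src"]
            if m["ssl"]:
                tls_conns.add(m["conn"])
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (m["dn"], m["method"], m["mech"])
            if m["method"] == "128" and m["conn"] not in tls_conns:
                cleartext_simple[(m["dn"], src_of.get(m["conn"], "?"))] += 1
            continue
        m = RESULT_RE.match(line)
        if m:
            dn, method, mech = pending.pop((m["conn"], m["op"]), (None, None, None))
            if method == "128" and m["err"] == "49":
                failed_simple[dn] += 1
            elif method == "sasl" and m["err"] == "0":
                sasl_ok[mech or "unknown"] += 1

    return {
        "cleartext_simple_binds": cleartext_simple,
        "failed_simple_binds": failed_simple,
        "sasl_binds_ok": sasl_ok,
    }


if __name__ == "__main__":
    for name, counter in summarize_binds(SAMPLE_LOG).items():
        print(name)
        for key, count in counter.most_common():
            print(f"  {count:3d}  {key}")
```

On the sample, jdoe's simple bind from 192.0.2.10 and the two failed cn=Directory Manager attempts from 198.51.100.7 are flagged as cleartext, while the vsphere system account is not, because it bound over LDAPS; jdoe's GSSAPI bind counts under sasl_binds_ok. The mitigation when the cleartext list is non-empty is to move those clients to LDAPS or StartTLS and, once they are, set nsslapd-require-secure-binds: on in cn=config so 389 DS refuses simple binds on unprotected connections.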
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On 09/12/2013 01:46 PM, Thomas Raehalme wrote:
> Hi,
>
> Previously we have used Atlassian Crowd as a source for user data in
> various applications, both in-house built and proprietary such as JIRA or
> Confluence. As we have deployed FreeIPA, I would like to start using it as
> the identity source. Unfortunately using Kerberos is not always possible so
> I am thinking about LDAP which often is an option in 3rd party applications.
>
> Anonymous access to the FreeIPA LDAP is enabled by default. Is it possible
> to configure username/password to access the information? Currently vSphere
> has a problem with anonymous access to LDAP not working as intended. Of
> course it would be nice to be able to restrict access anyways.
>
> If using FreeIPA LDAP as the identity source, how should authentication be
> handled? Is it possible to read the hash code for passwords? Is it possible
> to authenticate against the LDAP service?
>
> Any advice appreciated!
>
> Best regards,
> Thomas

When using FreeIPA LDAP as identity source, you could ideally use Kerberos/GSSAPI authentication. But if that is not available, you can use simple LDAP binds too. You cannot read the hash codes unless you are cn=Directory Manager (or unless you set ACI allowing that, but this is very insecure).

If you do not want to access the LDAP anonymously and you do not want to use a full IPA user for that (added via ipa user-add), you can manually add a system user and use that for binding to LDAP:

# ldapadd -h `hostname` -D "cn=Directory Manager" -x -w kokos123
dn: uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: vsphere
userPassword: SuperSecretPassword

adding new entry "uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

HTH,
Martin
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On 09/12/2013 02:54 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
>> When using FreeIPA LDAP as identity source, you could ideally use
>> Kerberos/GSSAPI authentication. But if that is not available, you can use
>> simple LDAP binds too. You cannot read the hash codes unless you are
>> cn=Directory Manager (or unless you set ACI allowing that, but this is
>> very insecure).
>
> Could you please elaborate on using simple LDAP binds?

I was just referring to the fact that when a system or application uses LDAP as an identity and authentication source, it often uses the simple LDAP Bind operation (i.e. accessing LDAP with user+password or) when testing if the user accessing the application provided the right credentials.

I am no expert on how you configure that with vSphere or similar, but if it supports general LDAP as an identity/authentication source, it should also work with FreeIPA. I found some doc which may be relevant:

http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-B23B1360-8838-4FF2-B074-71643C4CB040.html

Maybe other users are capable of giving a more detailed answer with respect to vSphere.

Martin
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On 09/12/2013 03:18 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek mko...@redhat.com wrote:
>> I was just referring to the fact that when a system or application uses
>> LDAP as an identity and authentication source, it often uses the simple
>> LDAP Bind operation (i.e. accessing LDAP with user+password or) when
>> testing if the user accessing the application provided the right
>> credentials.
>
> Yes, that's true at least for some applications. Does the LDAP in FreeIPA allow that kind of login by default for IPA users? If not, is it possible to enable it somehow?
>
> Best regards,
> Thomas Raehalme

Well, LDAP is the data backend for all FreeIPA identity data, you can certainly use plain LDAP binds with them (though Kerberos/GSSAPI auth is preferred). See an example where I add a new IPA user and do an LDAP bind with his credentials:

# ipa user-add --first=John --last=Doe jdoe --random
-----------------
Added user "jdoe"
-----------------
  User login: jdoe
  First name: John
  Last name: Doe
  Full name: John Doe
  Display name: John Doe
  Initials: JD
  Home directory: /home/jdoe
  GECOS: John Doe
  Login shell: /bin/sh
  Kerberos principal: j...@example.com
  Email address: j...@example.com
  Random password: xO3xs5yOv,dL
  UID: 47066
  GID: 47066
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# ldapsearch -h `hostname` -D uid=jdoe,cn=users,cn=accounts,dc=example,dc=com -x -w xO3xs5yOv,dL -b "" -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
...

Martin
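What the ldapsearch above (and the -x / -D / -w explanation earlier in the thread) actually sends is one LDAPMessage carrying a BindRequest whose authentication choice is "simple": the bind DN and the password as plain octet strings. The code below is an added example written for this thread, not code from FreeIPA, 389 DS or the list: it encodes that BindRequest per RFC 4511 using only the standard library, decodes the BindResponse to a result code, and, when run as a script against a placeholder host and DN, performs the bind over LDAPS and reads the password from the terminal instead of the command line. build_bind_response is included only so the decoder can be exercised against constructed server replies offline.

```python
"""LDAPv3 simple bind on the wire (RFC 4511), standard library only.

Added example for this thread; not FreeIPA or 389 DS code. A simple bind
sends the DN and password in the clear, which is why it belongs on TLS.
"""
import socket
import ssl
from typing import Tuple

# Bind-related LDAP result codes (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 13: "confidentialityRequired",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER (ENUMERATED when tag=0x0A)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return _tlv(tag, value.to_bytes(size, "big", signed=True))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
       version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    bind_request = _tlv(
        0x60,                                    # [APPLICATION 0], constructed
        _ber_int(3)                              # version 3
        + _tlv(0x04, bind_dn.encode("utf-8"))    # name: the DN to bind as
        + _tlv(0x80, password.encode("utf-8")),  # simple [0]: the password itself
    )
    return _tlv(0x30, _ber_int(message_id) + bind_request)


def build_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side, used here only to construct sample replies for the decoder."""
    bind_response = _tlv(
        0x61,                                     # [APPLICATION 1] BindResponse
        _ber_int(result_code, tag=0x0A)           # resultCode ENUMERATED
        + _tlv(0x04, b"")                         # matchedDN (empty)
        + _tlv(0x04, diagnostic.encode("utf-8")), # diagnosticMessage
    )
    return _tlv(0x30, _ber_int(message_id) + bind_response)


def parse_bind_response(msg: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage); reject anything else."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))


def simple_bind(host: str, bind_dn: str, password: str, port: int = 636) -> Tuple[int, str]:
    """One simple bind over LDAPS; returns (resultCode, its name). Port 636 is the
    default on purpose: over plain 389 the password would cross the wire readable."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as sock:
            sock.sendall(build_simple_bind(1, bind_dn, password))
            reply = sock.recv(4096)
    _, code, _ = parse_bind_response(reply)
    return code, RESULT_CODES.get(code, "other")


if __name__ == "__main__":
    import getpass
    # Placeholder host and DN. The password is prompted for, not passed as an
    # argument, so it does not land in shell history or the process list.
    print(simple_bind("ipa.example.com",
                      "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com",
                      getpass.getpass("LDAP password: ")))
```

The encoder makes the thread's point concrete: the password is an ordinary OCTET STRING inside the request, so the only thing protecting it in transit is the TLS session around the connection. A result code of 49 is the "wrong password or wrong DN" case Thomas hit before switching to the full DN; 13 is what a server returns when it refuses simple binds on an unprotected connection.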
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On Thu, Sep 12, 2013 at 02:28:45PM +0200, Martin Kosek wrote:
> # ldapadd -h `hostname` -D "cn=Directory Manager" -x -w kokos123
                                                          ^^ 0wn3d :-)