Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden <[email protected]>:
> Alexander Skwar wrote:
>> The WAF would then send username and password to FreeIPA (using LDAP)
>> and would need to get back, whether the combination was good or not.
>>
>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
>> know of some good howtos or links? Any gotchas, that we'd need to be
>> aware of?
>
> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP

I created the user uid=system as shown in the howto. But my appliance is
having issues (so to say). I'm getting errors like this one:

[…]
2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT] [USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636' / cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636 / javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
        at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
        at com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
[…]

Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]

I suppose the "tech" user doesn't have sufficient rights.

In the Howto, it says:

  Note: IPA 4.0 is going to change the default stance on data from nearly
  everything is readable to nothing is readable, by default. You will
  eventually need to add some Access Control Instructions (ACI's) to grant
  read access to the parts of the LDAP tree you will need.

What would be good ACIs to grant read access to
cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

Thanks again,

Alexander

--
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => [email protected] <==

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
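The following is an added example and not part of the thread or of the FreeIPA project's own code. It builds a 389 Directory Server ACI (the ACI syntax FreeIPA's directory uses) that grants a system account read, search and compare on the users subtree named in the post, emits it as an LDIF change to apply as Directory Manager, and pairs it with a check that binds explicitly as that account. Assumptions, labelled in the code: the system account DN follows the HowTo/LDAP page (uid=system,cn=sysaccounts,cn=etc,<suffix>), which the post does not show; the suffix and server URI are taken from the quoted log line; the attribute list and the ACI name are illustrative. The check matters because LDAP result code 48 (inappropriateAuthentication) is a bind result, returned before any ACI is evaluated, whereas a missing ACI shows up as result 50 (insufficientAccessRights) or an empty search result after a successful bind.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# Assumptions:
#   - BINDDN is where the FreeIPA HowTo/LDAP page creates the system account;
#     the post itself does not show the full DN
#   - SUFFIX and LDAP_URI come from the log line quoted in the post
#   - the ACI is attached to the suffix entry; any ancestor of the target works
#   - the attribute list and ACI name are illustrative, not a FreeIPA default

SUFFIX="dc=hydrus,dc=intern"
USERS="cn=users,cn=accounts,${SUFFIX}"
BINDDN="uid=system,cn=sysaccounts,cn=etc,${SUFFIX}"   # assumed DN
LDAP_URI="ldaps://192.168.94.147:636"

# Print a 389-DS ACI value that allows the bind DN $1 read, search and
# compare on the subtree $2, limited to the attributes a WAF that only
# authenticates users needs to see.
make_read_aci() {
    binddn="$1"; target="$2"
    printf '(targetattr = "uid || cn || givenName || sn || mail || objectClass")(target = "ldap:///%s")(version 3.0; acl "WAF read users"; allow (read, search, compare) userdn = "ldap:///%s";)' \
        "$target" "$binddn"
}

# Print an LDIF modify operation that adds that ACI to entry $1, granting
# bind DN $2 access to subtree $3.
make_aci_ldif() {
    entry="$1"; binddn="$2"; target="$3"
    printf 'dn: %s\nchangetype: modify\nadd: aci\naci: %s\n' \
        "$entry" "$(make_read_aci "$binddn" "$target")"
}

# Apply the change as Directory Manager (prompts for its password).
# Usage: apply_aci
apply_aci() {
    make_aci_ldif "$SUFFIX" "$BINDDN" "$USERS" |
        ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -W
}

# Check: bind as the system account with its password and look up one user.
# Result code 48 here is raised by the bind itself, before any ACI is
# consulted; result code 50 or an empty result after a successful bind
# points at the ACI instead.
# Usage: check_bind <uid>
check_bind() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BINDDN" -W \
        -b "$USERS" -s one "(uid=$1)" uid cn mail
}
```

Run `apply_aci` once, then `check_bind ask` with the system account's password; the same `ldapsearch` with `-D`/`-W` omitted shows what an anonymous client can read, which is what the quoted Howto note says IPA 4.0 narrows.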
