Hello,
I am trying to bind to ldap as a service account. I followed the advice in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
and created a plain text password using ipa-getkeytab
ipa-getkeytab -s ipa.ennexa.org -p HTTP/service.domain.tld@EXAMPLE.COM -P -k /tmp/test.keytab
But when I try to bind with the same password, it is failing
ldapsearch -D krbprincipalname=HTTP/service.domain.tld@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com -w "MY_PLAIN_TEXT_PASSWORD" -b cn=groups,cn=accounts,dc=example,dc=com -h ipa.example.com:389
ldap_bind: Inappropriate authentication (48)
Do I have to configure anything else?
Thanks & Regards, Joyce Babu
On Mon, 11 Nov 2019, Joyce Babu via FreeIPA-users wrote:
> Hello,
> I am trying to bind to ldap as a service account. I followed the advice in
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> and created a plain text password using ipa-getkeytab
> ipa-getkeytab -s ipa.ennexa.org -p HTTP/service.domain.tld@EXAMPLE.COM -P -k /tmp/test.keytab
> But when I try to bind with the same password, it is failing
> ldapsearch -D krbprincipalname=HTTP/service.domain.tld@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com -w "MY_PLAIN_TEXT_PASSWORD" -b cn=groups,cn=accounts,dc=example,dc=com -h ipa.example.com:389
> ldap_bind: Inappropriate authentication (48)
> Do I have to configure anything else?
Kerberos services do not have the userPassword attribute set on them when their key is set via ipa-getkeytab. Thus, 389-ds rejects the authentication because it cannot compute and compare hashes from the password you passed with a simple LDAP bind.
Please use SASL GSSAPI or SASL GSS-SPNEGO to authenticate, not simple bind.
On 11/11/19 11:53 AM, Joyce Babu via FreeIPA-users wrote:
> Hello,
> I am trying to bind to ldap as a service account. I followed the advice in
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> and created a plain text password using ipa-getkeytab
> ipa-getkeytab -s ipa.ennexa.org -p HTTP/service.domain.tld@EXAMPLE.COM -P -k /tmp/test.keytab
> But when I try to bind with the same password, it is failing
As you created a keytab, you can use this keytab to obtain a TGT and then GSSAPI to bind using the ticket:
kinit -kt /tmp/test.keytab HTTP/service.domain.tld@EXAMPLE.COM
ldapsearch -Y GSSAPI -b cn=groups,cn=accounts,dc=example,dc=com
flo
> ldapsearch -D krbprincipalname=HTTP/service.domain.tld@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com -w "MY_PLAIN_TEXT_PASSWORD" -b cn=groups,cn=accounts,dc=example,dc=com -h ipa.example.com:389
> ldap_bind: Inappropriate authentication (48)
> Do I have to configure anything else?
> Thanks & Regards, Joyce Babu
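The keytab-based GSSAPI flow recommended in the replies, written up as an added example script (not code from the thread or from FreeIPA): it derives the service entry's DN from the principal, obtains a TGT from the keytab into a private credential cache, checks that the TGT is really there, and only then searches with SASL GSSAPI instead of a simple bind. It assumes kinit, klist and ldapsearch are installed and that the base DN is the realm name lowercased (FreeIPA's default; a custom install may differ).

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread. Authenticate to FreeIPA's
# LDAP as a Kerberos service principal via its keytab and SASL GSSAPI.
# Assumption: base DN is the lowercased realm (EXAMPLE.COM -> dc=example,dc=com).

# EXAMPLE.COM -> dc=example,dc=com
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# HTTP/host@EXAMPLE.COM ->
# krbprincipalname=HTTP/host@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
# (the DN form used in the thread; useful for ACIs, not for a simple bind,
# because service entries carry no userPassword)
service_dn() {
    realm=${1##*@}
    printf 'krbprincipalname=%s,cn=services,cn=accounts,%s' "$1" "$(realm_to_basedn "$realm")"
}

# Obtain a TGT from the keytab, verify it, and run a GSSAPI-authenticated search.
# Usage: ipa_service_search <keytab> <principal> <ipa-server-fqdn> [ldap-filter]
ipa_service_search() {
    keytab=$1; princ=$2; server=$3; filter=${4:-'(objectClass=*)'}
    [ -r "$keytab" ] || { echo "keytab $keytab is not readable" >&2; return 1; }
    # Private credential cache so the calling user's own TGT is never touched.
    KRB5CCNAME=$(mktemp -t ipa-svc.XXXXXX) || return 1
    export KRB5CCNAME
    kinit -kt "$keytab" "$princ" || { echo "kinit failed for $princ" >&2; rm -f "$KRB5CCNAME"; return 1; }
    # Confirm the cache really holds a ticket for this principal before binding.
    klist | grep -q "$princ" || { echo "no TGT for $princ in cache" >&2; rm -f "$KRB5CCNAME"; return 1; }
    base="cn=groups,cn=accounts,$(realm_to_basedn "${princ##*@}")"
    # -Y GSSAPI uses the TGT; "1.1" asks for no attributes, so only DNs are listed.
    ldapsearch -Y GSSAPI -H "ldap://$server" -b "$base" "$filter" 1.1
    rc=$?
    kdestroy >/dev/null 2>&1
    rm -f "$KRB5CCNAME"
    return $rc
}
```

A call such as `ipa_service_search /tmp/test.keytab HTTP/service.domain.tld@EXAMPLE.COM ipa.example.com` performs the same kinit and ldapsearch -Y GSSAPI steps the reply shows, with the checks added.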
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org