Is there a way to proxy client LDAP requests to the upstream Active Directory that FreeIPA is configured to trust?
I have AD, where users live. I have FreeIPA / RedHat IdM. And I have servers that are registered to FreeIPA.
But I also have applications (such as Mediawiki, or Red Hat Satellite, to name a few) that support LDAP authentication. I want to be able to use my AD credentials to log in to Mediawiki or Satellite, but have the application bind to FreeIPA, instead of binding it to AD.
Is this possible?
Currently, I have successfully bound Mediawiki to FreeIPA, and I can log in to Mediawiki using an account that is built locally instead of FreeIPA, but I cannot log in to Mediawiki using my AD credentials.
-----
David White
Engineer II, Fiber Systems Engineering
(423) 648-1500, Option 2
On Mon, Jan 06, 2020 at 05:01:05PM +0000, White, David via FreeIPA-users wrote:
Hi,
you can bind as AD user with the DN of the AD user object from the compat tree, see e.g. https://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts for details.
HTH
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello, thanks for your response on this.
> you can bind as AD user with the DN of the AD user object from the compat tree
To confirm, are you suggesting that I simply create the service account inside of Active Directory, but still have Mediawiki talk to the IdM server?
Mediawiki takes a JSON file. The following works perfectly fine when I use an IdM service account. In the config below, `idm.example.com` is a specific node in the IdM cluster.
{
  "LDAP": {
    "connection": {
      "server": "idm.example.com",
      "user": "uid=admin,cn=users,cn=compat,dc=example,dc=com",
      "pass": "REDACTED",
      "port": "389",
      "enctype": "clear",
      "basedn": "dc=example,dc=com",
      "groupbasedn": "dc=example,dc=com",
      "userbasedn": "dc=example,dc=com",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",
      "usernameattribute": "uid",
      "realnameattribute": "cn",
      "emailattribute": "mail"
    }
  }
}
When I update this config to talk to AD, I use the same server address, but I change the values as appropriate to match AD's requirements for searchattribute, searchstring, usernameattribute, etc.
I'm still unable to get this to work, but I'm also still troubleshooting, and not giving up. As I continue to troubleshoot, I wanted to respond to this and make sure I'm clear on what you're suggesting.
Thanks again, David
From: Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Date: Monday, January 6, 2020 at 12:10 PM
To: "freeipa-users@lists.fedorahosted.org" <freeipa-users@lists.fedorahosted.org>
Cc: Sumit Bose <sbose@redhat.com>
Subject: [Freeipa-users] Re: Proxy LDAP queries to Active Directory
On Tue, Jan 14, 2020 at 03:57:09PM +0000, White, David via FreeIPA-users wrote:
> { "LDAP": { "connection": { "server": "idm.example.com", "user": "uid=admin,cn=users,cn=compat,dc=example,dc=com", "pass": "REDACTED", "port":"389", "enctype":"clear", "basedn": "dc=example,dc=com", "groupbasedn": "dc=example,dc=com", "userbasedn": "dc=example,dc=com",
Hi,
you should use the cn=compat DNs as search bases
"groupbasedn": "cn=groups,cn=compat,dc=example,dc=com", "userbasedn": "cn=users,cn=compat,dc=example,dc=com",
> "searchattribute": "uid", "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",
and here only "searchstring": "USER-NAME",
should be sufficient if you use the fully-qualified name of the AD user when logging in.
HTH
bye, Sumit
Thank you for this. Unfortunately, I think I'm still missing something, as it doesn't appear to me that any LDAP (389/tcp) traffic is leaving IdM and going to Active Directory when an LDAP request comes in from Mediawiki with Active Directory credentials.
With the configuration below, if I run tcpdump watching port 389 on the idm.example.com node, I only see traffic coming to and from the IdM server. I don't see any traffic between the IdM server and Active Directory.
Furthermore, in /var/log/dirsrv/slapd-EXAMPLE-COM/access.log, I see:

[17/Jan/2020:15:07:21.554948001 -0500] conn=3015 fd=137 slot=137 connection from 192.168.239.30 to 172.30.50.2
[17/Jan/2020:15:07:21.555400106 -0500] conn=3015 op=0 BIND dn="EXAMPLE\svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com" authzid="(null)", invalid bind dn
[17/Jan/2020:15:07:21.555446320 -0500] conn=3015 op=0 RESULT err=34 tag=97 nentries=0 etime=0.0000431413
I see similar log entries for the other user syntaxes below, i.e. EXAMPLE\svc_wiki, svc_wiki@example.com, etc.
My Mediawiki config is currently as follows. I've added the comments below for your information; the comments are not actually a part of the file:
"server": "idm.example.com",   # A single IdM node
"user": "cn=svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com",   # svc_wiki is a service account in AD. I have also tried setting cn=EXAMPLE\svc_wiki, as well as cn=svc_wiki@example.com
"pass": "REDACTED",
"port": "389",
"enctype": "clear",
"basedn": "dc=example,dc=com",
"groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
"userbasedn": "cn=users,cn=compat,dc=example,dc=com",
"searchattribute": "sAMAccountName",   # I have also tried uid
"searchstring": "USER-NAME",   # I have also tried EXAMPLE\USER-NAME
"usernameattribute": "sAMAccountName",   # I have also tried uid
"realnameattribute": "cn",
"emailattribute": "mail"
From: Sumit Bose <sbose@redhat.com>
Date: Tuesday, January 14, 2020 at 11:18 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: "White, David" <whitedm@epb.net>
Subject: Re: [Freeipa-users] Re: Proxy LDAP queries to Active Directory
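An added example, not code from this thread, from FreeIPA or from Mediawiki: a small Python check that pairs the BIND/RESULT lines quoted above, names err=34 as invalidDNSyntax (the bind DN `EXAMPLE\svc_wiki,ou=...` has no `attr=` in its first component, so the directory server rejects it before it ever looks at a password, which is also why no traffic towards AD appears in tcpdump), and lints the Mediawiki `connection` block against Sumit's advice: bind with the AD user's compat-tree DN (`uid=<user>@<AD domain>,cn=users,cn=compat,<IPA base>`), search under `cn=compat`, and log in with the fully-qualified AD name. The AD domain `ad.example.com`, the `uid`-keyed compat entries and the `tls` value for `enctype` used in `harden_connection` are assumptions, not values from the thread; confirm the real compat DN with an ldapsearch against the IdM server before relying on it.

```python
# Added example (not code from the thread, FreeIPA or Mediawiki): pair 389-ds
# BIND/RESULT log lines, validate bind DN syntax and lint the Mediawiki block.
import re

# LDAP result codes relevant here (RFC 4511 values).
LDAP_RESULT = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # one RDN: attr=value, non-empty value

# Constructed copy of the three access.log lines quoted in the thread.
SAMPLE_LOG = """\
[17/Jan/2020:15:07:21.554948001 -0500] conn=3015 fd=137 slot=137 connection from 192.168.239.30 to 172.30.50.2
[17/Jan/2020:15:07:21.555400106 -0500] conn=3015 op=0 BIND dn="EXAMPLE\\svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com" authzid="(null)", invalid bind dn
[17/Jan/2020:15:07:21.555446320 -0500] conn=3015 op=0 RESULT err=34 tag=97 nentries=0 etime=0.0000431413
"""

# Constructed copy of the connection block from the last message above.
SAMPLE_CONN = {
    "server": "idm.example.com",
    "user": "cn=svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com",
    "pass": "REDACTED", "port": "389", "enctype": "clear", "basedn": "dc=example,dc=com",
    "groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
    "userbasedn": "cn=users,cn=compat,dc=example,dc=com",
    "searchattribute": "sAMAccountName", "searchstring": "USER-NAME",
    "usernameattribute": "sAMAccountName", "realnameattribute": "cn", "emailattribute": "mail",
}


def parse_bind_results(log_text):
    """Pair each BIND with its RESULT by (conn, op) and name the result code."""
    binds = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[m.group(1, 2)] = {"dn": m.group(3), "err": None, "reason": None}
            continue
        m = RESULT_RE.search(line)
        if m and m.group(1, 2) in binds:
            err = int(m.group(3))
            binds[m.group(1, 2)].update(err=err, reason=LDAP_RESULT.get(err, "other"))
    return list(binds.values())


def dn_is_valid(dn):
    """RFC 4514 lite: split on unescaped commas; every RDN must be attr=value.
    "EXAMPLE\\svc_wiki,ou=..." has no '=' in its first component, hence err=34."""
    return bool(dn) and all(RDN_RE.match(p.strip()) for p in re.split(r"(?<!\\),", dn))


def compat_user_dn(ad_user, ad_domain, ipa_base):
    """DN of a trusted-domain user in the compat tree (uid=<user>@<AD domain>);
    ad_domain is an assumption here, confirm with ldapsearch on the IdM server."""
    return f"uid={ad_user}@{ad_domain},cn=users,cn=compat,{ipa_base}"


def lint_connection(conn):
    """Return {field: problem} for a Mediawiki LDAP 'connection' block."""
    base = conn.get("basedn", "")
    users, groups = f"cn=users,cn=compat,{base}", f"cn=groups,cn=compat,{base}"
    user, findings = conn.get("user", ""), {}
    if not dn_is_valid(user):
        findings["user"] = "bind DN has invalid DN syntax; the server answers err=34"
    elif not user.lower().endswith(users.lower()):
        findings["user"] = f"bind DN is not a compat-tree entry under {users}"
    if conn.get("userbasedn", "").lower() != users.lower():
        findings["userbasedn"] = f"should be {users}"
    if conn.get("groupbasedn", "").lower() != groups.lower():
        findings["groupbasedn"] = f"should be {groups}"
    if conn.get("searchstring") != "USER-NAME":
        findings["searchstring"] = 'should be "USER-NAME"; users log in as user@AD.DOMAIN'
    for key in ("searchattribute", "usernameattribute"):
        if conn.get(key) != "uid":
            findings[key] = "compat-tree user entries are keyed by uid, not sAMAccountName"
    if conn.get("enctype") == "clear":
        findings["enctype"] = "service-account password crosses the network unencrypted"
    return findings


def harden_connection(conn, ad_user, ad_domain):
    """Copy of conn with the thread's advice applied. 'tls' (STARTTLS on 389) is
    an assumed enctype keyword; check the extension's accepted values."""
    base, fixed = conn["basedn"], dict(conn)
    fixed.update(user=compat_user_dn(ad_user, ad_domain, base),
                 userbasedn=f"cn=users,cn=compat,{base}",
                 groupbasedn=f"cn=groups,cn=compat,{base}",
                 searchattribute="uid", usernameattribute="uid",
                 searchstring="USER-NAME", enctype="tls")
    return fixed


if __name__ == "__main__":
    for b in parse_bind_results(SAMPLE_LOG):
        print(f"BIND dn={b['dn']!r} -> err={b['err']} ({b['reason']})")
    for field, problem in lint_connection(SAMPLE_CONN).items():
        print(f"{field}: {problem}")
    print("suggested bind DN:", harden_connection(SAMPLE_CONN, "svc_wiki", "ad.example.com")["user"])
```

Run against the quoted log, the script reports the single bind as err=34 invalidDNSyntax, and against the quoted config it flags four fields: the bind DN (an AD-style DN that is not an IdM compat-tree entry), the two sAMAccountName attributes, and the cleartext bind; the search bases already follow Sumit's advice and pass. The hardened copy lints clean, and its bind DN is the form to verify with ldapsearch on the IdM node.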