That's great news. Thanks for closing the loop and providing the config!
rob
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
I finally fixed it.
Here's what I did:
<userSearch>
<base> uid={0} </base>
<baseContextDN> cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG
</baseContextDN>
</userSearch>
<roleSearch>
<roleBase> member={1} </roleBase>
<roleContextDN> cn=nnmi_access,cn=groups,cn=accounts,
dc=PROJECT,dc=EXAMPLE,dc=ORG </roleContextDN>
</roleSearch>
And, would you believe, it makes a huge difference when the bindCredential is NOT
COMMENTED OUT !!
I discovered it by running ldapsearch by hand to try for access log
outputs identical to the ones produced by the application.
Thanks again for your help.
______________________________________________________________________________________________
Daniel E. White
daniel.e.white(a)nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
From: "White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Date: Friday, December 6, 2019 at 10:22
To: Rob Crittenden <rcritten(a)redhat.com>, FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Daniel White <daniel.e.white(a)nasa.gov>
Subject: [Freeipa-users] Re: [EXTERNAL] Re: Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
I agree with your response:
user search base="cn=users,cn=accounts,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG"
group search base = " cn=nnmi_access,cn=groups,cn=accounts,
dc=PROJECT,dc=EXAMPLE,dc=ORG"
AND change the roleBase from member to memberOf
This is based on the results of tinkering with ldapsearch queries,
trying the various base strings and field names.
Sadly, I cannot try this new info until Monday as the guy in charge of
that server is out today and I promised not to tinker without
permission/approval ☹
Anyway, many thanks for your responses, Rob.
I think I am close to The Answer ! (42, right ?)
______________________________________________________________________________________________
Daniel E. White
daniel.e.white(a)nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
From: Rob Crittenden <rcritten(a)redhat.com>
Date: Friday, December 6, 2019 at 10:07
To: Daniel White <daniel.e.white(a)nasa.gov>, FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
White, Daniel E. (GSFC-770.0)[NICS] wrote:
We set roleContextDN to cn=nnmi-access
And it still barfs, but I found stuff in the access log file: (redacted
a bit)
[06/Dec/2019:12:49:18.055641820 +0000] conn=2805 fd=110 slot=110
connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.055983514 +0000] conn=2805 op=0 BIND dn=""
method=128 version=3
[06/Dec/2019:12:49:18.056068589 +0000] conn=2805 op=0 RESULT err=0
tag=97 nentries=0 etime=0.0000264910 dn=""
[06/Dec/2019:12:49:18.060407586 +0000] conn=2805 op=1 SRCH
base="cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG" scope=2
filter="(uid=USER)" attrs="distinguishedName"
[06/Dec/2019:12:49:18.060803785 +0000] conn=2805 op=1 RESULT err=0
tag=101 nentries=1 etime=0.0000453635
Right so the user is found, that's good. You should change the user
search base from cn=compat to cn=accounts.
Looks like it is doing an anonymous bind which is going to provide
limited information. I'm pretty sure there is a way to configure a bind
user for this but the how baffles me.
[06/Dec/2019:12:49:18.067812476 +0000] conn=2807 fd=128 slot=128
connection from NNMi-Server to IdM-Server
[06/Dec/2019:12:49:18.068098286 +0000] conn=2807 op=0 BIND dn=""
method=128 version=3
[06/Dec/2019:12:49:18.068165707 +0000] conn=2807 op=0 RESULT err=0
tag=97 nentries=0 etime=0.0000161713 dn=""
[06/Dec/2019:12:49:18.071528890 +0000] conn=2807 op=1 SRCH
base="cn=nnmi_access" scope=2
filter="(member=uid=USER,cn=users,cn=compat,dc=lab,dc=PROJECT,dc=EXAMPLE,dc=ORG)"
attrs="1.1"
[06/Dec/2019:12:49:18.071562192 +0000] conn=2807 op=1 RESULT err=32
tag=101 nentries=0 etime=0.0000074662
The search base is cn=nnmi_access which doesn't exist, but this shows us
that wherever you configured this value should be
cn=groups,cn=accounts,... so that's something. It will need to bind as a
real user to get memberof though, so that will need to be addressed too.
This is what popped up in the access log when this command was run on the
NNMi server:
nnmldap.ovpl -diagnose USER
So yeah it's nice that you have a tool to easily verify things. By
poking at the config and using this tool and watching the logs you may
be able to bang on it enough to get things to work.
So basically you've gotten the user configuration mostly right; you just
need to get the group base configuration done and figure out how to
specify a user to bind as.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...