Hi ivars
Many thanks that's just what I was looking for.
Sorry about the iPad, it should be IPA, but it seems I am a victim of autocorrect 🤣
Regards Per
Sent from my Commodore 64
On 8 Aug 2017, at 18:07, Ivars Strazdiņš via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hi Per,

Could you define "working configuration" requirements and what's iPad specific? Anyway, below is my setup with CentOS Apache to authenticate against IPA via LDAP using either username (uid) or e-mail. No Kerberos or GSSAPI used, just "pure" LDAP. Please note, IPA group "shareusers" membership is required. IPA host is im.example.com.

With kind regards,
Ivars
File /etc/httpd/access/ldap.conf
AuthName "File service login"
# AuthBasicProviders are defined in ../conf.d/00-ldap.conf
AuthBasicProvider ldap-uid ldap-mail
AuthType Basic

# Even if AuthLDAPURL is defined in AuthnProviderAlias in ../conf.d/00-ldap.conf and processed earlier
# these directives are mandatory to authorize after authentication
AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
AuthLDAPInitialBindAsUser On
AuthLDAPSearchAsUser On
AuthLDAPCompareAsUser On
File /etc/httpd/conf.d/00-ldap.conf
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
# AuthnProviderAlias must be defined here, it cannot be in VirtualHost
# because ../access/ldap.conf is VirtualHost level
# ldap-mail is tried last (after ldap-uid)
<AuthnProviderAlias ldap ldap-mail>
    AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
    # this one (last) must be authoritative
    # AuthLDAPBindAuthoritative off
    AuthLDAPInitialBindAsUser On
    AuthLDAPSearchAsUser On
    AuthLDAPCompareAsUser On
    AuthLDAPInitialBindPattern (.+)\@(.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>
# ldap-uid is tried first
<AuthnProviderAlias ldap ldap-uid>
    AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
    # first one is NOT authoritative
    AuthLDAPBindAuthoritative off
    AuthLDAPInitialBindAsUser On
    AuthLDAPSearchAsUser On
    AuthLDAPCompareAsUser On
    AuthLDAPInitialBindPattern (.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>
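The following is an added, offline model of the two-provider chain in Ivars's configuration; it is not code from the thread or from mod_authnz_ldap. It mimics what each <AuthnProviderAlias> block does (initial-bind DN from AuthLDAPInitialBindPattern, then the AuthLDAPURL search with its memberOf filter) against a constructed in-memory directory, and shows why the first provider (ldap-uid) must have AuthLDAPBindAuthoritative off: an e-mail login never matches a uid, so it has to fall through to ldap-mail. The users alice and bob, their passwords and the directory contents are made up for the example.

```python
"""Offline model of the ldap-uid -> ldap-mail provider chain from the thread.

Constructed example: the directory below stands in for the IPA users subtree
and is not real data. It models mod_authnz_ldap's behaviour only loosely.
"""
import re

BASE = "cn=users,cn=accounts,dc=example,dc=com"
GROUP = "cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com"

# Constructed stand-in for the IPA users subtree (assumption, not real data).
DIRECTORY = {
    f"uid=alice,{BASE}": {"uid": "alice", "mail": "alice@example.com",
                          "password": "alice-pw", "memberOf": [GROUP]},
    # bob exists but is not a member of shareusers
    f"uid=bob,{BASE}": {"uid": "bob", "mail": "bob@example.com",
                        "password": "bob-pw", "memberOf": []},
}

# One entry per <AuthnProviderAlias>, in AuthBasicProvider order:
# the AuthLDAPInitialBindPattern regex, the attribute from AuthLDAPURL,
# and whether a failure stops the chain (AuthLDAPBindAuthoritative).
PROVIDERS = [
    {"name": "ldap-uid", "pattern": re.compile(r"^(.+)$"),
     "attr": "uid", "authoritative": False},
    {"name": "ldap-mail", "pattern": re.compile(r"^(.+)\@(.+)$"),
     "attr": "mail", "authoritative": True},
]


def initial_bind(pattern, login, password):
    """AuthLDAPInitialBindAsUser: build uid=$1,BASE from the pattern and bind."""
    m = pattern.match(login)
    if not m:
        return None
    dn = f"uid={m.group(1)},{BASE}"
    entry = DIRECTORY.get(dn)
    if entry is None or entry["password"] != password:
        return None
    return entry


def search_as_user(attr, login):
    """AuthLDAPURL '...?<attr>?sub?(memberOf=GROUP)': entry whose attr matches
    the login AND that passes the group filter."""
    for dn, entry in DIRECTORY.items():
        if entry.get(attr) == login and GROUP in entry["memberOf"]:
            return dn
    return None


def authenticate(login, password, providers=PROVIDERS):
    """Walk the provider chain. Returns (provider_name, dn) on success,
    or (None, reason) when every provider rejected the login."""
    for prov in providers:
        entry = initial_bind(prov["pattern"], login, password)
        if entry is None:
            reason = "initial bind failed"
        else:
            dn = search_as_user(prov["attr"], login)
            if dn:
                return prov["name"], dn
            reason = "no entry matching filter (not in shareusers?)"
        if prov["authoritative"]:
            return None, f"{prov['name']}: {reason}"
    return None, "no provider accepted the login"


# Variant with the FIRST provider authoritative, to show the misconfiguration:
# an e-mail login fails at ldap-uid and never reaches ldap-mail.
BROKEN_PROVIDERS = [dict(PROVIDERS[0], authoritative=True), PROVIDERS[1]]


if __name__ == "__main__":
    for login, pw in [("alice", "alice-pw"), ("alice@example.com", "alice-pw"),
                      ("bob", "bob-pw"), ("bob@example.com", "bob-pw")]:
        print(login, "->", authenticate(login, pw))
    print("broken chain:", authenticate("alice@example.com", "alice-pw", BROKEN_PROVIDERS))
```

With the chain as configured, "alice" is accepted by ldap-uid and "alice@example.com" by ldap-mail, while bob is rejected either way because the memberOf filter in AuthLDAPURL excludes him. With the first provider authoritative (BROKEN_PROVIDERS), the e-mail form of the login is refused before ldap-mail is ever consulted.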
On 2017. gada 8. aug., at 15:11, Per Qvindesland via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hi All
Does anyone have any working mod_ldap configuration for CentOS 7 with Apache 2.4.6 with iPad to share?
Regards Per
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org