I am trying to follow the instructions on this page: https://www.freeipa.org/page/Apache_Group_Based_Authorization
Because I want to only grant access to the web resources and not logins, and because the load can often be heavy, I am trying to use the mod_authnz_ldap setup. I don't have any virtual host configuration on the web servers.
I have a basic setup of IPA and have been able to add users and modify them through the ipa web interface.
When I try to run the command: ldapmodify -h ipa01.example.com -p 389 -x -D "cn=Directory Manager" -w <DM Password> -f httpbind.ldif
I get the result: ldap_modify: No such object (32)
Naturally, I changed the "dc=example,dc=com" to "dc=a,dc=b,dc=c", where I set up my ipa installation as "a.b.c".
Simon Matthews via FreeIPA-users wrote:
I am trying to follow the instructions on this page: https://www.freeipa.org/page/Apache_Group_Based_Authorization
Because I want to only grant access to the web resources and not logins, and because the load can often be heavy, I am trying to use the mod_authnz_ldap setup. I don't have any virtual host configuration on the web servers.
I have a basic setup of IPA and have been able to add users and modify them through the ipa web interface.
When I try to run the command: ldapmodify -h ipa01.example.com -p 389 -x -D "cn=Directory Manager" -w <DM Password> -f httpbind.ldif
I get the result: ldap_modify: No such object (32)
Naturally, I changed the "dc=example,dc=com" to "dc=a,dc=b,dc=c", where I set up my ipa installation as "a.b.c".
Hard to say without seeing the actual ldif you are loading but you'll need to carefully check the dn to ensure it matches your configuration.
rob
I should also mention that I ran a script to delete most of the users. If this (httpbind) is a user that is automatically configured when I set up my ipa installation, that might explain this.
Simon Matthews via FreeIPA-users wrote:
I should also mention that I ran a script to delete most of the users. If this (httpbind) is a user that is automatically configured when I set up my ipa installation, that might explain this.
I'm lost. What users did you delete? A basic IPA installation contains only one user: admin. And that is a required account.
The process you're following is to create a bind account in IPA. This is done by tweaking the ldif on the wiki page to match your environment.
You need to carefully check that the dc values match what your installation has (see basedn in /etc/ipa/default.conf).
rob
Simon Matthews via FreeIPA-users wrote:
I'm lost. What users did you delete? A basic IPA installation contains only one user: admin. And that is a required account.
The process you're following is to create a bind account in IPA. This is done by tweaking the ldif on the wiki page to match your environment.
You need to carefully check that the dc values match what your installation has (see basedn in /etc/ipa/default.conf).
rob
Thanks for your reply.
There were a couple of users that I made sure I did not delete. "admin" was one of them. I deleted them because I am tweaking a script to import the users, and some users did not get fields such as email addresses properly set.
From /etc/ipa/default.conf: basedn = dc=ipa,dc=bluepearlsoftware,dc=com
The ldif file:
 dn: uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: httpbind
 userPassword: ohaimakethissimethingtoughtobreak
 passwordExpirationTime: 20380119031407Z
 nsIdleTimeout: 0
Exact command I am running and the full output:
ldapmodify -h ipa1.sj.bps -p 389 -f /tmp/dm.ldif
SASL/GSSAPI authentication started
SASL username: admin@IPA.BLUEPEARLSOFTWARE.COM
SASL SSF: 256
SASL data security layer installed.
modifying entry "uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=comchangetype: addobjectclass: accountobjectclass: simplesecurityobjectuid: httpbinduserPassword: ohaimakethissimethingtoughtobreakpasswordExpirationTime: 20380119031407ZnsIdleTimeout: 0"
ldap_modify: No such object (32)
Simon Matthews via FreeIPA-users wrote:
Simon Matthews via FreeIPA-users wrote:
I'm lost. What users did you delete? A basic IPA installation contains only one user: admin. And that is a required account.
The process you're following is to create a bind account in IPA. This is done by tweaking the ldif on the wiki page to match your environment.
You need to carefully check that the dc values match what your installation has (see basedn in /etc/ipa/default.conf).
rob
Thanks for your reply.
There were a couple of users that I made sure I did not delete. "admin" was one of them. I deleted them because I am tweaking a script to import the users, and some users did not get fields such as email addresses properly set.
From /etc/ipa/default.conf: basedn = dc=ipa,dc=bluepearlsoftware,dc=com
The ldif file:
 dn: uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: httpbind
 userPassword: ohaimakethissimethingtoughtobreak
 passwordExpirationTime: 20380119031407Z
 nsIdleTimeout: 0
Exact command I am running and the full output:
ldapmodify -h ipa1.sj.bps -p 389 -f /tmp/dm.ldif
SASL/GSSAPI authentication started
SASL username: admin@IPA.BLUEPEARLSOFTWARE.COM
SASL SSF: 256
SASL data security layer installed.
modifying entry "uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=comchangetype: addobjectclass: accountobjectclass: simplesecurityobjectuid: httpbinduserPassword: ohaimakethissimethingtoughtobreakpasswordExpirationTime: 20380119031407ZnsIdleTimeout: 0"
ldap_modify: No such object (32)
Remove the leading spaces on all the lines. A leading space is a continuation marker in LDIF so the contents are being treated as a single line.
rob
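To make the folding rule in Rob's diagnosis concrete, and to cover his earlier advice to check that the dn ends in the basedn from /etc/ipa/default.conf, here is an added Python example (not code from the thread or from FreeIPA) that models RFC 2849 line unfolding over a constructed copy of the record; the userPassword value is a placeholder, and the indented version collapses into the same run-together "dn" that the ldapmodify output shows.

```python
"""Model the LDIF line-folding rule behind the thread's "No such object (32)".
RFC 2849: a line beginning with a space continues the previous line (the space
is dropped, the rest appended), so a fully indented file collapses into one huge
"dn:" value that the server cannot find. Added example, not code from the thread
or from FreeIPA; the password below is a constructed placeholder.
"""

def unfold_ldif(text: str) -> list[str]:
    """Join continuation lines (leading space) onto the line before them."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation: drop the marker space
        elif raw.strip():
            logical.append(raw)
    return logical

def parse_entry(text: str) -> dict[str, list[str]]:
    """Map lowercased attribute names to their values for one LDIF record."""
    attrs: dict[str, list[str]] = {}
    for line in unfold_ldif(text):
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.lstrip())
    return attrs

# Constructed copy of the thread's record with the leading-space mistake.
BASEDN = "dc=ipa,dc=bluepearlsoftware,dc=com"
BROKEN = "\n".join(" " + line for line in [
    f"dn: uid=httpbind,cn=sysaccounts,cn=etc,{BASEDN}",
    "changetype: add",
    "objectclass: account",
    "objectclass: simplesecurityobject",
    "uid: httpbind",
    "userPassword: CHANGEME-placeholder",  # constructed, not the real value
    "passwordExpirationTime: 20380119031407Z",
    "nsIdleTimeout: 0",
])
FIXED = "\n".join(line.lstrip() for line in BROKEN.splitlines())

def lint_ldif(text: str) -> list[str]:
    """Checks worth running before ldapmodify; returns the problems found."""
    problems = []
    if text.startswith(" "):
        problems.append("first line is indented: there is nothing for it to continue")
    entry = parse_entry(text)
    if len(entry) == 1:
        problems.append("record folded into one attribute; look for indented lines")
    if not entry.get("dn", [""])[0].lower().endswith(BASEDN):
        problems.append(f"dn does not end with basedn {BASEDN}")
    return problems
```

Running lint_ldif(BROKEN) reports all three problems, while lint_ldif(FIXED) returns an empty list and parse_entry(FIXED) yields the seven separate attributes the server expects.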
freeipa-users@lists.fedorahosted.org