> Hi,
>
> you should use the cn=compat DNs as search bases
>
> "groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
> "userbasedn": "cn=users,cn=compat,dc=example,dc=com",
>
> > "searchattribute": "uid",
> > "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",
>
> and here only
>
> "searchstring": "USER-NAME",
>
> should be sufficient if you use the fully-qualified name of the AD
> user when logging in.
Thank you for this.

Unfortunately, I think I'm still missing something, as it doesn't appear to me
that any LDAP (389/tcp) traffic is leaving IdM and going to Active Directory when an LDAP
request comes in from Mediawiki with Active Directory credentials.

With the configuration below, if I run tcpdump watching port 389 on the
idm.example.com node, I only see traffic coming to and from the IdM server.
I don't see any traffic between the IdM server and Active Directory.
Furthermore, in /var/log/dirsrv/slapd-EXAMPLE-COM/access.log, I see:

    [17/Jan/2020:15:07:21.554948001 -0500] conn=3015 fd=137 slot=137 connection from 192.168.239.30 to 172.30.50.2
    [17/Jan/2020:15:07:21.555400106 -0500] conn=3015 op=0 BIND dn="EXAMPLE\svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com" authzid="(null)", invalid bind dn
    [17/Jan/2020:15:07:21.555446320 -0500] conn=3015 op=0 RESULT err=34 tag=97 nentries=0 etime=0.0000431413
I see similar log entries based on the user syntax below, i.e. EXAMPLE\svc_wiki,
svc_wiki@example.com, etc.
My Mediawiki config is currently as follows. I've added the comments below for your
information; the comments are not actually a part of the file:

    "server": "idm.example.com",           # A single IdM node
    "user": "cn=svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com",
        # svc_wiki is a service account in AD. I have also tried
        # setting cn=EXAMPLE\svc_wiki, as well as cn=svc_wiki@example.com
    "pass": "REDACTED",
    "port": "389",
    "enctype": "clear",
    "basedn": "dc=example,dc=com",
    "groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
    "userbasedn": "cn=users,cn=compat,dc=example,dc=com",
    "searchattribute": "sAMAccountName",   # I have also tried uid
    "searchstring": "USER-NAME",           # I have also tried EXAMPLE\\USER-NAME
    "usernameattribute": "sAMAccountName", # I have also tried uid
    "realnameattribute": "cn",
    "emailattribute": "mail"
-----
David White
Engineer II, Fiber Systems Engineering
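The err=34 entries in the access.log above, as an added example that is not part of the thread (standard-library Python, not MediaWiki or FreeIPA code): it pairs BIND and RESULT lines by conn/op to list failed binds, checks whether the rejected DN even has the attributeType=value shape that err=34 (invalidDNSyntax) complains about, and builds the compat-tree bind DN Sumit recommends. The log lines are constructed from the ones quoted above; the uid=user@ad.domain layout of the compat tree, the lowercasing, and the dc=example,dc=com base are assumptions.

```python
import re
# Constructed sample of the 389-ds access.log entries quoted in the thread (one failed bind).
ACCESS_LOG = r"""
[17/Jan/2020:15:07:21.554948001 -0500] conn=3015 fd=137 slot=137 connection from 192.168.239.30 to 172.30.50.2
[17/Jan/2020:15:07:21.555400106 -0500] conn=3015 op=0 BIND dn="EXAMPLE\svc_wiki,ou=MediaWiki,ou=Applications,ou=Network Groups,dc=example,dc=com" authzid="(null)", invalid bind dn
[17/Jan/2020:15:07:21.555446320 -0500] conn=3015 op=0 RESULT err=34 tag=97 nentries=0 etime=0.0000431413
"""
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=.+$')   # attributeType=value, as RFC 4514 requires

def failed_binds(log_text):
    """Pair each BIND with the RESULT of the same conn/op; return (dn, err) for err != 0."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn, err = pending.pop((m.group(1), m.group(2))), int(m.group(3))
            if err != 0:
                failures.append((dn, err))
    return failures

def dn_syntax_ok(dn):
    """False for a DN like 'EXAMPLE\\svc_wiki,ou=...': the first RDN has no '=' (err=34)."""
    rdns = re.split(r'(?<!\\),', dn)             # split on unescaped commas only
    return all(RDN_RE.match(r.strip()) for r in rdns)

def rfc4514_escape(value):
    """Escape a DN attribute value per RFC 4514 section 2.4 (backslash, comma, etc.)."""
    out = re.sub(r'([\\,+"<>;])', r'\\\1', value)
    if out[:1] in (' ', '#'):                    # leading space or '#'
        out = '\\' + out
    if out.endswith(' '):                        # trailing space
        out = out[:-1] + '\\ '
    return out

def compat_bind_dn(ad_user, ad_domain=None, ipa_base="dc=example,dc=com"):
    """Assumed compat-tree layout: uid=<user@ad.domain>,cn=users,cn=compat,<ipa base>.
    Accepts 'user', 'DOMAIN\\user' or 'user@domain'; the first two need ad_domain."""
    if "\\" in ad_user:                          # drop a NetBIOS DOMAIN\ prefix
        ad_user = ad_user.rpartition("\\")[2]
    if "@" in ad_user:                           # UPN form carries its own domain
        ad_user, _, ad_domain = ad_user.partition("@")
    if not ad_domain:
        raise ValueError("AD domain is required for %r" % ad_user)
    fqn = "%s@%s" % (ad_user.lower(), ad_domain.lower())
    return "uid=%s,cn=users,cn=compat,%s" % (rfc4514_escape(fqn), ipa_base)
```

Running failed_binds over a real access.log and feeding each rejected DN to dn_syntax_ok separates "not a DN at all" (err=34) from binds that are well-formed but simply wrong.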
From: Sumit Bose <sbose(a)redhat.com>
Date: Tuesday, January 14, 2020 at 11:18 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: "White, David" <whitedm(a)epb.net>
Subject: Re: [Freeipa-users] Re: Proxy LDAP queries to Active Directory
On Tue, Jan 14, 2020 at 03:57:09PM +0000, White, David via FreeIPA-users wrote:
> Hello,
>
> Thanks for your response on this.
>
> > you can bind as AD user with the DN of the AD user object from the compat tree
>
> To confirm, are you suggesting that I simply create the service account inside of Active
> Directory, but still have Mediawiki talk to the IdM server?
>
> Mediawiki takes a JSON file.
>
> The following works perfectly fine when I use an IdM service account. In the below
> config, `idm.example.com` is a specific node in the IdM cluster.
>
> {
>   "LDAP": {
>     "connection": {
>       "server": "idm.example.com",
>       "user": "uid=admin,cn=users,cn=compat,dc=example,dc=com",
>       "pass": "REDACTED",
>       "port":"389",
>       "enctype":"clear",
>       "basedn": "dc=example,dc=com",
>       "groupbasedn": "dc=example,dc=com",
>       "userbasedn": "dc=example,dc=com",
Hi,

you should use the cn=compat DNs as search bases

"groupbasedn": "cn=groups,cn=compat,dc=example,dc=com",
"userbasedn": "cn=users,cn=compat,dc=example,dc=com",

> "searchattribute": "uid",
> "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",

and here only

"searchstring": "USER-NAME",

should be sufficient if you use the fully-qualified name of the AD user
when logging in.

HTH

bye,
Sumit
>       "usernameattribute": "uid",
>       "realnameattribute": "cn",
>       "emailattribute": "mail"
>     }
>   }
> }
>
> When I update this config to talk to AD, I use the same server address, but I change the
> values as appropriate to match AD's requirements for searchattribute, searchstring,
> usernameattribute, etc.
>
> I'm still unable to get this to work, but I'm also still troubleshooting, and not
> giving up.
>
> As I continue to troubleshoot, I wanted to respond to this and make sure I'm clear on
> what you're suggesting.
>
> Thanks again,
> David
> From: Sumit Bose via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Date: Monday, January 6, 2020 at 12:10 PM
> To: "freeipa-users(a)lists.fedorahosted.org" <freeipa-users(a)lists.fedorahosted.org>
> Cc: Sumit Bose <sbose(a)redhat.com>
> Subject: [Freeipa-users] Re: Proxy LDAP queries to Active Directory
> On Mon, Jan 06, 2020 at 05:01:05PM +0000, White, David via FreeIPA-users wrote:
> > Is there a way to proxy client LDAP requests to the upstream Active Directory that
> > FreeIPA is configured to trust?
> >
> > I have AD, where users live.
> > I have FreeIPA / RedHat IdM.
> > And I have servers that are registered to FreeIPA.
> >
> > But I also have applications (such as Mediawiki, or Red Hat Satellite to name a few)
> > that support LDAP authentication.
> > I want to be able to use my AD credentials to login to Mediawiki or Satellite, but
> > have the application bind to FreeIPA, instead of binding it to AD.
> >
> > Is this possible?
>
> Hi,
>
> you can bind as AD user with the DN of the AD user object from the
> compat tree, see e.g.
> https://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts for
> details.
>
> HTH
>
> bye,
> Sumit
>
> >
> > I currently:
> > Have successfully bound Mediawiki to FreeIPA, and I can login to Mediawiki using an
> > account that is built locally instead of FreeIPA, but I cannot login to Mediawiki using my
> > AD credentials.
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...