On Mon, 02 Jul 2018, Pieter Baele via FreeIPA-users wrote:
Hi,
We have an application (Spring LDAP backend) that uses keytabs in the IPA domain for SSO auth.
No problems at all for internal FreeIPA users after they have a valid ticket (using MIT Kerberos for Windows) and a correctly configured browser.
An AD user is never present in IPA itself as an inetOrgPerson objectclass (correct?).
So because AD users are only present in the compat tree after adding them to the "Default Trust View", configuration of the application is a problem.
Because of the schema, I can only use posixAccount, and membership is using memberUid / RFC2307 (correct again?)
Correct.
The absence of inetOrgPerson information (and memberOf) in the compat view gives me difficulties connecting this component to FreeIPA....
memberOf is part of RFC2307bis, so out of scope for compat tree.
Anyone experience with connecting Spring to IPA - AND - being able to use AD users?
If you are able to switch to a different authentication provider, I'd
rather take a different approach: use OpenID Connect/OAuth instead.
You'd connect your Spring application to an IdP like Keycloak and then
connect Keycloak to IPA. This would work for any complex setup because
authentication and identity retrieval at Keycloak side would be handled
by SSSD.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
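As an added example (not code from this thread, from FreeIPA, or from the poster's Spring application), the following Python script shows what a client has to do when it only has the RFC2307 compat tree discussed above: the user entry is a posixAccount with no memberOf, so group membership has to be resolved by searching posixGroup entries for memberUid (and the primary gidNumber, which RFC2307 servers do not repeat in memberUid). It also builds the RFC 4515-escaped search filter such a client would send, because the uid comes from the end user. The LDIF snapshot, the dc=example,dc=test base, the ad.example.test trust domain, all user and group names and the numeric IDs are constructed for the example and are not captured from a real server.

```python
"""Resolve group membership for a trust user from a FreeIPA-style compat tree.

Added example for the FreeIPA-users thread above, not FreeIPA or Spring code.
It works offline on a constructed LDIF snapshot that imitates what an RFC2307
compat tree returns for an AD user: a posixAccount entry without memberOf and
posixGroup entries that list members in memberUid.  Every DN, name and number
below is an assumption made for the example.
"""
import base64
from collections import defaultdict

# Constructed sample (assumed shape, not captured output from a real IPA server).
COMPAT_LDIF = """\
dn: uid=jdoe@ad.example.test,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: top
uid: jdoe@ad.example.test
cn: John Doe
uidNumber: 1234500001
gidNumber: 1234500002
homeDirectory: /home/ad.example.test/jdoe

dn: cn=ad_admins_external,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
objectClass: top
cn: ad_admins_external
gidNumber: 1234500001
memberUid: jdoe@ad.example.test

dn: cn=developers,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
objectClass: top
cn: developers
gidNumber: 1234500002
memberUid: asmith@ad.example.test
"""


def parse_ldif(text):
    """Parse minimal LDIF (folded lines, comments, base64 values) into dicts."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # leading space continues previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    if current:
        entries.append(dict(current))
    return entries


def find_user(entries, uid):
    """Return the posixAccount entry for uid, or None."""
    for e in entries:
        if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", []):
            return e
    return None


def memberof_attribute(entry):
    """What an RFC2307bis client would read; empty for compat-tree entries."""
    return entry.get("memberOf", [])


def groups_for_user(entries, uid):
    """RFC2307 group resolution: memberUid matches plus the primary gidNumber group."""
    user = find_user(entries, uid)
    primary_gid = user["gidNumber"][0] if user and user.get("gidNumber") else None
    names = set()
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        if uid in e.get("memberUid", []) or (primary_gid and primary_gid in e.get("gidNumber", [])):
            names.update(e.get("cn", []))
    return sorted(names)


def rfc4515_escape(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_search_filter(uid):
    """The filter a memberUid-based group lookup sends to the compat tree."""
    return f"(&(objectClass=posixGroup)(memberUid={rfc4515_escape(uid)}))"


if __name__ == "__main__":
    entries = parse_ldif(COMPAT_LDIF)
    user = find_user(entries, "jdoe@ad.example.test")
    print("memberOf on user:", memberof_attribute(user))
    print("groups via memberUid/gidNumber:", groups_for_user(entries, "jdoe@ad.example.test"))
    print("filter:", group_search_filter("jdoe@ad.example.test"))
```

The escaping step is the part worth keeping even if the rest is thrown away: a group-search filter built from a username that is not escaped lets a caller with a crafted uid widen the search (for example with `*` or a closing parenthesis), so whatever library does the lookup in the real application should be configured to escape the substituted value.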