Hi Rob,
Thanks for your reply.
The front end is the RedHat Identity Management portal (on Apache HTTP server).
After I enter 'Username' and 'Password', I see that the server performs various searches, such as for username(a)domain.com and uid=username,<FQDN>.
If the user is found, my bind pre-op plugin is called with a user DN (SIMPLE BIND).
If the user is not found, then my pre-op BIND plugin is called, ... but with an empty dn value.
What I am looking for is to get the value of the username in the plugin, even if the user is not found in FreeIPA.
I am not sure if SASL interferes with this process of invoking the pre-op BIND plugin; maybe it's irrelevant.
I see entries in the access log such as: "conn=393 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI".
My main problem is that when the user value provided via the front end is not found in FreeIPA, I cannot get that username, entered in the front portal, in my pre-op BIND plugin.
Is it possible to get the username entered in the front end (even if it does not correspond to a valid user) to be captured via a custom plugin? Maybe not with the BIND pre-op plugin but with a different type of plugin?
Any tips or suggestions are very much appreciated.
Thanks,
Elena.
From: Rob Crittenden <rcritten(a)redhat.com>
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Elena Fedorov <Elena.Fedorov(a)ca.ibm.com>
Date: 06/17/2019 03:09 PM
Subject: [EXTERNAL] Re: [Freeipa-users] Get username and password via bind preop plugin in FreeIPA
Elena Fedorov via FreeIPA-users wrote:
Hello,
I have FreeIPA version 4.6.4, api_version 2.229
The system supports sasl bind version 3, mech GSSAPI.
I need to support logon from the front end for users who are not part of the FreeIPA directory server.
For such users I will need to bind as a predefined existing FreeIPA account.
The problem is I cannot capture a username (entered in the front end) in the pre-op bind plugin.
FreeIPA does not even call the pre-op plugin if it cannot find a username, entered in the front end, in the Directory Server.
What can I do to grab a username from the front end?
I'm not quite sure I follow what you want to do, particularly how SASL fits in.
What frontend are you talking about? How are you binding LDAP? Simple or SASL?
rob
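As an added example (not code from this thread, from FreeIPA or from 389 Directory Server), here is a small Python parser for 389 DS access-log BIND lines in the format Elena quoted; it classifies each bind so the distinction Rob asks about is visible: a SASL/GSSAPI bind logs dn="" because the identity is carried by the SASL layer, while a simple bind carries the DN. The timestamped sample lines other than the quoted one are constructed, and it is assumed that method=128 is how 389 DS logs a simple bind.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the BIND line format of 389 Directory Server access logs, as in the
# line quoted in the thread: conn=393 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
    r' method=(?P<method>\S+) version=(?P<version>\d+)(?: mech=(?P<mech>\S+))?'
)

@dataclass(frozen=True)
class BindEvent:
    conn: int
    op: int
    dn: str
    method: str            # "128" for a simple bind (assumed), "sasl" for SASL
    mech: Optional[str]    # SASL mechanism such as GSSAPI; None for simple binds

    @property
    def kind(self) -> str:
        """Classify what a pre-bind plugin sees for this operation."""
        if self.method == "sasl":
            # Identity is established by the SASL mechanism (Kerberos for GSSAPI);
            # the LDAP bind request itself carries no DN, so dn="" is expected.
            return "sasl"
        return "anonymous" if self.dn == "" else "simple"

def parse_bind_line(line: str) -> Optional[BindEvent]:
    """Return a BindEvent for an access-log BIND line, or None for other lines."""
    m = BIND_RE.search(line)
    if m is None:
        return None
    return BindEvent(int(m["conn"]), int(m["op"]), m["dn"], m["method"], m["mech"])

def summarize(lines: List[str]) -> Dict[str, int]:
    """Count bind operations per kind over a batch of access-log lines."""
    counts = {"simple": 0, "sasl": 0, "anonymous": 0}
    for line in lines:
        ev = parse_bind_line(line)
        if ev is not None:
            counts[ev.kind] += 1
    return counts

# Constructed sample: the first BIND line is the one from the thread; the rest are
# made-up lines in the same format (a named simple bind, an anonymous simple bind,
# and a RESULT line that the parser must ignore).
SAMPLE_LOG = [
    '[17/Jun/2019:15:09:01 +0000] conn=393 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[17/Jun/2019:15:09:02 +0000] conn=394 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3',
    '[17/Jun/2019:15:09:03 +0000] conn=395 op=0 BIND dn="" method=128 version=3',
    '[17/Jun/2019:15:09:03 +0000] conn=395 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_bind_line(line)
        if ev is not None:
            print(f"conn={ev.conn} op={ev.op} kind={ev.kind} mech={ev.mech} dn={ev.dn!r}")
    print(summarize(SAMPLE_LOG))
```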