Hi Rob,
Thanks for your reply.

The front end is the RedHat Identity Management portal (on Apache HTTP server).
After I enter 'Username' and 'Password', I see that the server performs various searches, such as for username@domain.com and uid=username,<FQDN>.

If the user is found, my bind pre-op plugin is called with a user DN (SIMPLE BIND).

If the user is not found, then my pre-op BIND plugin is called, but with an empty dn value.

What I am looking for is to get the value of the username in the plugin, even if the user is not found in FreeIPA.

I am not sure if SASL interferes with this process of invoking the pre-op BIND plugin; maybe it's irrelevant.

I see entries in the access log such as: conn=393 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI

My main problem is that when the user value provided via the front end is not found in FreeIPA, I cannot get that username, entered in the Front Portal, in my pre-op BIND plugin.

Is it possible to get the username entered in the Front end (even if it does not correspond to a valid user) to be captured via a custom plugin?

Maybe not with the BIND pre-op Plugin but with a different type of plugin?

Any tips, suggestions are very much appreciated.

Thanks,
Elena.

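Added example (not from this thread, and not FreeIPA or 389 DS project code): a small Python parser that pairs BIND and RESULT lines from a 389 Directory Server access log and classifies each bind as simple or SASL. The log lines are constructed to follow the format of the line quoted in the message above; the conventions assumed are method=128 for a simple bind, method=sasl with mech= for SASL, err=14 for a SASL bind in progress, and the mapped identity appearing as dn=... on the RESULT line of a successful SASL bind. It illustrates why a SASL/GSSAPI bind reaches a pre-op BIND plugin with an empty DN: the request itself carries no DN, and the identity is only known once the mechanism completes, whereas a simple bind carries the requested DN even when that entry does not exist.

```python
"""Classify BIND operations in a 389 Directory Server access log.

Added example for the thread above; the log lines are constructed,
not captured from a real server.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# BIND request line: method=128 is a simple bind, method=sasl carries mech=.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'method=(?P<method>\S+) version=\d+(?: mech=(?P<mech>\S+))?'
)
# RESULT line for the same conn/op; the tail may carry dn="..." after a SASL success.
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')


@dataclass
class BindEvent:
    conn: str
    op: str
    requested_dn: str                        # DN in the request ("" for SASL and anonymous)
    method: str                              # "128" = simple, "sasl" = SASL
    mech: Optional[str]                      # SASL mechanism, e.g. GSSAPI
    err: Optional[int] = None                # LDAP result code from the matching RESULT line
    authenticated_dn: Optional[str] = None   # identity reported on RESULT (SASL success)


def parse_access_log(lines: List[str]) -> List[BindEvent]:
    """Pair each BIND line with its RESULT line by (conn, op)."""
    events: Dict[Tuple[str, str], BindEvent] = {}
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            events[(m["conn"], m["op"])] = BindEvent(
                m["conn"], m["op"], m["dn"], m["method"], m["mech"])
            continue
        m = RESULT_RE.search(line)
        if m and (m["conn"], m["op"]) in events:
            ev = events[(m["conn"], m["op"])]
            ev.err = int(m["err"])
            dn = DN_RE.search(m["rest"])
            ev.authenticated_dn = dn["dn"] if dn else None
    return list(events.values())


def classify(ev: BindEvent) -> str:
    if ev.method == "128":
        return "anonymous" if ev.requested_dn == "" else "simple"
    if ev.method == "sasl":
        if ev.err == 14:                       # saslBindInProgress: more round trips needed
            return "sasl-in-progress"
        if ev.err == 0 and ev.authenticated_dn:
            return "sasl-mapped"
        return "sasl-unresolved"
    return "unknown"


def attempted_identity(ev: BindEvent) -> Optional[str]:
    """Best available name for who tried to bind.

    Simple bind: the request DN is present even when the entry does not
    exist (err=49).  SASL bind: the request DN is empty; the identity is
    known only from the RESULT line after a successful mapping.
    """
    if ev.method == "128":
        return ev.requested_dn or None
    return ev.authenticated_dn


def summarize(lines: List[str]) -> Dict[Tuple[str, str], Tuple[str, Optional[str]]]:
    return {(ev.conn, ev.op): (classify(ev), attempted_identity(ev))
            for ev in parse_access_log(lines)}


# Constructed sample: a successful simple bind, a failed simple bind for a
# non-existent user, and a two-step GSSAPI bind that maps to a service principal.
SAMPLE_LOG = [
    '[17/Jun/2019:15:09:37.100000000 -0400] conn=392 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3',
    '[17/Jun/2019:15:09:37.101000000 -0400] conn=392 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0010',
    '[17/Jun/2019:15:09:40.000000000 -0400] conn=393 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3',
    '[17/Jun/2019:15:09:40.001000000 -0400] conn=393 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0010',
    '[17/Jun/2019:15:09:41.000000000 -0400] conn=393 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[17/Jun/2019:15:09:41.001000000 -0400] conn=393 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0003, SASL bind in progress',
    '[17/Jun/2019:15:09:41.002000000 -0400] conn=393 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[17/Jun/2019:15:09:41.004000000 -0400] conn=393 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0021 dn="krbprincipalname=HTTP/ipa.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"',
]

if __name__ == "__main__":
    for key, (kind, who) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"conn={key[0]} op={key[1]}: {kind:18} identity={who}")
```

Running the module prints one line per bind; the failed simple bind for bob still reports the requested DN, while the in-progress GSSAPI step has no identity at all, which is the situation a pre-op BIND plugin sees when it receives an empty dn.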

From: Rob Crittenden <rcritten@redhat.com>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Elena Fedorov <Elena.Fedorov@ca.ibm.com>
Date: 06/17/2019 03:09 PM
Subject: [EXTERNAL] Re: [Freeipa-users] Get username and password via bind preop plugin in FreeIPA
Elena Fedorov via FreeIPA-users wrote:
> Hello,
> I have FreeIPA version 4.6.4, api_version 2.229
>
> The system supports sasl bind version 3, mech GSSAPI.
>
> I need to support logon from the front end for users who are not part of
> the FreeIPA directory server.
> For such users I will need to bind as a predefined existing Free IPA
> account.
>
> The problem is I cannot capture a username (entered in the front end)
> in the pre-op bind plugin.
>
> FreeIPA does not even call the pre-op plugin if it cannot find a
> username, entered in the front end, in the Directory Server.
>
> What can I do to grab a username from the front end?

I'm not quite sure I follow what you want to do, particularly how SASL
fits in.

What frontend are you talking about? How are you binding LDAP? Simple or
SASL?

rob