6:16 p.m.
I am trying to follow the instructions on this page:
https://www.freeipa.org/page/Apache_Group_Based_Authorization
Because I want to only grant access to the web resources and not logins and because the
load can often be heavy, I am trying use the mod_authnz_ldap setup. I don't have any
virtual host configuration on the web servers.
I have a basic setup of IPA and have been able to add users and modify them through the
ipa web interface.
When I try to run the command:
ldapmodify -h ipa01.example.com -p 389 -x -D "cn=Directory Manager" -w <DM
Password> -f httpbind.ldif
I get the result:
ldap_modify: No such object (32)
Naturally, I changed the "dc=example,dc=com" to "dc=a,dc=b,dc=c",
where I set up my ipa installation as "a.b.c".
6:34 p.m.
Simon Matthews via FreeIPA-users wrote:
I am trying to follow the instructions on this page:
https://www.freeipa.org/page/Apache_Group_Based_Authorization
Because I want to only grant access to the web resources and not logins and because the
load can often be heavy, I am trying use the mod_authnz_ldap setup. I don't have any
virtual host configuration on the web servers.
I have a basic setup of IPA and have been able to add users and modify them through the
ipa web interface.
When I try to run the command:
ldapmodify -h ipa01.example.com -p 389 -x -D "cn=Directory Manager" -w <DM
Password> -f httpbind.ldif
I get the result:
ldap_modify: No such object (32)
Naturally, I changed the "dc=example,dc=com" to "dc=a,dc=b,dc=c",
where I set up my ipa installation as "a.b.c".
Hard to say without seeing the actual ldif you are loading but you'll
need to carefully check the dn to ensure it matches your configuration.
rob
7:21 p.m.
New subject: Setting up authentication for apache webserver.
I should also mention that I ran a script to delete most of the users. If this (httpbind)
is a user that is automatically configured when I set up my ip installation, that might
explain this.
10:43 a.m.
New subject: Setting up authentication for apache webserver.
Simon Matthews via FreeIPA-users wrote:
I should also mention that I ran a script to delete most of the
users. If this (httpbind) is a user that is automatically configured when I set up my ip
installation, that might explain this.
I'm lost. What users did you delete? A basic IPA installation contains
only one user: admin. And that is a required account.
The process you're following is to create a bind account in IPA. This is
done by tweaking the ldif on the wiki page to match your environment.
You need to carefully check that the dc values match what your
installation has (see basedn in /etc/ipa/default.conf).
rob
12:06 p.m.
New subject: Setting up authentication for apache webserver.
Simon Matthews via FreeIPA-users wrote:
I'm lost. What users did you delete? A basic IPA installation contains
only one user: admin. And that is a required account.
The process you're following is to create a bind account in IPA. This is
done by tweaking the ldif on the wiki page to match your environment.
You need to carefully check that the dc values match what your
installation has (see basedn in /etc/ipa/default.conf).
rob
Thanks for your reply.
There were a couple of users that I ensured that I did not delete. "admin" was
one of them. I deleted them because I am tweaking a script to import the users and some
users did not get fields such as email addresses properly set.
From /etc/ipa/default.conf:
basedn = dc=ipa,dc=bluepearlsoftware,dc=com
The ldif file:
dn: uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: httpbind
userPassword: ohaimakethissimethingtoughtobreak
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
Exact command I am running and the full output:
ldapmodify -h ipa1.sj.bps -p 389 -f /tmp/dm.ldif
SASL/GSSAPI authentication started
SASL username: admin(a)IPA.BLUEPEARLSOFTWARE.COM
SASL SSF: 256
SASL data security layer installed.
modifying entry
"uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=comchangetype:
addobjectclass: accountobjectclass: simplesecurityobjectuid: httpbinduserPassword:
ohaimakethissimethingtoughtobreakpasswordExpirationTime: 20380119031407ZnsIdleTimeout:
0"
ldap_modify: No such object (32)
12:17 p.m.
New subject: Setting up authentication for apache webserver.
Simon Matthews via FreeIPA-users wrote:
> Simon Matthews via FreeIPA-users wrote:
>
> I'm lost. What users did you delete? A basic IPA installation contains
> only one user: admin. And that is a required account.
>
> The process you're following is to create a bind account in IPA. This is
> done by tweaking the ldif on the wiki page to match your environment.
>
> You need to carefully check that the dc values match what your
> installation has (see basedn in /etc/ipa/default.conf).
>
> rob
Thanks for your reply.
There were a couple of users that I ensured that I did not delete. "admin" was
one of them. I deleted them because I am tweaking a script to import the users and some
users did not get fields such as email addresses properly set.
From /etc/ipa/default.conf:
basedn = dc=ipa,dc=bluepearlsoftware,dc=com
The ldif file:
dn: uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: httpbind
userPassword: ohaimakethissimethingtoughtobreak
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
Exact command I am running and the full output:
ldapmodify -h ipa1.sj.bps -p 389 -f /tmp/dm.ldif
SASL/GSSAPI authentication started
SASL username: admin(a)IPA.BLUEPEARLSOFTWARE.COM
SASL SSF: 256
SASL data security layer installed.
modifying entry
"uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=comchangetype:
addobjectclass: accountobjectclass: simplesecurityobjectuid: httpbinduserPassword:
ohaimakethissimethingtoughtobreakpasswordExpirationTime: 20380119031407ZnsIdleTimeout:
0"
ldap_modify: No such object (32)
Remove the leading spaces on all the lines. A leading space is a
continuation marker in LDIF so the contents are being treated as a
single line.
rob
828
days inactive
828
days old
freeipa-users@lists.fedorahosted.org
7 comments
2 participants
participants (2)
-
Rob Crittenden -
Simon Matthews