Hi,
We have an application (Spring LDAP backend) that uses keytabs in the IPA domain for SSO auth. No problems at all for internal FreeIPA users after they have a valid ticket (using MIT Kerberos for Windows) and a correctly configured browser.
An AD user is never present in IPA itself as an inetOrgPerson objectclass (correct?). So because AD users are only present in the compat tree after adding them to the "Default Trust View", configuration of the application is a problem. Because of the schema, I can only use posixAccount and membership is using memberUid / RFC2307 (correct again?) The absence of inetOrgPerson information (and memberOf) in the compat view gives me difficulties connecting this component to FreeIPA...
Anyone with experience connecting Spring to IPA - AND - being able to use AD users?
On Mon, 02 Jul 2018, Pieter Baele via FreeIPA-users wrote:
Hi,
We have an application (Spring LDAP backend) that uses keytabs in the IPA domain for SSO auth. No problems at all for internal FreeIPA users after they have a valid ticket (using MIT Kerberos for Windows) and a correctly configured browser.
An AD user is never present in IPA itself as an inetOrgPerson objectclass (correct?). So because AD users are only present in the compat tree after adding them to the "Default Trust View", configuration of the application is a problem. Because of the schema, I can only use posixAccount and membership is using memberUid / RFC2307 (correct again?)
Correct.
The absence of inetOrgPerson information (and memberOf) in the compat view gives me difficulties connecting this component to FreeIPA...
memberOf is part of RFC2307bis, so out of scope for compat tree.
Anyone with experience connecting Spring to IPA - AND - being able to use AD users?
If you are able to switch to a different authentication provider, I'd rather take a different approach: use OpenID Connect/OAuth instead. You'd connect your Spring application to an IdP like Keycloak and then connect Keycloak to IPA. This would work for any complex setup because authentication and identity retrieval at Keycloak side would be handled by SSSD.
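As an added illustration (not code from the thread or from FreeIPA), here is what the RFC2307-only situation described above means in practice for an application doing its own group lookups: the user entry in cn=compat has no memberOf, so membership must be found by searching posixGroup entries for memberUid. The LDIF, DNs, realm names and user names below are constructed assumptions.

```python
# Added example, not from the thread: group lookup for a trusted-AD user via
# the FreeIPA compat tree, which serves RFC2307 posixAccount/posixGroup
# entries (memberUid) and no RFC2307bis memberOf. All data is constructed.
import re

COMPAT_LDIF = """\
dn: uid=jdoe@ad.example.test,cn=users,cn=compat,dc=ipa,dc=example,dc=test
objectClass: posixAccount
uid: jdoe@ad.example.test
cn: John Doe
uidNumber: 1234000501
gidNumber: 1234000513

dn: cn=hadoop-admins,cn=groups,cn=compat,dc=ipa,dc=example,dc=test
objectClass: posixGroup
cn: hadoop-admins
gidNumber: 2001
memberUid: jdoe@ad.example.test
memberUid: alice

dn: cn=viya-users,cn=groups,cn=compat,dc=ipa,dc=example,dc=test
objectClass: posixGroup
cn: viya-users
gidNumber: 2002
memberUid: alice
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def groups_for_uid(entries, uid):
    """RFC2307 lookup, the equivalent of a Spring group search filter
    (&(objectClass=posixGroup)(memberUid={0})) under cn=groups,cn=compat."""
    return sorted(e["cn"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", [])
                  and uid in e.get("memberUid", []))

def user_memberof(entries, uid):
    """Returns the user's memberOf values; always empty in the compat tree."""
    return [v for e in entries if e.get("uid") == [uid]
            for v in e.get("memberOf", [])]
```

In Spring Security terms this means configuring the group search with the memberUid filter above rather than relying on a memberOf attribute on the user entry.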
Hi,
I was indeed thinking of using OAuth for the application (SAS Viya). Standard platform: ADFS. Adding Keycloak is doable, but currently not in scope. We are a small (sub)team and how much is manageable? ;)
The application - SAS Viya - always needs LDAP as identity store - in combination with Kerberos (& IWA), OAuth, SAML, plain LDAP or PAM. I find the implementation of their LDAP client a bit lacking (only 1 LDAP host, no referral setting, no StartTLS...)
One of the business requirements is "seamless" authentication and I was hoping we could use SPNEGO.
Our Hadoop (and related servers such as SAS Viya) are all placed in a separate IPA domain, and we have a trust with AD. So this works for a Firefox browser configured to use MIT Kerberos against IPA and the pure IPA users. But my idealistic scenario of using end-users from AD on that SAS Viya platform is currently leading to nowhere.
Do you think it would be possible using ADFS OAuth? And AD LDAP as identity lookup store (if the problems are fixed) with all servers in the IPA domain? If not, what about Keycloak integrated with IPA --> we would still have the problem with AD user lookup then. It would be easier if the product used SSSD/PAM as identity store as well somehow...
Sincerely, Pieter
On Mon, Jul 2, 2018 at 2:15 PM Alexander Bokovoy abokovoy@redhat.com wrote:
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org