-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> > > It should be possible, yes - if you target web service/Red Mine to the
> > > compat tree, as it was done for example in this integration:
> > >
> > > http://www.freeipa.org/page/HowTo/vsphere5_integration
> > Thanks, your expression is very helpful for nested group memberships.
> >
> > But maybe I expressed myself wrong. We need to log on with a user from Active
> > Directory (like henry) over a trust with the IPA domain. But in the IPA
> > domain there isn't a user named henry. Only a
> > reference in the group
> > "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.
>
> The user can be looked up in the compat tree, e.g.
>
> ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' '[email protected]'
>
> HTH
>
> bye,
> Sumit

Thanks, I am getting more and more information and am amazed by FreeIPA and its functionality.
I can successfully log in to Redmine and Cloud with users from the trust domain.
I have added additional attributes for the user accounts like "mail" etc. For the external trust users this is not possible.
How can I get this additional information for the trust users?

Best regards,
Henry

-----Original Message-----
From: Sumit Bose [mailto:[email protected]]
Sent: Wednesday, 17 June 2015 10:36
To: Henry Hofmann
Cc: [email protected]
Subject: Re: [Freeipa-users] Question for AD trust and Webservices

On Wed, Jun 17, 2015 at 08:21:22AM +0000, Henry Hofmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > It should be possible, yes - if you target web service/Red Mine to the
> > compat tree, as it was done for example in this integration:
> >
> > http://www.freeipa.org/page/HowTo/vsphere5_integration
> Thanks, your expression is very helpful for nested group memberships.
>
> But maybe I expressed myself wrong. We need to log on with a user from Active
> Directory (like henry) over a trust with the IPA domain. But in the IPA
> domain there isn't a user named henry. Only a reference in the group
> "ipaExternalMember=S-1-5-21-969530201-4059800132-1833743323-1235" to the user.

The user can be looked up in the compat tree, e.g.

ldapsearch -x -b 'cn=compat,dc=ipa,dc=domain' '[email protected]'

HTH

bye,
Sumit

>
> > BTW, if Redmine is run by Apache, you can also leverage native
> > Web<->SSSD<->FreeIPA/AD integration, following
> Our Redmine is running with a ruby webserver based on lock files and in the
> front we used an nginx webproxy.
>
> > http://www.freeipa.org/page/Web_App_Authentication
> >
> > Martin
> >
> >> I understand this is for application which is using Kerberos.
> > No, it is not only for that.
> >
> >> I have some web applications like "redmine" and "owncloud" which
> >> have their own user management.
> >> They need to be configured for LDAP to
> >> grant authorizations without Kerberos. And not all of them use
> >> apache or tomcat as application server.
> > For OwnCloud use
> > https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
> > and read a backstory in
> > https://github.com/owncloud/core/issues/10130
> >
> > For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't
> > need to include the user which runs redmine into shadow group with FreeIPA
> > because user accounts are never in /etc/shadow for FreeIPA so you don't
> > need that access.
> >
> What do you mean by "You don't need to include the user which runs Redmine
> into shadow group with FreeIPA because user accounts are never in
> /etc/shadow for FreeIPA so you don't need that access"?
> Normally we create users and groups in FreeIPA and add the users to the groups.
> Currently we sync the users and groups to Redmine and grant the permission
> roles (Developer or Manager) to the groups. In this scenario I can remotely
> manage the grants for users on every webserver that we use.
>
> > Both these methods rely on PAM authentication which is powered by SSSD.
> >
> > --
> > / Alexander Bokovoy
>
> Thanks for your help.
> Henry
