Jump to content

Freeipa Users


wkleinhenz

Recommended Posts

Currently i manage a fully Linux environment that uses freeipa for ldap and ive run into 3 issues

First ,

   the account discovery works using an freeipa account but doesnt seem to correctly pull the found users passwords

second,

   unless im doing something wrong i am unable to use the host discovery option to connect to freeipa

lastly,

   the account discovery misses the freeipa users and thus makes it hard to use the ssh connection option as the ldap users are the only true non-service and non-root accounts

 

so with these issues i was wondering if there has been any thought into better supporting non windows ldap for host/account discovery

Thanks

Link to comment
Share on other sites

Hello wkleinhenz,

 

Thanks for your enquiry. We've just had a look at what freeipa is, as we've never heard of this before. Unfortunately our software is not designed to work with this, and we only currently support Microsoft Active directory for LDAP.

 

Sorry our software is not able to help with this.

 

Regards

Click Studios

Link to comment
Share on other sites

On 11/7/2018 at 12:21 PM, wkleinhenz said:

so with these issues i was wondering if there has been any thought into better supporting non windows ldap for host/account discovery


Passwordstate with LDAP integration is something I requested some time ago, under tracking ID PS-1992.

Assuming theres enough demand for it, it would allow integration with IPA for authentication and host discovery.

IPA is a bundle of tools, ldap being one of the tools it bundles. We also use IPA for our Linux servers authentication.

Assuming wkleinhenz would like this as a feature request, I'd have to +1 it.

Link to comment
Share on other sites

  • 2 weeks later...

Hi everyone,

 

We spent a bit of time today investigating FreeIPA, and had a question if that's ok?

 

Were you hoping to have authenticate into Passwordstate using a FreeIPA user account?

 

Or were you hoping Passwordstate could perform password resets and account heartbeats on accounts in FreeIPA?  If this is the case, would these accounts be used on applications in the Linux world, similar to how AD accounts in Windows can be used on things like Windows Services, or IIS Application pools at an example?

 

Regards,

Support.

Link to comment
Share on other sites

Currently I use Freeipa to manage Linux accounts specifically for SSH and being able to manage, audit and reset these passwords would be very nice. In addition, the ability to use Freeipa as an authentication source for passwordstate would also be great.

 

I was also wondering as Freeipa does technically involve the registering of hosts, would it be possible to implement some method of host discovery using LDAP query or the like

 

Thanks for the interest into this, for those who cant afford windows server or prefer an open source alternative this type of support is nice to see

Link to comment
Share on other sites

To further demystify FreeIPA for @support: it really is plain LDAP as a directory, with Kerberos authentication and which has a bunch of management tools added onto it. Quite literally RedHat's answer to Active Directory. To further complicate matters there's also RedHat's Idm (Identity Manager), which is mostly similar but a paid-for product.

 

What @wkleinhenz, @Sarge and myself would be looking for, is host and account discovery inside the respective LDAP OU's. Better yet if you make it configurable ;) All in all it would be very similar to how you handle AD discovery, with a few tweaks to the expected OUs and perhaps a few field names.

Link to comment
Share on other sites

  • 1 year later...

Did this ever go anywhere?  We have Passwordstate 8 now and we have recently deployed IPA to manage access to our Linux / Unix system.  Now we would like to tie that to Passwordstate.  Having Passwordstate perform auto-discovery through the IPA system would be very useful.  Since IPA is really just a front end for LDAP, I can't imagine that it would be difficult for Passwordstate to perform queries to the LDAP system.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...