
I am having trouble getting the LDAP configuration working in Artifactory against FreeIPA and I am getting strange results when testing. Does anyone have this setup working?

Here are my settings in Artifactory: Artifactory Settings

The section of the access log on FreeIPA showing the auth test:

[20/Sep/2016:09:55:30 -0700] conn=2046 fd=171 slot=171 connection from x.x.x.x to x.x.x.x
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 BIND dn="cn=users,cn=accounts" method=128 version=3
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[20/Sep/2016:09:55:30 -0700] conn=2046 op=-1 fd=171 closed - B1
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=ldap_user)" attrs=ALL
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 RESULT err=0 tag=101 nentries=1 etime=0

What I find strange is that it's trying to bind using the User DN Pattern instead of the Manager DN. As a result the initial bind fails, but the ldap user used to test the connection is found "err=0 tag=101 nentries=1" according to the logs but Artifactory fails to authenticate the user.

Sometimes when I change the Manager DN string, Artifactory will say the test user authenticated successfully, but then all other tests following will fail using the same user.

Any help is greatly appreciated!


1 Answer


When you see '[something] DN' in terms of LDAP, this is about full distinguished name, not just a value of a relative distinguished name component.

  • According to https://www.jfrog.com/confluence/display/RTF/Managing+Security+with+LDAP, 'User DN pattern' should include user's rdn and template parameters, e.g. 'uid={0},cn=users,cn=accounts'. However, looking at your logs, it seems this has to be a full DN: 'uid={0},cn=users,cn=accounts,dc=example,dc=com'

  • Manager DN should be a full DN, e.g. 'uid=manager,cn=users,cn=accounts,dc=example,dc=com'.
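As an added illustration of the answer above (example code, not Artifactory's or FreeIPA's own logic): a small checker that expands a User DN pattern to a full DN under the base DN, and that pairs BIND and RESULT lines from the 389-ds access log in the question to flag failed binds whose DN lacks the base suffix, which is what the err=32 (noSuchObject) line shows. The log text is a constructed copy of the lines posted above.

```python
import re

# Constructed sample: the FreeIPA (389-ds) access-log lines from the question.
ACCESS_LOG = """\
[20/Sep/2016:09:55:30 -0700] conn=2046 fd=171 slot=171 connection from x.x.x.x to x.x.x.x
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 BIND dn="cn=users,cn=accounts" method=128 version=3
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[20/Sep/2016:09:55:30 -0700] conn=2046 op=-1 fd=171 closed - B1
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=ldap_user)" attrs=ALL
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(-?\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(-?\d+) RESULT err=(\d+)')


def expand_user_dn(pattern, username, base_dn):
    """Fill the {0} placeholder and append base_dn if the pattern is relative.

    The answer above observes that Artifactory sends the pattern as-is, so a
    pattern without the base suffix binds to a DN that does not exist (err=32).
    """
    dn = pattern.replace("{0}", username)
    if not dn.lower().endswith(base_dn.lower()):
        dn = f"{dn},{base_dn}"
    return dn


def failed_binds(log_text, base_dn):
    """Return (bind_dn, err, is_full_dn) for every BIND whose RESULT is non-zero.

    is_full_dn is False when the bound DN does not end with base_dn, i.e. the
    misconfiguration seen in the question's log.
    """
    binds, failures = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = m.group(3)  # RESULT follows its BIND
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in binds and m.group(3) != "0":
            dn = binds[(m.group(1), m.group(2))]
            failures.append((dn, int(m.group(3)), dn.lower().endswith(base_dn.lower())))
    return failures
```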