I am having trouble getting the LDAP configuration working in Artifactory against FreeIPA, and I am getting strange results when testing. Does anyone have this setup working?
Here are my settings in Artifactory: Artifactory Settings
The section of the access log on FreeIPA showing the auth test:
[20/Sep/2016:09:55:30 -0700] conn=2046 fd=171 slot=171 connection from x.x.x.x to x.x.x.x
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 BIND dn="cn=users,cn=accounts" method=128 version=3
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[20/Sep/2016:09:55:30 -0700] conn=2046 op=-1 fd=171 closed - B1
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=ldap_user)" attrs=ALL
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 RESULT err=0 tag=101 nentries=1 etime=0
What I find strange is that it's trying to bind using the User DN Pattern instead of the Manager DN. As a result the initial bind fails, but the LDAP user used to test the connection is found ("err=0 tag=101 nentries=1") according to the logs, yet Artifactory fails to authenticate the user.
Sometimes when I change the Manager DN string, Artifactory will say the test user authenticated successfully, but then all other tests following will fail using the same user.
Any help is greatly appreciated!
When you see '[something] DN' in LDAP terms, it refers to a full distinguished name, not just the value of a single relative distinguished name component.
According to https://www.jfrog.com/confluence/display/RTF/Managing+Security+with+LDAP, the 'User DN pattern' should include the user's RDN and template parameters, e.g. 'uid={0},cn=users,cn=accounts'. However, looking at your logs, it seems this has to be a full DN: 'uid={0},cn=users,cn=accounts,dc=example,dc=com'
The Manager DN should be a full DN, e.g. 'uid=manager,cn=users,cn=accounts,dc=example,dc=com'.
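As an added example (not code from the question, the answer, Artifactory or FreeIPA), the following Python script does two things the answer describes by hand: it expands a User DN pattern, assuming '{0}' is the login-name placeholder, and checks whether the result ends in the directory's base DN, and it pairs BIND/RESULT lines from a 389-ds/FreeIPA access log so that a bind that failed on a partial DN (err=32, noSuchObject) is reported with the DN that was actually tried. The log lines are constructed from the ones quoted in the question.

```python
import re

# Constructed sample, copied from the access-log excerpt in the question above.
SAMPLE_LOG = """\
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 BIND dn="cn=users,cn=accounts" method=128 version=3
[20/Sep/2016:09:55:30 -0700] conn=2046 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=ldap_user)" attrs=ALL
[20/Sep/2016:09:55:30 -0700] conn=2045 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

# Standard LDAP result codes most often seen on a failing bind.
ERR_NAMES = {32: "noSuchObject", 49: "invalidCredentials"}


def is_full_dn(dn, base_dn):
    """True when the DN's trailing components equal the base DN (case-insensitive,
    whitespace around components ignored). A partial DN such as
    'cn=users,cn=accounts' does not end in 'dc=example,dc=com' and fails here."""
    parts = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in base_dn.split(",")]
    return len(parts) >= len(base) and parts[-len(base):] == base


def render_user_dn(pattern, username, base_dn):
    """Expand the User DN pattern ({0} assumed to be the login name) and report
    whether the bind DN Artifactory would send is a full DN under base_dn."""
    dn = pattern.replace("{0}", username)
    return dn, is_full_dn(dn, base_dn)


def failed_binds(log_text, base_dn):
    """Match each BIND op to its RESULT line (same conn and op) and return
    (dn, err, err_name, is_full_dn) for every bind that did not return err=0."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn, err = pending.pop((m.group(1), m.group(2))), int(m.group(3))
            if err != 0:
                failures.append((dn, err, ERR_NAMES.get(err, "other"), is_full_dn(dn, base_dn)))
    return failures
```

Running `failed_binds(SAMPLE_LOG, "dc=example,dc=com")` flags the bind to 'cn=users,cn=accounts' as noSuchObject on a partial DN, which is exactly the symptom the question's log shows.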