The GitHub Enterprise – Using LDAP documentation lists FreeIPA as a supported LDAP service.
Although I was able to successfully test a basic LDAP connection, the test failed after I specified the Email (using value “mail”) and SSH key (using value “ipaSshPubKey”) fields. I received the following error:
Field `mail` is not an attribute in the user entry.
Field `ipaSshPubKey` is not an attribute in the user entry.
For the Domain base, I had specified the following (which had worked for integrating FreeIPA’s LDAP with other services):
dc=freeipa,dc=osric,dc=net
The problem, as far as I can tell, is that searching dc=freeipa,dc=osric,dc=net for a username returns multiple entries.
The first entry, from cn=users,cn=compat,dc=freeipa,dc=osric,dc=net, contains just 9 attributes and does not include mail or ipaSshPubKey.
The second entry, from cn=users,cn=accounts,dc=freeipa,dc=osric,dc=net, contains 34 attributes and includes mail and ipaSshPubKey.
I changed the value of Domain base to:
cn=accounts,dc=freeipa,dc=osric,dc=net
This solved the problem for me.
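The effect of a Domain base on a subtree search can be checked before changing the GitHub Enterprise setting. The following is an added example, not part of the original post and not GitHub or FreeIPA code: it models the search over a small constructed directory, and the user jdoe, the group ghe-admins, the attribute values and the third, narrower candidate base are assumptions made for illustration.

```python
# Constructed sample directory: the DN layout follows the post; the user "jdoe",
# the group "ghe-admins" and every attribute value are made up for illustration.
SUFFIX = "dc=freeipa,dc=osric,dc=net"
DIRECTORY = {
    f"uid=jdoe,cn=users,cn=compat,{SUFFIX}": {
        "uid": ["jdoe"], "cn": ["Jane Doe"], "uidNumber": ["1001"]},
    f"uid=jdoe,cn=users,cn=accounts,{SUFFIX}": {
        "uid": ["jdoe"], "cn": ["Jane Doe"], "mail": ["jdoe@example.test"],
        "ipaSshPubKey": ["ssh-ed25519 AAAA...constructed"]},
    f"cn=ghe-admins,cn=groups,cn=accounts,{SUFFIX}": {
        "cn": ["ghe-admins"],
        "member": [f"uid=jdoe,cn=users,cn=accounts,{SUFFIX}"]},
}

def normalize(dn):
    """Lower-case a DN and trim spaces around RDNs (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base):
    """True when dn is the base itself or lies below it (subtree scope)."""
    dn, base = normalize(dn), normalize(base)
    return dn == base or dn.endswith("," + base)

def search(base, attr, value):
    """Subtree search for entries whose attr contains value (equality match)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and value in attrs.get(attr, [])]

def check_domain_base(base, uid, admin_group, required=("mail", "ipaSshPubKey")):
    """Report what a candidate Domain base yields for one user and one group."""
    users = search(base, "uid", uid)
    missing = {dn: [a for a in required if a not in DIRECTORY[dn]] for dn in users}
    return {
        "user_entries": users,
        "ambiguous": len(users) > 1,  # more than one entry matches the username
        "missing_attrs": {dn: m for dn, m in missing.items() if m},
        "group_found": bool(search(base, "cn", admin_group)),
    }

if __name__ == "__main__":
    # Third base is a narrower candidate chosen for illustration.
    for base in (SUFFIX, f"cn=accounts,{SUFFIX}", f"cn=users,cn=accounts,{SUFFIX}"):
        print(base, check_domain_base(base, "jdoe", "ghe-admins"))
```

A usable Domain base is one where `ambiguous` is false, `missing_attrs` is empty and `group_found` is true.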
I should note that further restricting the Domain base will cause a different error, as then the LDAP search could not locate the group specified for Administrators group within the search tree.
For example, the following Domain base would not return any groups: