{"id":2859,"date":"2018-11-01T19:25:53","date_gmt":"2018-11-02T00:25:53","guid":{"rendered":"http:\/\/osric.com\/chris\/accidental-developer\/?p=2859"},"modified":"2018-11-01T19:25:53","modified_gmt":"2018-11-02T00:25:53","slug":"integrating-freeipa-authentication-with-github-enterprise","status":"publish","type":"post","link":"https:\/\/osric.com\/chris\/accidental-developer\/2018\/11\/integrating-freeipa-authentication-with-github-enterprise\/","title":{"rendered":"Integrating FreeIPA authentication with GitHub Enterprise"},"content":{"rendered":"

The GitHub Enterprise – Using LDAP documentation<\/a> lists FreeIPA as a supported LDAP service.<\/p>\n

Although I was able to successfully test a basic LDAP connection, the test failed after I specified the Email<\/em> (using value “mail”) and SSH key<\/em> (using value “ipaSshPubKey”) fields. I received the following error:<\/p>\n

Field `mail` is not an attribute in the user entry.\r\nField `ipaSshPubKey` is not an attribute in the user entry.<\/code><\/pre>\n
For the Domain base<\/em>, I had specified the following (which had worked for integrating FreeIPA’s LDAP with other services):<\/p>\n
dc=freeipa,dc=osric,dc=net<\/code><\/pre>\n
The problem, as far as I can tell, is that searching dc=freeipa,dc=osric,dc=net<\/code> for a username returns multiple entries.<\/p>\n
The first entry, from cn=users,cn=compat,dc=freeipa,dc=osric,dc=net<\/code>, contains just 9 attributes and does not include mail<\/code> or ipaSshPubKey<\/code>.<\/p>\n
The second entry, from cn=users,cn=accounts,dc=freeipa,dc=osric,dc=net<\/code> contains 34 attributes and includes mail<\/code> and ipaSshPubKey<\/code>.<\/p>\n
I changed the value of Domain base<\/em> to:<\/p>\n
cn=accounts,dc=freeipa,dc=osric,dc=net<\/code><\/pre>\n
This solved the problem for me.<\/p>\n","protected":false},"excerpt":{"rendered":"
I followed the steps to use FreeIPA’s LDAP service for my GitHub Enterprise authentication, but I encountered errors when attempting to query the email and SSH key data from LDAP. I discovered that LDAP was returning multiple objects for my query, one with the requested attributes and one without. Once I narrowed the scope of the LDAP query, only the desired object, with the additional attributes, was returned.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[417,482,521],"class_list":["post-2859","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-freeipa","tag-github","tag-ldap"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/2859","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=2859"}],"version-history":[{"count":2,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/2859\/revisions"}],"predecessor-version":[{"id":2861,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/2859\/revisions\/2861"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=2859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=2859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?post=2859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}