V 4.0 freeipa help

I just upgraded. I am able to connect to the ldap server fine. When I try to test authenticate, I get this:

Couldn’t test user login on [ ]

  • entryUUID attribute cannot be null

It seems I need to define the ‘ID Attribute’ field, but I have no idea what it should be for freeipa. By default it is ‘entryUUID’

It looks like sn or surname work. Would these be ‘proper’ though?

@knobbysideup The “ID Attribute” (which defaults to entryUUID) must be a unique ID that doesn’t change when, let’s say, the username changes. Graylog is using that ID as reference to find the user in LDAP, even when username and others change.

So using the surname is not a good option here. After some research it looks like that in FreeIPA that attribute is uid.

UPDATE: Using uid is wrong, see my next post below. Sorry for the confusion.

Source: https://www.freeipa.org/page/HowTos/LDAP_authentication_for_Atlassian_JIRA_using_FreeIPA

I did try uid first, but that results in the same error.

@knobbysideup I did some more research. For FreeIPA you actually want to use the ipaUniqueID attribute for the ID attribute value.

If you still see the same issue, you might need to adjust your “Search Pattern” setting. You want to include objectClass=person. Full pattern example: (&(objectClass=person)(uid={0}))

I hope that helps.

1 Like

I just got a chance to try this. The problem persists. I don’t know why. According to https://www.freeipa.org/page/FreeIPAv2:DS_Design_Summary that attribute is the one that should be used. If I use sn or surname, I don’t get the error.

@knobbysideup I am unable to reproduce that. I set up a FreeIPA instance and tested it with the ipaUniqueID attribute as “ID Attribute”:

The login test works and I can also login with a user account:

image

I have it working now. I was not using an account to bind. After configuring to bind with a system account, I am able to now read the ipauniqueid attribute.

1 Like