Use FreeIPA as Identity Management for OpenNMS

Hi Guys ,

Could you guide me on how I can integrate OpenNMS with a FreeIPA server? Is there any knowledge base that can work with Meridian 2020.1.5? Any guidance will be much appreciated. Thanks

Does this post help?

Hi ,

No, this post seems to be from 2019 and is not helpful, as the contents of the current sso_freeIPA_kerb_ldap.xml file have almost entirely changed: it doesn't have the externalAuthenticationProvider bean, I guess, nor the bind user concept. Could you help me by letting me know the updated way of doing this for FreeIPA?

I haven’t used FreeIPA specifically, so I can’t speak directly to that. You can try modifying the ldap.xml example that comes with OpenNMS and replacing values as appropriate.

So does the ldap.xml configuration help in integrating OpenNMS identity management with FreeIPA? I am using FreeIPA as my identity management system.

Thanks for pointing me towards ldap.xml; I managed to configure authentication using it. Could you let me know how OpenNMS can be made to work with LDAPS? This ldap.xml is using ldap, but we want the secure form of LDAP.

You would set your server as <beans:value>ldaps://ldap1.example.org:636/</beans:value> and make sure your CA cert is stored in your server’s keystore.

By “server’s keystore”, does it mean the keystore on the OpenNMS server or the keystore on the FreeIPA server? Or, instead of a keystore, is it the truststore? We have configured standalone Jetty with HTTPS on port 8443.

OpenNMS server. When I deployed LDAPS auth, I went on the safe side and added our internal CA to both the jetty keystore and the java truststore.

Okay, thanks. I am also getting a simple bind failed exception in web.log. I have two bind users, one for ldap (username opennms) and another bind user, ldapsopennms, for LDAPS on port 636. For LDAPS auth I am using the latter. Could you let me know, if possible, the correct way to create a bind user for LDAPS? Any command that might be handy.

There isn’t any difference between an ldap and an ldaps bind user. As long as it has permission to read objects it should be fine. What’s the exact error you’re seeing?

Could you let me know how I can allow these permissions?

The error I am facing is:

Caused by: org.springframework.ldap.CommunicationException: simple bind failed: ldapserver.corp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ldapserver.corp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]

Caused by: javax.naming.CommunicationException: simple bind failed: ldapserver.corp.com:636

Here is how I created the LDAPS bind user:
#####################################################################

Run vi ldapsopennms.ldif on the FreeIPA server, paste the content below, and save the LDIF file.

dn: uid=opennmsldaps,cn=sysaccounts,cn=etc,dc=corp,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: opennmsldaps
userPassword: opennmsldaps
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
##################################################################

Run the command below:

sudo ldapmodify -H "ldaps://ldapserver.corp.com:636" -x -D "cn=Directory Manager" -w password -f /home/ldapsopennms.ldif

That’s not a permissions error, it’s a connection failure. Are you sure your FreeIPA server is listening on 636?

Yes, I have a process on the FreeIPA server listening on both 389 and 636.

sudo fuser -n tcp 389
389/tcp: 736
################
sudo fuser -n tcp 636
636/tcp: 736

###############################################################
sudo netstat -tulnp | grep 636
tcp6 0 0 :::636 :::* LISTEN 736/ns-slapd
##################################################################
sudo netstat -tulnp | grep 389
tcp6 0 0 :::389 :::* LISTEN 736/ns-slapd
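The port checks above show ns-slapd listening, but they do not show whether the TLS handshake on 636 succeeds or whether the JVM running OpenNMS trusts the certificate the server presents. A TLS failure (for example, a server certificate that does not chain to a CA in the Java truststore) surfaces to the LDAP client as a dropped connection rather than as a permissions error. The script below is an added example, not from this thread or from the OpenNMS project: it separates the two questions by first verifying the TLS chain with openssl, then attempting a plain bind with the sysaccount DN via ldapwhoami, and finally importing the CA into the JVM truststore. The host name and bind DN are taken from the thread; the CA file path, truststore path and password, and the keystore alias are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose an LDAPS bind failure in
# three independent steps: TLS chain verification, LDAP bind, CA import.
# Values below are assumptions/placeholders; override them via environment.

LDAP_HOST="${LDAP_HOST:-ldapserver.corp.com}"                 # host from the thread
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"                         # assumed FreeIPA CA location
BIND_DN="${BIND_DN:-uid=opennmsldaps,cn=sysaccounts,cn=etc,dc=corp,dc=com}"  # DN from the LDIF above
BIND_PW="${BIND_PW:-}"                                        # supply via environment, never hard-code
TRUSTSTORE="${TRUSTSTORE:-${JAVA_HOME:-/usr/lib/jvm/default}/lib/security/cacerts}"  # assumed JVM truststore
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"                # JDK default; change it in production

# Extract N from the "Verify return code: N (...)" line that openssl s_client
# prints (indented or not, depending on the OpenSSL version). 0 means the
# server chain verified against CA_FILE; anything else is a trust problem.
parse_verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 1: TLS handshake only, no LDAP traffic. Fails if the chain is untrusted.
check_ldaps_tls() {
    out=$(openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -CAfile "$CA_FILE" </dev/null 2>&1)
    code=$(parse_verify_code "$out")
    if [ "$code" = "0" ]; then
        echo "TLS: $LDAP_HOST:$LDAP_PORT chain verified against $CA_FILE"
        return 0
    fi
    echo "TLS: verification failed (verify return code: ${code:-none})" >&2
    printf '%s\n' "$out" | grep -E 'verify|depth|error' >&2
    return 1
}

# Step 2: simple bind with the sysaccount over LDAPS. ldapwhoami reports the
# authorization identity on success; a credential or permission problem shows
# up here rather than at the TLS layer.
check_bind() {
    LDAPTLS_CACERT="$CA_FILE" ldapwhoami -H "ldaps://$LDAP_HOST:$LDAP_PORT" \
        -x -D "$BIND_DN" -w "$BIND_PW"
}

# Step 3: make the JVM that runs OpenNMS trust the CA (alias is assumed).
import_ca_into_truststore() {
    keytool -importcert -noprompt -trustcacerts \
        -alias ipa-ca -file "$CA_FILE" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Network and keystore steps only run when invoked as: sh check_ldaps.sh run
if [ "${1:-}" = "run" ]; then
    check_ldaps_tls && check_bind && import_ca_into_truststore
fi
```

Run the TLS step first; if the verify return code is non-zero, fixing trust (step 3, followed by an OpenNMS restart so the JVM rereads the truststore) is what to do before touching the bind user. If TLS verifies but ldapwhoami fails, the problem is the sysaccount's credentials or read permissions, not the transport.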

Hi Guys ,

Any more inputs on this from anyone ?