Reputation: 1
Changing from one LDAP provider (FreeIPA) to another (Active Directory) without creating new accounts
We currently use a self-hosted Phabricator for internal ticketing. It is mounted in a container with it's own database (MariaDB).
To enable our users to access it we historically have an LDAP connection to a FreeIPA server we also self-host. With recent changes we are now using Active Directory, and we are slowly swapping from one to another. This is where we encounter issues.
When changing it, in some cases we are unable to connect anymore without getting a problem with the existing accounts : Either the mail is already in use so the connection is refused, or we are offered to create a new account, or it creates a second account. In Phabricator case we receive this message :
Email Address Already in Use
You are creating a new account linked to an existing external account.
The email address ("[email protected]") associated with the external account is already in use by an existing Phabricator account. Multiple Phabricator accounts may not have the same email address, so you can not use this email address to register a new account.
If you want to register a new account, continue with this registration workflow and choose a new, unique email address for the new account.
If you want to link an existing Phabricator account to this external account, do not continue. Instead: log in to your existing account, then go to "Settings" and link the account in the "External Accounts" panel.
If you continue, you will create a new account. You will not be able to link this external account to an existing account
How could we proceed to either fuse the accounts together, or change some attributes/search filter to match both accounts ?
On a general aspect we are open to any informational ressources about LDAP/AD on Linux or within containers.
For the moment I tried to understand what was not matching between both accounts, without success. My guess is that the full DN are different as the OU organizations are different. I wondered if matching the attributes we use for each to be the same would solve the issue, like instead of importing the full DN, to only import the login name (which is the same on both).
Upvotes: 0
Views: 48
Answers (0)
Related Questions
- Difference between ClusterIP, NodePort and LoadBalancer service types in Kubernetes?
- Authenticating against active directory using python + ldap
- Ldap search does not return all attributes of an account in Active Directory
- Authenticating in PHP using LDAP through Active Directory
- Can I change myself Active Directory password from LDAP (without administrative account)
- What are the differences between LDAP and Active Directory?
- Gitlabs ldap login against FreeIPA server stuck in a set email loop
- Constructed attributes in Active Directory Global Catalog (get password expiry for accounts)
- Complete LDAP query to extract active Users and Service Accounts from Microsoft Active Directory