GroundWork can authenticate against LDAP. 7.0.1 is recommended because apparently 7.0.0 had a few issues that caused LDAP auth not to work. There is a good document on how to authenticate to AD and OpenLDAP, but some changes are required to get it working under FreeIPA.
GroundWork uses JOSSO for LDAP auth, which means editing a few XML files to configure it. After the initial authentication (verifying user id and password), JOSSO checks whether the user is a member of the Authenticated group/role, which gates access to GroundWork at all, and then checks membership of a few other groups for permissions within GroundWork. By default these groups are GWRoot, GWAdmin, GWOperator, and GWUser, and the names are case sensitive. This is a problem because FreeIPA does not preserve case in a lot of attributes, including the member and uid attributes, which are exactly the ones involved here. Using an ordinary group, the search returned cn=authenticated, but GroundWork checks for membership in Authenticated, so the check failed. Roles, however, do preserve case, so I created the GroundWork groups in FreeIPA as roles, with no FreeIPA permissions assigned to them. To external systems they otherwise behave as normal LDAP groups.
So, first follow the instructions in the document, including adding the web security user (wsuser, defined in config/ws_client.properties) and the portal proxy user (portal.proxy.user, originally user, but I changed it to gwuser, defined in config/foundation.properties) to FreeIPA. Then create the roles. You can use the following ipa commands to create them:
ipa role-add GWAdmin --desc="groundwork admins"
ipa role-add GWOperator --desc="groundwork operators"
ipa role-add GWUser --desc="groundwork users"
ipa role-add GWRoot --desc="groundwork root"
ipa role-add Authenticated --desc="groundwork authenticated users"
Then update the following stanza in josso-1.8.4/lib/josso-gateway-ldap-stores.xml, substituting the appropriate values:
@LDAPSERVER@ = LDAP server
@BASEDN@ = base DN of the directory, for example dc=example,dc=com
@PRINCIPAL@ = user to perform the initial bind as
@PRINCPW@ = password of the initial bind user
Note that in this store uidAttributeID is the attribute of each role entry that lists its members (member in FreeIPA), not the user's uid; principalUidAttributeID is the attribute the login name is matched against, and roleAttributeID is the attribute that carries the role name GroundWork compares case-sensitively. Also be aware that with providerUrl="ldap://..." and securityAuthentication="simple", the bind password and every user's password cross the network in cleartext; use ldaps:// where the server supports it, and keep the file readable only by the account GroundWork runs as, since it contains @PRINCPW@.
<ldap-istore:ldap-bind-store id="josso-identity-store"
    initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://@LDAPSERVER@"
    securityPrincipal="uid=@PRINCIPAL@,cn=users,cn=accounts,@BASEDN@"
    securityCredential="@PRINCPW@"
    securityAuthentication="simple"
    ldapSearchScope="SUBTREE"
    usersCtxDN="cn=users,cn=accounts,@BASEDN@"
    principalUidAttributeID="uid"
    uidAttributeID="member"
    rolesCtxDN="cn=roles,cn=accounts,@BASEDN@"
    roleAttributeID="cn"
    userPropertiesQueryString="givenName=firstname,sn=lastname,mail=mail" />
Then restart gwservices using whatever method applies to your system (service groundwork restart gwservices on Red Hat, for example).
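Before editing the JOSSO file it is worth checking, from the FreeIPA side, that the role search JOSSO will run actually returns the names GroundWork expects. The script below is an added example, not from this page or from the GroundWork or JOSSO projects. It assumes a server ipa.example.com, base DN dc=example,dc=com, a bind user gwuser whose password sits in a mode 0600 file, and a test user alice. create_roles_for creates the five roles and puts a user in two of them; lookup_roles runs the same search the stanza above configures (entries under cn=roles,cn=accounts whose member attribute holds the user's DN, returning cn); required_roles_present applies GroundWork's case-sensitive name check to that LDIF, so an ordinary group's cn=authenticated is rejected while a role's cn=Authenticated passes.

```shell
#!/bin/sh
# Added example (not from the page, GroundWork or JOSSO): check the FreeIPA
# side of the setup with the ipa and ldapsearch CLIs before debugging JOSSO.
# Assumed values: server ipa.example.com, base DN dc=example,dc=com, bind user
# gwuser with its password in a 0600 file, and a test user alice.
LDAPSERVER="${LDAPSERVER:-ipa.example.com}"
BASEDN="${BASEDN:-dc=example,dc=com}"
PRINCIPAL="${PRINCIPAL:-gwuser}"
PWFILE="${PWFILE:-$HOME/.gw-bind-pw}"   # holds the bind password; -y keeps it out of ps

# Create the roles JOSSO looks for (same names as on the page) if they do not
# exist yet, and add a user to the two that grant basic access.
create_roles_for() {
  for r in Authenticated GWUser GWOperator GWAdmin GWRoot; do
    ipa role-show "$r" >/dev/null 2>&1 || ipa role-add "$r" --desc="groundwork $r"
  done
  ipa role-add-member Authenticated --users="$1"
  ipa role-add-member GWUser --users="$1"
}

# The search the stanza configures: subtree under cn=roles,cn=accounts, filter
# on the role entry's member attribute holding the user's DN, return cn only.
# ldaps:// so neither the bind password nor the query crosses the wire in clear.
lookup_roles() {
  ldapsearch -LLL -x -H "ldaps://$LDAPSERVER" \
    -D "uid=$PRINCIPAL,cn=users,cn=accounts,$BASEDN" -y "$PWFILE" \
    -b "cn=roles,cn=accounts,$BASEDN" -s sub \
    "(member=uid=$1,cn=users,cn=accounts,$BASEDN)" cn
}

# Return 0 only if every required name appears exactly as a cn value in the
# LDIF on stdin. grep -F -x makes the match literal and whole-line, which is
# the case-sensitive comparison GroundWork performs: "authenticated" (what an
# ordinary FreeIPA group returns) does not satisfy "Authenticated".
required_roles_present() {
  found=$(sed -n 's/^cn: //p')
  for want in "$@"; do
    if ! printf '%s\n' "$found" | grep -qxF -- "$want"; then
      echo "missing role (case-sensitive): $want" >&2
      return 1
    fi
  done
  return 0
}

# Live check against the server: ./check.sh alice
check_user() {
  lookup_roles "$1" | required_roles_present Authenticated GWUser
}

[ $# -eq 0 ] || check_user "$1"
```

If required_roles_present reports a missing role even though ipa role-show lists the user as a member, JOSSO will fail in the same way, so fix the directory side first; if it passes, remaining failures are in the XML stanza or the GroundWork role mapping.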