Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
On Fri, May 12, 2017 at 4:03 PM, wrote:

> Yes, kinit works with IPA users. GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS based logins over GSSAPI.
>
> The keytab works since lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, secldapclntd uses krb5 to identify itself to IPA)
>
> Also we are able to kinit host/aixlpar.example@example.org -kt /etc/krb5/krb5.keytab

If your kerberos client works (and it looks like it works as long as you can properly kinit) the only option you have is to check the /var/log/krb5kdc.log on the IPA and /var/log/messages or whatever you have configured in syslog for auth. on the AIX client.

> We can try using su from an unprivileged user, but su has some different issues altogether, it doesn't like @ in usernames which we need at the next stage (integrating AD Trust)
>
> From: Iulian Roman [mailto:iulian.ro...@gmail.com]
> Sent: Friday 12 May 2017 15:56
> To: Hummelink, Wouter
> Cc: luiz.via...@tivit.com.br; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> On Fri, May 12, 2017 at 3:31 PM, wrote:
>
>> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view.
>
> My advice would be to start simple, prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point.
>
> Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run kinit (with password and with the keytab) from aix and get a ticket from Kerberos ? can you su to an IPA account ? do you have GSSAPIAuthentication enabled in sshd_config ?
>
> From what you've described i would suspect that your keytab is not correct, but that should be confirmed only by answering the questions above.
>
>> Sent from my Samsung device
>>
>> Original message
>> From: Luiz Fernando Vianna da Silva
>> Date: 12-05-17 15:03 (GMT+01:00)
>> To: "Hummelink, Wouter", freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>>
>> Hello Wouter.
>>
>> It may seem silly, but try installing bash on one AIX server and test authenticating against that one.
>>
>> It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers.
>>
>> Let me know how it goes or if you have any issues.
>>
>> Best Regards
>>
>> Luiz Fernando Vianna da Silva
>>
>> On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
>>
>>> Hi All,
>>>
>>> We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
>>>
>>> All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user
>>>
>>> We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))
>>>
>>> AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.
>>>
>>> Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.
>>>
>>> Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
>>>
>>> === Configuration Excerpt ===
>>>
>>> /etc/security/ldap/ldap.cfg:
>>>
>>> ldapservers:ipaserver.example.org
>>> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>>> bindpwd:{DESv2}
>>> authtype:ldap_auth
>>> useSSL:TLS
>>> ldapsslkeyf:/etc/security/ldap/example.kdb
>>> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB42088FA8932F219867AA7C2C552A12BEEC0CC67
>>> useKRB5:yes
>>> krbprincipal:host/aixlpar.example.org
>>> krbkeypath:/etc/krb5/krb5.keytab
>>> userattrmappath:/etc/security/ldap/2307user.map
>>> groupattrmappath:/etc/security/ldap/2307group.map
>>> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>>> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>>> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>>> automountbasedn:cn=default,cn=automount,dc=example,dc=org
>>> etherbasedn:cn=computers,cn=accounts,dc=example
Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
On Fri, May 12, 2017 at 3:31 PM, wrote:

> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view.

My advice would be to start simple, prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point.

Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run kinit (with password and with the keytab) from aix and get a ticket from Kerberos ? can you su to an IPA account ? do you have GSSAPIAuthentication enabled in sshd_config ?

From what you've described i would suspect that your keytab is not correct, but that should be confirmed only by answering the questions above.

> Sent from my Samsung device
>
> Original message
> From: Luiz Fernando Vianna da Silva
> Date: 12-05-17 15:03 (GMT+01:00)
> To: "Hummelink, Wouter", freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
> Hello Wouter.
>
> It may seem silly, but try installing bash on one AIX server and test authenticating against that one.
>
> It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers.
>
> Let me know how it goes or if you have any issues.
>
> Best Regards
>
> Luiz Fernando Vianna da Silva
>
> On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
>
>> Hi All,
>>
>> We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
>>
>> All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user
>>
>> We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))
>>
>> AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.
>>
>> Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.
>>
>> Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
>>
>> === Configuration Excerpt ===
>>
>> /etc/security/ldap/ldap.cfg:
>>
>> ldapservers:ipaserver.example.org
>> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>> bindpwd:{DESv2}
>> authtype:ldap_auth
>> useSSL:TLS
>> ldapsslkeyf:/etc/security/ldap/example.kdb
>> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB42088FA8932F219867AA7C2C552A12BEEC0CC67
>> useKRB5:yes
>> krbprincipal:host/aixlpar.example.org
>> krbkeypath:/etc/krb5/krb5.keytab
>> userattrmappath:/etc/security/ldap/2307user.map
>> groupattrmappath:/etc/security/ldap/2307group.map
>> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>> automountbasedn:cn=default,cn=automount,dc=example,dc=org
>> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
>> userclasses:posixaccount,account,shadowaccount
>> groupclasses:posixgroup
>> ldapport:389
>> searchmode:ALL
>> defaultentrylocation:LDAP
>>
>> /etc/security/user default:
>>         SYSTEM = KRB5LDAP or compat
>>
>> /etc/methods.cfg
>>
>> LDAP:
>>         program = /usr/lib/security/LDAP
>>         program_64 = /usr/lib/security/LDAP64
>>
>> NIS:
>>         program = /usr/lib/security/NIS
>>         program_64 = /usr/lib/security/NIS_64
>>
>> DCE:
>>         program = /usr/lib/security/DCE
>>
>> KRB5:
>>         program = /usr/lib/security/KRB5
>>         program_64 = /usr/lib/security/KRB5_64
>>         options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
>>
>> KRB5LDAP:
>>         options = auth=KRB5,db=LDAP
>>
>> Kind regards,
>>
>> Wouter Hummelink
>> Technical Consultant - Enterprise Webhosting / Tooling & Automation
>> T: +31-6-12882447
>> E: wouter.hummel...@kpn.com

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
On Fri, May 12, 2017 at 2:32 PM, wrote:

> Hi All,
>
> We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
>
> All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user
>
> We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))

Why don't you just use the /bin/sh as default shell in IPA ? In aix /bin/sh is the same as /bin/ksh and in linux it is a symlink to /bin/bash .

> AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.
>
> Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
>
> === Configuration Excerpt ===
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
> bindpwd:{DESv2}
> authtype:ldap_auth
> useSSL:TLS
> ldapsslkeyf:/etc/security/ldap/example.kdb
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB42088FA8932F219867AA7C2C552A12BEEC0CC67
> useKRB5:yes
> krbprincipal:host/aixlpar.example.org
> krbkeypath:/etc/krb5/krb5.keytab
> userattrmappath:/etc/security/ldap/2307user.map
> groupattrmappath:/etc/security/ldap/2307group.map
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
> userclasses:posixaccount,account,shadowaccount
> groupclasses:posixgroup
> ldapport:389
> searchmode:ALL
> defaultentrylocation:LDAP
>
> /etc/security/user default:
>         SYSTEM = KRB5LDAP or compat

I am using the following settings in /etc/security/user:

        SYSTEM = KRB5LDAP
        registry = KRB5LDAP

it works for AIX5,6 and 7 in my setup.

> /etc/methods.cfg
>
> LDAP:
>         program = /usr/lib/security/LDAP
>         program_64 = /usr/lib/security/LDAP64
>
> NIS:
>         program = /usr/lib/security/NIS
>         program_64 = /usr/lib/security/NIS_64
>
> DCE:
>         program = /usr/lib/security/DCE
>
> KRB5:
>         program = /usr/lib/security/KRB5
>         program_64 = /usr/lib/security/KRB5_64
>         options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
>
> KRB5LDAP:
>         options = auth=KRB5,db=LDAP
>
> Kind regards,
>
> Wouter Hummelink
> Technical Consultant - Enterprise Webhosting / Tooling & Automation
> T: +31-6-12882447
> E: wouter.hummel...@kpn.com
[Freeipa-users] ipa replica between different environments
Hello,

is it possible/supported to _clone_ an ipa setup between different environments, disconnect the replicas and use them independently (ex. clone ST to ET and use them as separate IPA servers for ST respective ET clients ?) or does the disconnect remove the data ?
[Freeipa-users] ipa-getkeytab client equivalent for Unix
Hello,

Can anybody explain briefly what ipa-getkeytab runs under the hood in order to use similar logic for unix clients (will help in automating the registration to IPA server) ?

Thank You !
[Freeipa-users] staging area and group membership
Hello,

Is it possible to directly add a user to certain groups when the user is defined in staging area ?
[Freeipa-users] ldap connector from IIQ to ipa
Hello,

We do plan to integrate IPA with IdentityIQ (sailpoint) for user provisioning. Because IPA does abstract all the ldap commands via new set of commands and APIs, i am not sure if the standard ldap connector is the right option and if it is supported (taking into consideration that a simple user creation does update/create more ldap containers).

Could you please clarify if updating IPA via standard ldap commands is supported but not necessarily a best practice or it is an absolute NO ?

Thank You !
Re: [Freeipa-users] compat and nested groups for Unix system
On Mon, Mar 20, 2017 at 4:24 PM, Alexander Bokovoy wrote:

> On Mon, 20 Mar 2017, Iulian Roman wrote:
>
>> On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote:
>>
>>> On Mon, 20 Mar 2017, Iulian Roman wrote:
>>>
>>>> Hello,
>>>>
>>>> I noticed that nested group feature do not work with the unix ldap clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If i use the cn=compat and change the mapping the nested groups are listed properly.
>>>
>>> Compat tree implements RFC2307 schema which doesn't have nested groups.
>>
>> Correct, but although the groups under the compat tree do not have the nestedgroup object class attribute, whenever i change the group membership via WEB UI, the compat tree group membership is automatically updated (new memberUid is added). What i've done was a sort of workaround and map the AIX groups attribute to the memberUid which seems to work properly.
>
> memberUid is uidNumber of corresponding user, not a group identifier.
> Perhaps, you are trying to explain something else?

Ok, maybe i have to explain it more clearly as it was confusing: in order to get the user list attribute for an ldap group in AIX, you use some .map files, which map the ldap attributes to the AIX attributes. For the 2307schema, to get the user list of a group you have to map the AIX _users_ attribute to the _memberuid_ ldap attribute. For compat tree, in the file ipagroup.map i've mapped the AIX _users_ attribute to the _memberuid_ ipa/ldap attribute and therefore i have the list of the users for that particular group. Having the user list which are members to a group translates to having the group list of the users (if we invert the logic). Does that make more sense now ?

>>> Main tree in FreeIPA uses RFC2307bis schema which supports nested groups.
>>
>> Any plans to support RFC2307AIX schema ?
>
> No.
>
>>> On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX schemas. AIX's automounter does support RFC2307bis automount maps but the rest of the system does not support RFC2307bis. In particular, AIX does not understand member attribute dereference.
>>>
>>>> My question is if it is allowed to mix the compat and accounts cn for the userbasedn and groupbasedn on the same unix ldap client ?
>>>
>>> No, not really. You are messing it up something that your client does not understand.
>>
>> As i explained above, i could use the basic attributes in the compat tree for groups in order to update the AIX "groups" attribute (based on memberuid list). Is there anything which can break the functionality if the compat tree is used instead of the main/accounts tree or it is a fortunate coincidence that this setup works ?
>
> Why you don't use compat tree for both users and groups in AIX? This is how it was designed to be used.

Actually the compat tree was the default one configured by the ldap client, but checking the ldap structure seemed more logical to use the default ipa ldap tree which is used as well for Linux. Moreover i did not understand what is exactly the purpose of the compat tree and i was quite confused. Apart from that i missed some krb* related attributes for the user, but probably i have to re-evaluate that and use compat tree for both users and groups, if that's what it was designed for.

> --
> / Alexander Bokovoy
Re: [Freeipa-users] compat and nested groups for Unix system
On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote:

> On Mon, 20 Mar 2017, Iulian Roman wrote:
>
>> Hello,
>>
>> I noticed that nested group feature do not work with the unix ldap clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If i use the cn=compat and change the mapping the nested groups are listed properly.
>
> Compat tree implements RFC2307 schema which doesn't have nested groups.

Correct, but although the groups under the compat tree do not have the nestedgroup object class attribute, whenever i change the group membership via WEB UI, the compat tree group membership is automatically updated (new memberUid is added). What i've done was a sort of workaround and map the AIX groups attribute to the memberUid which seems to work properly.

> Main tree in FreeIPA uses RFC2307bis schema which supports nested groups.

Any plans to support RFC2307AIX schema ?

> On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX schemas. AIX's automounter does support RFC2307bis automount maps but the rest of the system does not support RFC2307bis. In particular, AIX does not understand member attribute dereference.
>
>> My question is if it is allowed to mix the compat and accounts cn for the userbasedn and groupbasedn on the same unix ldap client ?
>
> No, not really. You are messing it up something that your client does not understand.

As i explained above, i could use the basic attributes in the compat tree for groups in order to update the AIX "groups" attribute (based on memberuid list). Is there anything which can break the functionality if the compat tree is used instead of the main/accounts tree or it is a fortunate coincidence that this setup works ?

> --
> / Alexander Bokovoy
[Freeipa-users] compat and nested groups for Unix system
Hello,

I noticed that nested group feature do not work with the unix ldap clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If i use the cn=compat and change the mapping the nested groups are listed properly.

My question is if it is allowed to mix the compat and accounts cn for the userbasedn and groupbasedn on the same unix ldap client ?
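An added example, not code from this thread or from the FreeIPA project: a small POSIX sh lint for the AIX /etc/security/ldap/ldap.cfg keys that come up in this thread and in the "IPA Compat + ID Views + AIX 7.1" thread above. It flags a userbasedn and groupbasedn that point into different IPA subtrees (the mixed compat/accounts setup Alexander advised against), a useKRB5:yes without krbprincipal/krbkeypath, and a bind without TLS. The two config excerpts are constructed, modelled on the ldap.cfg posted in the AIX thread.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a few keys of the AIX
# /etc/security/ldap/ldap.cfg ("key:value" lines read from stdin).
# Checks:
#   1. userbasedn and groupbasedn point into the same IPA tree
#      (both cn=compat or both cn=accounts), never a mix of the two;
#   2. useKRB5:yes is backed by krbprincipal and krbkeypath;
#   3. useSSL is enabled, so the simple bind does not go out in clear.
# One finding per line on stdout; returns 0 when clean, 1 otherwise.

cfg_get() {
    # cfg_get KEY -> value of the first "KEY:value" line in $CFG
    printf '%s\n' "$CFG" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

tree_of() {
    # Classify a base DN by the IPA subtree it points into.
    case "$1" in
        "")             echo unset ;;
        *cn=compat,*)   echo compat ;;
        *cn=accounts,*) echo accounts ;;
        *)              echo other ;;
    esac
}

lint_ldap_cfg() {
    CFG=$(cat)
    rc=0
    ut=$(tree_of "$(cfg_get userbasedn)")
    gt=$(tree_of "$(cfg_get groupbasedn)")
    [ "$ut" != unset ] || { echo "BASEDN: userbasedn not set"; rc=1; }
    [ "$gt" != unset ] || { echo "BASEDN: groupbasedn not set"; rc=1; }
    if [ "$ut" != "$gt" ]; then
        echo "MIXED-TREES: userbasedn in '$ut' tree, groupbasedn in '$gt' tree"
        rc=1
    fi
    if [ "$(cfg_get useKRB5)" = yes ]; then
        [ -n "$(cfg_get krbprincipal)" ] || { echo "KRB5: krbprincipal not set"; rc=1; }
        [ -n "$(cfg_get krbkeypath)" ]   || { echo "KRB5: krbkeypath not set"; rc=1; }
    fi
    case "$(cfg_get useSSL)" in
        yes|TLS) ;;
        *) echo "TLS: useSSL is not enabled; the bind password would cross the network in clear"; rc=1 ;;
    esac
    return $rc
}

sample_compat_cfg() {
    # Constructed excerpt: both base DNs under cn=compat, keytab and TLS set.
    cat <<'EOF'
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
useSSL:TLS
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
EOF
}

sample_mixed_cfg() {
    # Constructed excerpt: users from the main tree, groups from compat,
    # no TLS, and the keytab path missing.
    cat <<'EOF'
ldapservers:ipaserver.example.org
useSSL:no
useKRB5:yes
krbprincipal:host/aixlpar.example.org
userbasedn:cn=users,cn=accounts,dc=example,dc=org
groupbasedn:cn=groups,cn=compat,dc=example,dc=org
EOF
}

# Demo: run both constructed excerpts through the lint.
for cfg in sample_compat_cfg sample_mixed_cfg; do
    echo "== $cfg =="
    if "$cfg" | lint_ldap_cfg; then echo "clean"; fi
done
```

To lint a real client, run `lint_ldap_cfg < /etc/security/ldap/ldap.cfg` on the AIX host; the checks only read the file and change nothing.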
Re: [Freeipa-users] pam_hbac for aix
On Mon, Mar 6, 2017 at 12:20 PM, Jakub Hrozek wrote:

> On Mon, Mar 06, 2017 at 10:59:12AM +0100, Iulian Roman wrote:
>
>> Hello,
>>
>> Does anyone know what is the status with the support for AIX in the pam_hbac tool ? I've heard from a RH presentation that it is available, although on the project site it does not seem to be supported yet.
>>
>> I would like to know if there are any plans in that direction, because our migrations of thousands of AIX machines to IPA is conditioned by the availability of pam_hbac. The HBAC rules/policy design depends as well on the method you use to parse the rules.
>
> It's in progress, but delayed due to the current work we are doing for RHEL-7.4. I've merged HP-UX support a couple of weeks ago and AIX support is next on the list.

Any chance we can prioritize that by creating an RFE ? We have quite a big environment and it would simplify a lot the access control if we can make use of pam_hbac.

> If you'd like to help with the port, any help is appreciated :-)

I am willing to, at least with testing it on different OS versions. If there is anything else i can do, please let me know.
[Freeipa-users] pam_hbac for aix
Hello,

Does anyone know what is the status with the support for AIX in the pam_hbac tool ? I've heard from a RH presentation that it is available, although on the project site it does not seem to be supported yet.

I would like to know if there are any plans in that direction, because our migrations of thousands of AIX machines to IPA is conditioned by the availability of pam_hbac. The HBAC rules/policy design depends as well on the method you use to parse the rules.
Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded
On Fri, Feb 24, 2017 at 5:41 PM, Petr Vobornik wrote:

> On 02/24/2017 05:13 PM, Iulian Roman wrote:
>
>> On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik wrote:
>>
>>> On 02/24/2017 12:15 PM, Iulian Roman wrote:
>>>
>>>> Hello,
>>>>
>>>> After a successful installation of the ipa-server when i try to login via WEB UI i've noticed that the web page looks strange (wrong fonts and page seems not completely/correctly loaded).
>>>>
>>>> The network debugger in chrome/firefox does
>>>
>>> So it won't be browser or extension related. The only possibility is to have same extension on both browsers.
>>>
>>>> display 2 errors :
>>>>
>>>> - json /ipa/session/ 401 Unauthorized
>>>
>>> This is expected.
>>>
>>>> - login _kerberos?=... net::ERR_ACCESS_DENIED
>>>
>>> This one should return also "401 Unauthorized" if you don't have SSO configured on browser or SSO(kerberos) ticket.
>>>
>>> net::ERR_ACCESS_DENIED indicates something wrong. Maybe some other software interferes in the communication with server.
>>>
>>> What OS it is? Could there be an overzealous antivirus (the web check part). Or maybe a custom proxy setting?
>>
>> it behaves the same from all browsers (firefox,chrome) and from both Linux and windows. i do use proxy, but trying with the firefox directly from the ipa server - therefore without proxy - does have the same result.
>>
>>>> I do not intend to use SSO for login into WEBUI (although it is the default in the ipa version i am using) but apparently a supported method to disable it is not known.
>>>
>>> Right, it is not currently possible. I've opened RFE ticket. https://fedorahosted.org/freeipa/ticket/6709 Please comment if you use case is different than the proposed user story.
>>>
>>>> I can login with user and password but the WEB UI is almost unusable because of wrongly loaded page .
>>>
>>> I wonder if something did not tamper in the loaded files. If all files are loaded correctly and if it is fresh install (to mitigate possibility of old cache) then it is weird. Maybe it is the antivirus.
>>
>> i wonder too. the strange thing is that from the same browser i can access properly a different ipa server (which i've configured some time ago).
>>
>>> Do you have some Web UI plugin installed on IPA server?
>>
>> it is default installation. How can i check which plugins are installed ?
>
> Plugins are in /usr/share/ipa/ui/js/plugins/ if the directory is empty then there is no plugin.

i've just checked and there are no plugins installed.

> But plugin would not cause:
> login _kerberos?=... net::ERR_ACCESS_DENIED

indeed, but what would cause that ? it is quite strange and i am almost clueless. i try to narrow it down and in my opinion the issue is most probably on the server side, but i have no evidence for that so far.

>>>> Did anyone experience the same issue and is there any fix/solution for that ?
>>>
>>> --
>>> Petr Vobornik
>>>
>>> Associate Manager, Engineering, Identity Management
>>> Red Hat, Inc.
>
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded
On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik wrote:

> On 02/24/2017 12:15 PM, Iulian Roman wrote:
>
>> Hello,
>>
>> After a successful installation of the ipa-server when i try to login via WEB UI i've noticed that the web page looks strange (wrong fonts and page seems not completely/correctly loaded).
>>
>> The network debugger in chrome/firefox does
>
> So it won't be browser or extension related. The only possibility is to have same extension on both browsers.
>
>> display 2 errors :
>>
>> - json /ipa/session/ 401 Unauthorized
>
> This is expected.
>
>> - login _kerberos?=... net::ERR_ACCESS_DENIED
>
> This one should return also "401 Unauthorized" if you don't have SSO configured on browser or SSO(kerberos) ticket.
>
> net::ERR_ACCESS_DENIED indicates something wrong. Maybe some other software interferes in the communication with server.
>
> What OS it is? Could there be an overzealous antivirus (the web check part). Or maybe a custom proxy setting?

it behaves the same from all browsers (firefox,chrome) and from both Linux and windows. i do use proxy, but trying with the firefox directly from the ipa server - therefore without proxy - does have the same result.

>> I do not intend to use SSO for login into WEBUI (although it is the default in the ipa version i am using) but apparently a supported method to disable it is not known.
>
> Right, it is not currently possible. I've opened RFE ticket. https://fedorahosted.org/freeipa/ticket/6709 Please comment if you use case is different than the proposed user story.
>
>> I can login with user and password but the WEB UI is almost unusable because of wrongly loaded page .
>
> I wonder if something did not tamper in the loaded files. If all files are loaded correctly and if it is fresh install (to mitigate possibility of old cache) then it is weird. Maybe it is the antivirus.

i wonder too. the strange thing is that from the same browser i can access properly a different ipa server (which i've configured some time ago).

> Do you have some Web UI plugin installed on IPA server?

it is default installation. How can i check which plugins are installed ?

>> Did anyone experience the same issue and is there any fix/solution for that ?
>
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
[Freeipa-users] WEB UI - wrong fonts or incomplete page loaded
Hello,

After a successful installation of the ipa-server when i try to login via WEB UI i've noticed that the web page looks strange (wrong fonts and page seems not completely/correctly loaded).

The network debugger in chrome/firefox does display 2 errors :

- json /ipa/session/ 401 Unauthorized
- login _kerberos?=... net::ERR_ACCESS_DENIED

I do not intend to use SSO for login into WEBUI (although it is the default in the ipa version i am using) but apparently a supported method to disable it is not known.

I can login with user and password but the WEB UI is almost unusable because of wrongly loaded page .

Did anyone experience the same issue and is there any fix/solution for that ?
[Freeipa-users] integrated DNS vs external DNS
Despite reading the freeipa and Redhat IdM documentation regarding the DNS, it is still unclear to me if and when is integrated DNS mandatory. We do have an environment with a pretty complex DNS setup, which is in place for years and there are no plans to change it.

if i understood correctly from the documentation, integrated DNS is mandatory for configuring AD trust. is that correct ?

Can the integrated DNS be configured as forward only ?

Do the clients need to have IPA DNS as a resolver or they can just use existing DNS server ?
Re: [Freeipa-users] support for rfc2307AIX schema in IPA server
On Wed, Feb 22, 2017 at 9:02 PM, Michael Ströder wrote:
> Iulian Roman wrote:
> > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder wrote:
> >
> > Iulian Roman wrote:
> > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> > >
> > > Iulian Roman wrote:
> > > > Does anybody know if the rfc2307aix schema is supported in IPA server
> > >
> > > No, it isn't supported (it's the first I've ever heard of it). Looking at the schema I doubt it is something that would ever be fully supported.
> > >
> > > is there any possibility to extend the existing schema with additional attributes/object
> >
> > Do you really use this specific AIX schema?
> > If yes, which attributes for which purpose?
> >
> > I do need the aixAuxAccount and aixAuxGroup object classes. They implement some password restrictions needed for security/compliance
>
> Password policy is something best enforced centrally in the authentication server and password management system. So IMHO this serves as perfect example for proprietary attributes you won't need.
>
> How is authentication done? SSH keys, Kerberos, LDAP simple bind?

Kerberos

> > + some other security related attributes.
> > Personally I do not consider them a must - they are rather some nice to have features - but I have to migrate an environment which does use them. And I would like as well to make the migration as transparent as possible (therefore without "missing features").
>
> Is the existing environment also an LDAP server with this particular AIX schema?

No, it is a custom/legacy solution which does not use LDAP but local accounts which are centrally managed.

> Or are you trying to follow a migration path to LDAP suggested by IBM docs?

No, I've adapted some freeipa document which describes the client setup for AIX (in its original form it does not work and it needed some modifications), but I have to admit that the documentation for integrating Unix clients is poor and incomplete. IBM does recommend TDS, which integrates seamlessly with both AIX and Linux clients + other features which should help in integrating in a heterogeneous environment, but I am not evaluating that solution currently (I may look into it only if I cannot integrate it with IPA in the way I want).

> Being in your position I'd first compile a list of functional and security requirements and ask then whether these requirements can be implemented with FreeIPA. I'm curious to learn whether "some other security related attributes" are still needed after all.

All the password restriction policies (minage, maxage, number of characters in the password, history of the old passwords, number of characters, password dictionaries, etc.), loginretries - which "locks" the account after a number of unsuccessful logins, hostsallow/deny login, all the ulimit related parameters (that can probably be ignored). It is not a matter of whether they increase the security or not or if they are really needed, but a matter of complying to some security standards agreed between two parties. It would be easier to keep them in the same format than to change the security standard, tooling and processes behind (bureaucracy, overhead and complexity of the enterprise environment makes me try to avoid that as much as possible, especially when there are many people and departments involved, with their own mindset and playing different politics).

> Ciao, Michael.
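The attribute list in the reply above (minage, maxage, password length, password history, loginretries) is exactly what a migration off the AIX stanza format has to translate into an IPA group password policy, since IPA enforces those rules centrally in the KDC/389-ds rather than through aixAuxAccount attributes. The script below is an added example for this thread, not code from FreeIPA or from any poster. It parses a constructed /etc/security/user stanza and emits the matching ipa pwpolicy-mod arguments; the option names (--minlife, --maxlife, --minlength, --history, --maxfail, --failinterval, --lockouttime) are the real FreeIPA CLI options, the group name aix-migrated is a placeholder, and the 60 s failure window and 600 s lockout are assumed site choices because AIX loginretries has no such parameters. Attributes with no pwpolicy counterpart (dictionlist, minother, histexpire, hostsallowedlogin) are reported rather than silently dropped, so they can be covered by another control such as an HBAC rule.

```python
"""Map AIX /etc/security/user password attributes to FreeIPA policy settings.

Added example for this mailing-list thread; not FreeIPA code and not code
from any poster. SAMPLE_STANZA is constructed input and 'aix-migrated' is a
placeholder group name. The IPA options used are the documented
'ipa pwpolicy-mod' options; the 60 s window and 600 s lockout are assumed
site choices. Units: AIX minage/maxage are weeks, IPA --minlife is hours
and --maxlife is days.
"""

import shlex

HOURS_PER_WEEK = 7 * 24
DAYS_PER_WEEK = 7

# Constructed sample stanza in /etc/security/user syntax (not from a real host).
SAMPLE_STANZA = """\
* password rules agreed with the auditors (constructed example)
default:
        minage = 1
        maxage = 12
        minlen = 8
        histsize = 10
        histexpire = 52
        loginretries = 5
        minother = 1
        dictionlist = /etc/security/aixpert/dictionlist
"""


def parse_stanza(text):
    """Return the attribute = value pairs of the first stanza as a dict."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or line.endswith(":"):
            continue  # blank line, AIX comment, or stanza header
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def aix_to_ipa_pwpolicy(attrs, group, fail_interval=60, lockout_time=600):
    """Build the 'ipa pwpolicy-mod' argv for an existing group policy.

    Returns (argv, unmapped). 'unmapped' lists AIX attributes that have no
    counterpart in an IPA password policy and need another control:
    hostsallowedlogin -> HBAC rules, dictionlist -> no IPA equivalent,
    minother -> only approximated by --minclasses, so left to the admin.
    """
    argv = ["ipa", "pwpolicy-mod", group]
    unmapped = []
    for key, value in attrs.items():
        if key == "minage":
            argv += ["--minlife", str(int(value) * HOURS_PER_WEEK)]
        elif key == "maxage" and int(value) > 0:
            argv += ["--maxlife", str(int(value) * DAYS_PER_WEEK)]
        elif key == "minlen":
            argv += ["--minlength", value]
        elif key == "histsize":
            argv += ["--history", value]
        elif key == "loginretries":
            # AIX only counts failures; IPA also needs the counting window
            # and the lock duration. 0 disables the lock on AIX, and
            # --maxfail 0 is passed through unchanged for IPA.
            argv += ["--maxfail", value]
            if int(value) > 0:
                argv += ["--failinterval", str(fail_interval),
                         "--lockouttime", str(lockout_time)]
        else:
            # maxage=0 (no expiry on AIX) lands here too: confirm how your
            # IPA version treats --maxlife before setting it by hand.
            unmapped.append(key)
    return argv, unmapped


def render_command(argv):
    """Shell-quote the argv so it can be pasted on an IPA admin host."""
    return shlex.join(argv)


if __name__ == "__main__":
    attrs = parse_stanza(SAMPLE_STANZA)
    argv, unmapped = aix_to_ipa_pwpolicy(attrs, "aix-migrated")
    print(render_command(argv))
    print("not mapped, handle elsewhere:", ", ".join(unmapped))
```

Run it once against the stanza you are migrating before touching IPA, and treat the unmapped list as the real work item: a dictionlist or hostsallowedlogin requirement does not disappear just because the pwpolicy command succeeded.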
Re: [Freeipa-users] support for rfc2307AIX schema in IPA server
On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder wrote:
> Iulian Roman wrote:
> > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> >
> > Iulian Roman wrote:
> > > Hello,
> > >
> > > Does anybody know if the rfc2307aix schema is supported in IPA server (I use the Red Hat IdM version)? If yes, is there any documentation available? Was it tested?
> >
> > No, it isn't supported (it's the first I've ever heard of it). Looking at the schema I doubt it is something that would ever be fully supported.
> >
> > is there any possibility to extend the existing schema with additional attributes/object
>
> Do you really use this specific AIX schema?
> If yes, which attributes for which purpose?

I do need the aixAuxAccount and aixAuxGroup object classes. They implement some password restrictions needed for security/compliance + some other security related attributes. Personally I do not consider them a must - they are rather some nice to have features - but I have to migrate an environment which does use them. And I would like as well to make the migration as transparent as possible (therefore without "missing features").

> Last time I've checked this schema when integrating AIX clients my conclusion was that this schema is rather useless and proprietary bloat.
>
> Ciao, Michael.
Re: [Freeipa-users] support for rfc2307AIX schema in IPA server
On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> Iulian Roman wrote:
> > Hello,
> >
> > Does anybody know if the rfc2307aix schema is supported in IPA server (I use the Red Hat IdM version)? If yes, is there any documentation available? Was it tested?
>
> No, it isn't supported (it's the first I've ever heard of it). Looking at the schema I doubt it is something that would ever be fully supported.

Is there any possibility to extend the existing schema with additional attributes/object classes? IPA integrates seamlessly in the Linux environment and it would be nice to make that possible also for the Unix environment. The enterprise environment is quite heterogeneous, and a solution which would facilitate the consolidation of authentication and authorization methods is still something many companies are looking for. There are different solutions for different platforms, with different features, but none which can be used cross platform. I hope IPA will try to bridge this gap in the near future.

> rob
>
> > I plan for a big migration and full support of the AIX user attributes is one of the prerequisites.
[Freeipa-users] support for rfc2307AIX schema in IPA server
Hello,

Does anybody know if the rfc2307aix schema is supported in IPA server (I use the Red Hat IdM version)? If yes, is there any documentation available? Was it tested?

I plan for a big migration and full support of the AIX user attributes is one of the prerequisites.