[Freeipa-users] Re: Certmonger spawns many processes, causing huge load due to swapping

2019-05-23 Thread Jonathan Vaughn via FreeIPA-users
Well I've come up with a multi-pronged solution, after much
experimentation, that keeps load in the single digits throughout the entire
certmonger startup process.

First, I've learned more about zram swap, namely that the size
specification is not the physical ram used but the virtual swap size
created. From observation I've found a ~2.8:1 savings in memory between the
compression ratio of pages and duplicate pages not being stored multiple
times, when running FreeIPA and certmonger is consuming memory with forked
processes. So while the swap usage peaked at ~1.3GB the physical memory
usage of the swap was only ~462MB. This is important because it means I can
use more zram swap and avoid using a swapfile on the SD card entirely.
However, Fedora's zram swap configuration method by default doesn't allow
you to configure a swap size larger than physical memory as it's expecting
you to provide a factor X which it then uses to allocate 1/X memory to zram
swap, and due to it using BASH scripting math you can't specify decimals
(i.e. 0.5). So I copied the zram startup script to /opt and changed it to
use a different config parameter that directly specifies memory size, and
used 'systemctl edit zram-swap.service' to override the ShellExec for it to
use the modified script, allowing me to allocate a 2GB zram swap.

'systemctl edit zram-swap' :
[Service]
ExecStart=
ExecStart=/opt/zramstart

Diff of /opt/zramstart
# diff -bB /usr/sbin/zramstart /opt/zramstart
14a15
> [ -z "$SIZE" ] || zram_size=$SIZE
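Review bot: the added line copies $SIZE into zram_size with no validation beyond the empty-string check, so a mistyped or non-numeric value in the config reaches the device setup unchanged and can leave the Pi without the swap it depends on; guard it with a numeric check such as `case "$SIZE" in ''|*[!0-9]*) ;; *) zram_size=$SIZE ;; esac` (or whatever form the script's later code expects), and document where SIZE is meant to be set, since the diff does not show the config file that provides it.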


Second, I used 'systemctl edit certmonger.service' to modify Certmonger's
service file to specify CPUQuota to prevent it from clobbering all the
other normal processes when it fork bombs:
[Service]
CPUQuota=20%

Third, I disabled the certmonger service so it doesn't auto-start at boot
and instead created a systemd timer certmonger.timer that starts it 5
minutes after boot to allow everything else to start up first before it
gets hammered:
[Unit]
Description=Run certmonger after boot settles down

[Timer]
OnBootSec=5min

[Install]
WantedBy=timers.target

All of these changes *should* survive any system updates as well since no
systemd or similar files were edited directly, so that's an added bonus of
not having to remember to re-tweak things after an update.

With all of the above changes, I'm able to boot, FreeIPA services all start
as normal (except certmonger), then a few minutes later certmonger starts,
and load never goes above 10, mostly around 5, until certmonger's forked
processes all finish up finally. It takes about an hour, but that's ~2x
faster than letting it try to complete with no CPU Quota (even with the
modified zram swap - and without it, it simply runs out of memory if I
don't have additional swapfile which kills performance even more) as load
gets over 40 in short order and the system becomes mostly unresponsive.

Even during certmonger startup, DNS/LDAP/etc are responsive and thus the Pi
is usable for our purposes as a local replica to ensure that offices that
lack a full fat FreeIPA installation on real server hardware won't become
useless if their VPN connection to a site that does have a full
installation goes down. Ensuring local redundancy so that regular work can
continue as normal if there's a network outage is the goal of using the Pi
after all, and thus the desired result has been achieved after some
tinkering.

On Thu, May 16, 2019 at 5:37 PM Jonathan Vaughn 
wrote:

> The many certmonger processes exceed the available RAM (Pi 3 having 1GB)
> by a wide margin and cause heavy swapping as they all try to run at once,
> and the heavy swapping itself is the reason load gets so high. If it was
> one at a time they might still encounter some swapping (or might not, but
> it should be doable with just zram swap instead of needing physical swap,
> which would mean minimal load hit). I don't know if they wait on a lock at
> some point, but they're definitely all kicking off at nearly the same time
> and even if they end up pausing when they reach a certain point the system
> spends a long time swapping constantly trying to load all of the processes
> into memory at once.
>
> I haven't timed it but it takes at least double digit minutes for load to
> recover from 30+ to a "normal" load of less than 5 (at idle, with the other
> non-CA FreeIPA services running, and minimal activity, load is around 4 +-
> a bit).
>
> If we can't find a solution to tame certmonger's behavior I am considering
> just scheduling certmonger to run once a day or week or whatever at a
> preset time outside the normal operating hours for the office that the Pi
> happens to be located in, which would at least reduce the impact to just
> being very annoying.
>
> On Wed, May 15, 2019 at 9:00 PM Fraser Tweedale 
> wrote:
>
>> On Wed, May 15, 2019 at 05:15:38PM -0400, Rob Crittenden via
>> FreeIPA-users wrote:
>> > Jonathan Vaughn via FreeIPA-users wrote:
>> > > I previously had tested FreeIPA running on a Raspberry Pi 3B+ 
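The sizing arithmetic behind the zram change described above, as an added example rather than code from the post: it reads the kernel's mm_stat counters (here a constructed sample scaled to the post's ~1.3GB swapped / ~462MB resident figures), derives the effective compression ratio, and turns a RAM budget into a zram disksize that may legitimately exceed physical memory. The 70% budget and the /sys path fallback are assumptions of this example.

```python
"""Added example (not code from the list post): size a zram swap from the
compression ratio the kernel reports in /sys/block/zram0/mm_stat, instead
of the stock script's 'fraction of RAM' factor that the post patched around.
"""
from __future__ import annotations

from pathlib import Path

MIB = 1024 * 1024

# Constructed sample, scaled to the post's observation (~1.3 GB of swap in
# use, ~462 MB actually resident). Column order follows the kernel's mm_stat:
# orig_data_size compr_data_size mem_used_total mem_limit mem_used_max ...
SAMPLE_MM_STAT = "1363148800 387973120 484442112 0 484442112 9831 0 0"


def parse_mm_stat(line: str) -> dict[str, int]:
    """Pick the three byte counters needed for sizing out of an mm_stat line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("mm_stat needs at least orig/compr/mem_used_total")
    return {
        "orig": int(fields[0]),            # bytes the kernel thinks it swapped out
        "compr": int(fields[1]),           # bytes after compression
        "mem_used_total": int(fields[2]),  # bytes of RAM the device really holds
    }


def compression_ratio(stat: dict[str, int]) -> float:
    """Swapped bytes per resident byte (compression plus same-page dedup).

    An idle device holds nothing, so report 0.0 instead of dividing by zero.
    """
    if stat["mem_used_total"] == 0:
        return 0.0
    return stat["orig"] / stat["mem_used_total"]


def disksize_mib(ram_mib: int, budget_pct: int, ratio: float) -> int:
    """Virtual swap size that stays inside budget_pct of RAM once compressed.

    The result may exceed ram_mib, which the factor-based stock script
    cannot express; it is what lets a 1 GiB Pi carry a ~2 GiB zram swap.
    """
    if not 0 < budget_pct <= 100:
        raise ValueError("budget_pct must be in 1..100")
    if ratio <= 0:
        raise ValueError("ratio must be positive; measure it under load first")
    return int(ram_mib * budget_pct / 100 * ratio)


def read_mm_stat(path: Path = Path("/sys/block/zram0/mm_stat")) -> str:
    """Live counters when run on a host with zram, otherwise the sample."""
    try:
        return path.read_text()
    except OSError:
        return SAMPLE_MM_STAT


if __name__ == "__main__":
    stat = parse_mm_stat(read_mm_stat())
    ratio = compression_ratio(stat)
    print(f"swapped {stat['orig'] // MIB} MiB, resident "
          f"{stat['mem_used_total'] // MIB} MiB, ratio {ratio:.2f}:1")
    # Pi 3 numbers from the post: 1024 MiB RAM, let zram take up to 70% of it.
    print(f"suggested zram disksize: {disksize_mib(1024, 70, ratio)} MiB")
```

Measure the ratio while certmonger is actually forking, since an idle device reports nothing useful.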

[Freeipa-users] Re: Mapping freeipa's groups over AD

2019-05-23 Thread LUCAS GUILHERME DIEDRICH via FreeIPA-users
Actually, I think there should be some way to sync everything to AD 
programmatically, as I have more than 10k users, 390 groups and 1400 Linux hosts 
using sssd; I can't migrate my environment to AD as the primary data, then I should 
buy MS CAL licenses also. This is a mess, I'll look for a workaround somehow. 

Thanks for the help guys.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
You don’t need to set up a DNS server or Route 53 Zone, you can use the 
route53resolver. It allows a conditional forwarder for any domain you wish and 
you can point it straight at an IPA DNS server.
It’s built in to AWS: 
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-getting-started.html
+ https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
(Announcement: 
https://aws.amazon.com/blogs/aws/new-amazon-route-53-resolver-for-hybrid-clouds/
) and works great with IPA and even MS AD.

John

> On 23 May 2019, at 18:53, Stepan Vardanyan via FreeIPA-users 
>  wrote:
> 
> After a lot of replies I see that using VPN tunnels to reach servers is the 
> best option.
> 
> But, there is a DNS issue also. 
> I see two options with a private zone (both are unwanted for us):
> - set up DNS forwarding to our private DNS server in each AWS account (using 
> bind9 for example);
> - create in Route53 a zone with the exact same domain name and populate it with 
> actual SRV records (this one is pretty ugly).
> So, what about using public DNS domain in FreeIPA (say ipa.example.com)?



[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread Stepan Vardanyan via FreeIPA-users
After a lot of replies I see that using VPN tunnels to reach servers is the 
best option.

But, there is a DNS issue also. 
I see two options with a private zone (both are unwanted for us):
- set up DNS forwarding to our private DNS server in each AWS account (using 
bind9 for example);
- create in Route53 a zone with the exact same domain name and populate it with 
actual SRV records (this one is pretty ugly).
So, what about using public DNS domain in FreeIPA (say ipa.example.com)?


[Freeipa-users] Re: Mapping freeipa's groups over AD

2019-05-23 Thread Kristian Petersen via FreeIPA-users
The only option right now is a cross-forest trust with AD where AD is the
primary data store for users and groups.

On Thu, May 23, 2019 at 7:36 AM LUCAS GUILHERME DIEDRICH via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Yes, it would be awesome, as I use FreeIPA as the system responsible for handling
> user and group information, it would be nice to trust this to AD as I just
> want to use it for authentication.
>
> What should be the workaround for this? Sync users and groups to AD?
>
> Thanks.


-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Sumit Bose via FreeIPA-users
On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> On 23/05/2019 14:56, Rob Crittenden wrote:
> > lejeczek via FreeIPA-users wrote:
> >> hi guys,
> >>
> >> reading the official guide one may assume - I do - that "Using SSH Without
> >> Passwords" should work out-of-box (centos 7.6) - is such an assumption valid?
> >>
> >> For me this does not work - ssh still asks for passwords.
> >>
> >> If this is due to some failure/problem, then where to look and how to
> >> troubleshoot?
> > It's hard to know what you're doing, ssh from where to where, using what?
> >
> > rob
> 
> I made an assumption - which I see now was invalid - that some experts
> may know mentioned guide by heart and if I quoted something then the
> rest will be obvious - wrong, sorry.
> 
> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> Directory Machines for IdM Resources" which is about Kerberos I understand.
> 
> My hope was to have AD's clients be able to ssh (and maybe get to other
> things like Samba) without a password and with Kerberos.
> 
> I see IPA's users can do that between IPA's servers
> 
> ...
> 
> debug1: PAM: initializing for "tester1"
> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug1: userauth-request for user tester1 service ssh-connection method
> gssapi-with-mic [preauth]
> debug1: attempt 1 failures 0 [preauth]
> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> [preauth]
> debug1: Got no client credentials
> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> /home/tester1/.k5login
> Authorized to tester1, krb5 principal tester1@private
> (ssh_gssapi_krb5_cmdok)
> debug1: do_pam_account: called
> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> ...
> 
> But a Win10Pro which is an AD member, which I'm trying, when I ssh as an AD
> user then I do not see the above in the logs and such ssh (Win10's own feature)
> is asked for a password.
> 
> To sum up: AD's users off/from Win AD win-stations to IPA's
> members/clients with Kerberos if possible. (trust is already established
> and running)

Hi,

having a trust is the first requirement. Second is an ssh client on the
Windows side which can do GSSAPI authentication (recent versions of putty
can) and has GSSAPI authentication enabled (iirc this is not the default
for putty, so you have to switch it on manually). Next is that you have
to use the fully-qualified DNS name of the IPA client you want to log in
to. If all this is set and authentication still falls back to asking for a
password, please check with the klist command on the Windows client in
command.exe or the Powershell whether you already got a service ticket for
the IPA client. If this is missing please check if there is a
cross-realm ticket; it has a principal starting with 'krbtgt/' followed
by the IPA realm, an '@' sign and the AD realm. If this is missing as
well the issue is on the AD side and the client either does not try
GSSAPI at all or it does not get a cross-realm ticket from the local DC.

HTH

bye,
Sumit

> 
> many thanks, L.
> 
> 
> 

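The checks Sumit walks through, as an added example (not code from the reply) that parses Windows klist output and reports the first missing ticket in the order he gives: host ticket for the IPA client, then cross-realm krbtgt/IPA@AD, then the AD TGT. The realms, host name and klist excerpts are constructed placeholders, and the "Server:" line layout is an assumption about the Windows klist format.

```python
"""Added example (not from the list reply): the klist checks from the reply
above as a triage function. Realm names, host name and the klist excerpts
are constructed placeholders; the 'Server:' line layout follows the Windows
klist command the reply refers to (an assumption of this example).
"""
from __future__ import annotations

import re

# Windows klist prints one "Server: service/host @ REALM" line per cached ticket.
SERVER_RE = re.compile(r"^\s*Server:\s*(?P<svc>[^\s@]+)\s*@\s*(?P<realm>[^\s@]+)\s*$")

AD_REALM = "AD.EXAMPLE.COM"               # constructed
IPA_REALM = "IPA.EXAMPLE.COM"             # constructed
CLIENT_FQDN = "client1.ipa.example.com"   # constructed IPA client being sshed to

# Constructed klist excerpts for the outcomes the reply distinguishes.
KLIST_OK = """\
Current LogonId is 0:0x3e7
Cached Tickets: (3)
#0>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM
#1>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/IPA.EXAMPLE.COM @ AD.EXAMPLE.COM
#2>     Client: tester1 @ AD.EXAMPLE.COM
        Server: host/client1.ipa.example.com @ IPA.EXAMPLE.COM
"""
KLIST_CROSS_REALM_ONLY = """\
Cached Tickets: (2)
#0>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM
#1>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/IPA.EXAMPLE.COM @ AD.EXAMPLE.COM
"""
KLIST_TGT_ONLY = """\
Cached Tickets: (1)
#0>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM
"""


def cached_servers(klist_output: str) -> set[str]:
    """Service principals ('service/host@REALM', lower-cased) in klist output."""
    found: set[str] = set()
    for line in klist_output.splitlines():
        m = SERVER_RE.match(line)
        if m:
            found.add(f"{m['svc']}@{m['realm']}".lower())
    return found


def triage(klist_output: str, ad_realm: str, ipa_realm: str,
           client_fqdn: str) -> tuple[str, str]:
    """Apply the reply's checks in order and name the first missing ticket.

    Returns (stage, advice); stage is 'service', 'cross-realm', 'tgt-only'
    or 'no-tgt'. Principal comparison is case-insensitive because Windows
    klist upper-cases realms while the user may type host names in lower case.
    """
    servers = cached_servers(klist_output)

    def have(principal: str) -> bool:
        return principal.lower() in servers

    if have(f"host/{client_fqdn}@{ipa_realm}"):
        return "service", "service ticket present; look at sshd/GSSAPI on the IPA client"
    if have(f"krbtgt/{ipa_realm}@{ad_realm}"):
        return "cross-realm", ("cross-realm ticket present but no host ticket; connect "
                               "with the fully-qualified name and GSSAPI enabled")
    if have(f"krbtgt/{ad_realm}@{ad_realm}"):
        return "tgt-only", ("no cross-realm ticket: the client never tried GSSAPI or "
                            "the local DC did not issue krbtgt/IPA@AD (AD-side issue)")
    return "no-tgt", "no AD TGT at all; the user is not logged on with Kerberos"


if __name__ == "__main__":
    for name, out in (("ok", KLIST_OK), ("cross-realm only", KLIST_CROSS_REALM_ONLY),
                      ("tgt only", KLIST_TGT_ONLY), ("empty", "")):
        print(f"{name:17}: {triage(out, AD_REALM, IPA_REALM, CLIENT_FQDN)}")
```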


[Freeipa-users] Re: Login to Web UI

2019-05-23 Thread Markus Roth via FreeIPA-users
Hi Striker,

the output of error_log when trying to login is:

[Wed May 22 22:43:50.791861 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: Starting new HTTP connection (1): 
ipa3.roth.net:80
[Wed May 22 22:43:50.807169 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: http://ipa3.roth.net:80 "GET 
/ipa/session/cookie HTTP/1.1" 301 250
[Wed May 22 22:43:50.835158 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: Starting new HTTPS connection (1): 
ipa3.roth.net:443
[Wed May 22 22:43:50.959893 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.178.:43548] ipa: DEBUG: https://ipa3.roth.net:443 "GET 
/ipa/session/cookie HTTP/1.1" 200 0
[Wed May 22 22:43:51.040332 2019] [wsgi:error] [pid 21730:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed May 22 22:43:51.042095 2019] [wsgi:error] [pid 21730:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed May 22 22:43:51.043798 2019] [wsgi:error] [pid 21730:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: no ccache, need login
[Wed May 22 22:43:51.046018 2019] [wsgi:error] [pid 21730:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: 401 Unauthorized need login
[Wed May 22 22:43:51.086133 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed May 22 22:43:51.088151 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: WSGI KerberosLogin.__call__:
[Wed May 22 22:43:51.089993 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: no ccache, need login
[Wed May 22 22:43:51.092056 2019] [wsgi:error] [pid 21731:tid 2937889584] 
[remote 192.168.1.22:43548] ipa: DEBUG: 401 Unauthorized need login


[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread lejeczek via FreeIPA-users
On 23/05/2019 14:56, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> hi guys,
>>
reading the official guide one may assume - I do - that "Using SSH Without
Passwords" should work out-of-box (centos 7.6) - is such an assumption valid?
>>
>> For me this does not work - ssh still asks for passwords.
>>
>> If this is due to some failure/problem, then where to look and how to
>> troubleshoot?
> It's hard to know what you're doing, ssh from where to where, using what?
>
> rob

I made an assumption - which I see now was invalid - that some experts
may know mentioned guide by heart and if I quoted something then the
rest will be obvious - wrong, sorry.

"Using SSH Without Passwords" is a paragraph of "Using SSH from Active
Directory Machines for IdM Resources" which is about Kerberos I understand.

My hope was to have AD's clients be able to ssh (and maybe get to other
things like Samba) without a password and with Kerberos.

I see IPA's users can do that between IPA's servers

...

debug1: PAM: initializing for "tester1"
debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user tester1 service ssh-connection method
gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
[preauth]
debug1: Got no client credentials
debug1: ssh_gssapi_k5login_exists: Checking existence of file
/home/tester1/.k5login
Authorized to tester1, krb5 principal tester1@private
(ssh_gssapi_krb5_cmdok)
debug1: do_pam_account: called
Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
...

But a Win10Pro which is an AD member, which I'm trying, when I ssh as an AD
user then I do not see the above in the logs and such ssh (Win10's own feature)
is asked for a password.

To sum up: AD's users off/from Win AD win-stations to IPA's
members/clients with Kerberos if possible. (trust is already established
and running)

many thanks, L.







[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Angus Clarke via FreeIPA-users
I suspect OP is enquiring about ssh keys.

You need to tell your SSH client about your SSH private key (keep it safe) and 
paste the public component of your key pair into the SSH key field in the 
FreeIPA web admin screen for the user (the field is about a third of the way 
down the screen on the right.)

Each user needs their own SSH key pair; it can be generated by running:

ssh-keygen

use -t to specify the type of key to create (ed25519 is the latest and greatest 
but not supported on systems prior to CentOS 7.3 or thereabouts, if in doubt 
specify "dsa")

Regards
Angus

> On 23 May 2019 at 15:56 Rob Crittenden via FreeIPA-users 
>  wrote:
> 
> 
> lejeczek via FreeIPA-users wrote:
> > hi guys,
> > 
> > reading the official guide one may assume - I do - that "Using SSH Without
> > Passwords" should work out-of-box (centos 7.6) - is such an assumption valid?
> > 
> > For me this does not work - ssh still asks for passwords.
> > 
> > If this is due to some failure/problem, then where to look and how to
> > troubleshoot?
> It's hard to know what you're doing, ssh from where to where, using what?
> 
> rob


[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote:
> hi guys,
> 
> reading the official guide one may assume - I do - that "Using SSH Without
> Passwords" should work out-of-box (centos 7.6) - is such an assumption valid?
> 
> For me this does not work - ssh still asks for passwords.
> 
> If this is due to some failure/problem, then where to look and how to
> troubleshoot?
It's hard to know what you're doing, ssh from where to where, using what?

rob


[Freeipa-users] Windows Integration - Using SSH Without Passwords

2019-05-23 Thread lejeczek via FreeIPA-users
hi guys,

reading the official guide one may assume - I do - that "Using SSH Without
Passwords" should work out-of-box (centos 7.6) - is such an assumption valid?

For me this does not work - ssh still asks for passwords.

If this is due to some failure/problem, then where to look and how to
troubleshoot?

many thanks, L.





[Freeipa-users] Re: Mapping freeipa's groups over AD

2019-05-23 Thread LUCAS GUILHERME DIEDRICH via FreeIPA-users
Yes, it would be awesome, as I use FreeIPA as the system responsible for handling user 
and group information, it would be nice to trust this to AD as I just want to 
use it for authentication. 

What should be the workaround about this? sync users and groups to AD?

Thanks.


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s mostly for general redundancy and speed. Speed is both for load 
balancing and querying local servers first.
Say you don’t talk to IPA often and your cross-continental latency isn’t an 
issue, then running 1 server in Iceland would fit.

For us, the redundancy part is relatively important because our sites and DCs 
have to be able to run independently. We don’t want an issue in one DC or AWS 
account to affect another.
This way, we could have 9 out of 10 systems fail and still have a fast and 
reliable system. So far we had some cross connects fail, some undersea fibers 
broken and a few key expiration issues cause inter-DC connectivity issues, but 
it never caused any service interruption. Total cost of running multiple 
instances is negligible as long as you have a reasonable amount of automation 
in place, or as we could say: cattle, not pets.

John

> On 23 May 2019, at 09:11, Angus Clarke via FreeIPA-users 
>  wrote:
> 
> Hello
> 
> Best practices say to deploy 2-3 IPA servers per site (Deployment 
> Recommendations) however I've never really understood why. We run 2 IPA 
> servers in each of our primary DCs and then connect our smaller remote sites 
> to those IPA servers over IPSEC VPNs. For example, IPA clients in a small 
> site in Italy connect to an IPA server in London and an IPA server in Paris 
> (I haven't yet looked at service discovery.)
> 
> Regards
> Angus
> 
> 
>> On 22 May 2019 at 22:46 Alex Corcoles via FreeIPA-users 
>>  wrote:
>> 
>> 
>> Well, in that scenario site-to-site VPNs should not be too terrible (AWS 
>> provides one, for instance).
>> 
>> I think that certainly having a default install which is "safe" to 
>> expose to the Internet would be a very nice feature. However, I realize 
>> that has its cost and maybe its drawbacks, so of course I'm not sure if 
>> it's the best use of development time for the project.
>> 
>> I can say that it would be one of the top items in my features wishlist 
>> for FreeIPA*, but then again I'm neither a typical, nor paying, nor 
>> particularly smart customer, so I'm just talking here and I don't think 
>> I should be listened to much. I think VPNs also have a cost, so not having 
>> to set them up and maintain them is a huge plus in my book.
>> 
>> Cheers,
>> 
>> Álex
>> 
>> * the other two would be very low effort monitoring (e.g. a built-in 
>> health check URL or command line tool included in the default install) 
>> and low effort full backup/restore + recovery.
>> 
>> On 5/22/19 6:42 PM, Stepan Vardanyan via FreeIPA-users wrote:
>>> See this image to have basic understanding of our infrastructure - 
>>> https://imgur.com/a/R5c8BWW


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread Angus Clarke via FreeIPA-users
Hello

Best practices say to deploy 2-3 IPA servers per site (Deployment 
Recommendations) however I've never really understood why. We run 2 IPA servers 
in each of our primary DCs and then connect our smaller remote sites to those 
IPA servers over IPSEC VPNs. For example, IPA clients in a small site in Italy 
connect to an IPA server in London and an IPA server in Paris (I haven't yet 
looked at service discovery.)

Regards
Angus


> On 22 May 2019 at 22:46 Alex Corcoles via FreeIPA-users 
>  wrote:
> 
> 
> Well, in that scenario site-to-site VPNs should not be too terrible (AWS 
> provides one, for instance).
> 
> I think that certainly having a default install which is "safe" to 
> expose to the Internet would be a very nice feature. However, I realize 
> that has its cost and maybe its drawbacks, so of course I'm not sure if 
> it's the best use of development time for the project.
> 
> I can say that it would be one of the top items in my features wishlist 
> for FreeIPA*, but then again I'm neither a typical, nor paying, nor 
> particularly smart customer, so I'm just talking here and I don't think 
> I should be listened to much. I think VPNs also have a cost, so not having 
> to set them up and maintain them is a huge plus in my book.
> 
> Cheers,
> 
> Álex
> 
> * the other two would be very low effort monitoring (e.g. a built-in 
> health check URL or command line tool included in the default install) 
> and low effort full backup/restore + recovery.
> 
> On 5/22/19 6:42 PM, Stepan Vardanyan via FreeIPA-users wrote:
> > See this image to have basic understanding of our infrastructure - 
> > https://imgur.com/a/R5c8BWW


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s not too bad.

We have a similar setup somewhere, about 39 AWS accounts, some with multiple 
VPCs, three physical locations, one with two separate DCs (the others have one).
For AWS we simply add PCXes where possible with sg source rules, which makes it 
pretty secure. For other accounts we run OpenVPN or IPSec site-to-site.
The physical DCs have DirectConnect fiber attachments straight to AWS 
(expensive!) but also fallback IPSec tunnels (relatively cheap).

It’s all automated as well; we build IPA AMIs to auto-deploy IPA everywhere, 
and where we can’t deploy we run OpenVPN AMIs and when we can’t even do that we 
run IPSec.
Those deployments are done using Terraform and Ansible; this means that adding 
a new connection or account or client simply means adding two lines to a YAML 
file and deploying the change.

Doing all of this manually is also possible, but at that point you might ask 
yourself if looking for a better job/employer is less painful ;-)

John

> On 22 May 2019, at 18:42, Stepan Vardanyan via FreeIPA-users 
>  wrote:
> 
> See this image to have basic understanding of our infrastructure - 
> https://imgur.com/a/R5c8BWW


[Freeipa-users] Re: Mapping freeipa's groups over AD

2019-05-23 Thread Dirk Streubel via FreeIPA-users
Thanks a lot for this information Kristian.
It would be a great thing if FreeIPA had this option.

Regards 
Dirk