[Freeipa-users] Re: Proxmox pam authentication

2017-09-08 Thread Bob Rentschler via FreeIPA-users
You may want to look at authconfig for doing that in the future. I don't
think it will be overridden on update (that was a bug once, I believe), but
running it for some other reason could alter what you intend to be set up.
authconfig maintains a state file in /etc/sysconfig and will set things
as it was told to; manual changes are not registered, so "mysterious"
problems can occur months and years later if one is not careful.

On Fri, Sep 8, 2017 at 5:21 AM, Maciej Drobniuch via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hey
>
> So looking at the logs, sssd did not get any request.
> The solution was to add nss and pam into the sssd section of sssd.conf
>
> [sssd]
> services = sudo, ssh, nss, pam
>
> Thanks Kuba for your help! :)
>
> M.
>
> On Fri, Sep 8, 2017 at 10:02 AM, Maciej Drobniuch wrote:
>
>> This helps.
>> Thank you for the link!
>>
>>
>> M.
>>
>> On Thu, Sep 7, 2017 at 1:31 PM, Jakub Hrozek via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> On Thu, Sep 07, 2017 at 11:02:50AM +0200, Maciej Drobniuch via
>>> FreeIPA-users wrote:
>>> > Hey Freeipa users!
>>> >
>>> > Proxmox supports pam logins from webui and it is debian based.
>>> >
>>> > I've used the following guide to install freeipa unofficial packages.
>>> > http://clusterfrak.com/sysops/app_installs/freeipa_clients/
>>> >
>>> > The ipa client installation went smoothly but... I can not see the
>>> users
>>> > and login.
>>> >
>>> > # id freeipauser
>>> > id: 'freeipauser': no such user
>>> >
>>> > Does someone know about a documentation for the detailed
>>> troubleshooting
>>> > steps that need to be taken to check pam/sssd/related.
>>>
>>> Start here:
>>> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>>> ___
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>
>>
>>
>>
>> --
>> Best regards
>>
>> Maciej Drobniuch
>> Network Security Engineer
>> Collective-Sense,LLC
>>
>
>
>
> --
> Best regards
>
> Maciej Drobniuch
> Network Security Engineer
> Collective-Sense,LLC
>
>
>
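Added example, not code from the thread or from the SSSD project: a small Python check, built around a constructed sssd.conf fragment, that reports whether the `[sssd]` `services=` line enables the nss and pam responders, which is exactly the omission the quoted message found (sssd never received a request because nothing was listening for NSS or PAM). The file path default and the hostnames are assumptions.

```python
import configparser
import sys

# Constructed sssd.conf fragments (not taken from the thread's systems),
# modelled on the fix above: the [sssd] services list lacked nss and pam,
# so no NSS lookup or PAM conversation ever reached SSSD.
SAMPLE_BEFORE = """\
[sssd]
services = sudo, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.example.test
"""

SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "services = sudo, ssh", "services = sudo, ssh, nss, pam"
)

# Responders that must be enabled before `id <user>` and PAM logins can work.
REQUIRED_FOR_LOGIN = ("nss", "pam")


def sssd_services(conf_text):
    """Return the lower-cased set of responders listed in [sssd] services=."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("sssd"):
        return set()
    raw = parser.get("sssd", "services", fallback="")
    return {item.strip().lower() for item in raw.split(",") if item.strip()}


def missing_services(conf_text, required=REQUIRED_FOR_LOGIN):
    """Responders from `required` that the configuration does not enable."""
    present = sssd_services(conf_text)
    return [name for name in required if name not in present]


def check_file(path="/etc/sssd/sssd.conf"):
    """CLI helper: report missing responders for an sssd.conf on disk."""
    with open(path, encoding="utf-8") as fh:
        missing = missing_services(fh.read())
    if missing:
        print(f"{path}: [sssd] services= is missing: {', '.join(missing)}")
    else:
        print(f"{path}: nss and pam responders are enabled")
    return missing


if __name__ == "__main__":
    check_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf")
```

Two caveats when using this against a real file: SSSD refuses to start unless sssd.conf is mode 0600, so run the check as root rather than loosening the permissions; and newer SSSD releases on systemd can socket-activate responders that are absent from `services=`, so treat a missing entry as a hint to confirm with `systemctl status sssd-nss sssd-pam` rather than as proof of the fault.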


[Freeipa-users] Re: Using AWS ELB with 2 FreeIPA servers

2017-08-08 Thread Bob Rentschler via FreeIPA-users
You may be overcomplicating things by using a load balancer; IPA does a
fairly good job of balancing things itself. For example, the default SSSD
config is to have this:

ipa_server = _srv_, 

meaning it will select which host to communicate with via the DNS service
records, which are automatically created. You can refine the server
selection by setting up locations if desired. This naturally is not perfect
but does have the additional advantage of being maintained by IPA. Adding a
third server updates everything for you so you don't have to reconfigure a
load balancer.

In short, do away with the load balancer; you shouldn't need it.

Bob

On Tue, Aug 8, 2017 at 9:06 AM, ridha.zorgui--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I set up a FreeIPA master and replica behind an elastic load balancer in
> AWS cloud. FreeIPA clients will be contacting the replica and the master
> server through the load balancer, so the DNS name used when configuring the
> clients is the ELB CNAME. The problem is when retrieving LDAP data and
> during the authentication, the SSL handshake fails as the certificate sent
> back from the master or replica has a hostname different than the one used
> in the sssd (the ELB CNAME), so the connection is terminated. There is a
> workaround, which is the use of reqcert=allow, but this brings a security
> issue with a MITM attack. Another solution I found is the use of SAN. I was
> able to add the ELB DNS as a SAN in the FreeIPA servers' certificate. I made
> sure it is there by downloading the certificate and checking that the ELB
> SAN exists, but when testing it the same problem remains. Please help.
>
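Added example, not code from the thread or from SSSD: a Python illustration of the `_srv_` mechanism Bob describes. It parses constructed `_ldap._tcp` SRV records of the kind IPA-managed DNS publishes for each server and orders them the way RFC 2782 prescribes (lowest priority first, weighted random draw within a priority level), which is why adding a replica only means one more SRV record rather than a load-balancer change. The zone name, hostnames, priorities and weights are made up.

```python
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV records in zone-file presentation format; every name here
# is an assumption for the example, not a host from the thread.
SAMPLE_ZONE = """\
; _ldap._tcp.example.test
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa1.example.test.
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa2.example.test.
_ldap._tcp.example.test. 86400 IN SRV 10 0 389 ipa-dr.example.test.
"""

_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(zone_text):
    """Parse SRV lines (text after ';' is a comment) into SrvRecord objects."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        match = _SRV_LINE.match(line)
        if match is None:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(int(match["prio"]), int(match["weight"]),
                                 int(match["port"]), match["target"].rstrip(".")))
    return records


def srv_order(records, seed=None):
    """Order targets as RFC 2782 prescribes: lowest priority first, then a
    weighted random draw within each priority level. A client tries the
    result in sequence, so a priority-10 host is contacted only after every
    priority-0 host has failed."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # weight-0 entries first (RFC 2782)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)  # inclusive on both ends
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def first_choice_counts(records, trials=1000, seed=0):
    """How often each target would be tried first; shows the weight split."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = srv_order(records, seed=rng.random())[0]
        counts[first.target] = counts.get(first.target, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE)
    print([f"{r.target}:{r.port}" for r in srv_order(recs, seed=1)])
    print(first_choice_counts(recs))
```

To see what your own domain publishes, query `dig SRV _ldap._tcp.<your-domain>` and `_kerberos._udp.<your-domain>` against the IPA DNS; the weights and priorities you see there are the only knobs the `_srv_` setting uses, and they are maintained by IPA when replicas are added or removed.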


[Freeipa-users] Re: password reset privileges

2017-08-04 Thread Bob Rentschler via FreeIPA-users
Assigning roles to your user will fix that issue. The existing "User
Administrator" role may fit your needs, but I am unsure how restrictive
you want to be with permissions.

If you want to be more restrictive, a custom role with "System: Change User
password" permissions would seem to be the right way.

Make a privilege that contains only that permission (and any other missing
permissions down the road), add it to a new role, and then assign that role
to your user.


Bob

On Fri, Aug 4, 2017 at 10:12 AM, Tiemen Ruiten via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> I set up an LDAP User Federation in Keycloak to our FreeIPA domain.
> Unfortunately, the password reset functionality appears to only work when
> the user Keycloak binds as is in the admins group. I tried both the User
> Administrator and helpdesk roles, but always got this error:
>
> Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 -
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> 'uid=x,cn=users,cn=accounts,dc=example,dc=com'
>
> Is there a way to allow password resets without adding the keycloak bind
> user to the admins group?
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
>
>
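Added example, not from the thread: a Python helper that issues the ipa CLI steps Bob outlines (a privilege holding only "System: Change User password", a role holding that privilege, the bind account as the role's member) and skips the create steps when the objects already exist. The privilege and role names and the account keycloak-bind are constructed; the command runner is injectable so the sequence can be checked without an IPA server.

```python
import subprocess

# Built-in permission named in the thread; the privilege/role names and the
# bind account are constructed for this example.
PERMISSION = "System: Change User password"
DEFAULT_PRIVILEGE = "Password Reset Helper"
DEFAULT_ROLE = "Password Reset Operators"


def run_ipa(argv):
    """Default runner: invoke the real ipa CLI (needs an admin Kerberos
    ticket) and return its exit status. *-show commands exit non-zero when
    the object does not exist, which the idempotency checks rely on."""
    return subprocess.run(["ipa", *argv], capture_output=True, text=True).returncode


def ensure_password_reset_role(bind_user, privilege=DEFAULT_PRIVILEGE,
                               role=DEFAULT_ROLE, runner=run_ipa):
    """Build privilege -> role -> member so `bind_user` can reset passwords
    and nothing more. Returns the ipa commands issued, in order."""
    issued = []

    def ipa(*argv):
        issued.append(list(argv))
        return runner(list(argv))

    if ipa("privilege-show", privilege) != 0:
        ipa("privilege-add", privilege, "--desc=Reset user passwords only")
    # Adding a permission, privilege or member that is already present is
    # reported by ipa as a failure but leaves the object unchanged, so these
    # calls are safe to repeat on every run.
    ipa("privilege-add-permission", privilege, f"--permissions={PERMISSION}")
    if ipa("role-show", role) != 0:
        ipa("role-add", role, "--desc=May reset user passwords, nothing else")
    ipa("role-add-privilege", role, f"--privileges={privilege}")
    ipa("role-add-member", role, f"--users={bind_user}")
    return issued


if __name__ == "__main__":
    for argv in ensure_password_reset_role("keycloak-bind"):
        print("ipa", " ".join(argv))
```

One behaviour to plan for: a password set by anyone other than the user (this bind account included) is marked expired by IPA, so the user is forced to choose a new one at the next login; that is by design and is the reason this narrow permission is preferable to membership in admins.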


[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Bob Rentschler via FreeIPA-users
> tag=101
> > > nentries=1 etime=0
> >
> > It is the err I was looking for. err=0 is good, though there are
> others
> > that can be acceptable as well depending on context. In this case one
> > user was found with the e-mail address.
> >
> > > it also shows a few extras, I believe I need to tighten up what
> > > postfix looks for as these are queries related to the sending email
> > > account.
> > >
> > > [03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH
> > > base="cn=users,cn=accounts,dc=domain,dc=org" scope=2
> > > filter="(|(mail= > > from>)(mailAlternateAddress=))"
> attrs="uid"
> > > [03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0
> tag=101
> > > nentries=0 etime=0
> > > [03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH
> > > base="cn=users,cn=accounts,dc=notwise,dc=net" scope=2
> > > filter="(|(mail=@)(mailAlternateAddress=@ > > domain>))" attrs="uid"
> > > [03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0
> tag=101
> > > nentries=0 etime=0
> >
> > Hard to say without knowing your LDAP db but these could be perfectly
> > normal and expected. It is searching the right subtree and the query
> > format looks right, that's about all I can say :-)
> >
> > rob
> >
> > >
> > > Thanks!
> > > Bob
> > >
> > > On Thu, Aug 3, 2017 at 10:06 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > >
> > > Bob Rentschler via FreeIPA-users wrote:
> > > > This may be related to the issue discussed here:
> > > > https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/
> > > >
> > > > But it seems not to be, layer 8 is still open though.
> > > >
> > > > Using the instructions here
> > > > https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> > > > to enable postfix virtual users from FreeIPA I seem to have hit a
> > > > sticking point in that postfix is unable to fetch the mail attribute.
> > > >
> > > > This is the query filter I modified as per the referenced email in
> > > > the archive.
> > > >
> > > > query_filter = (&(objectclass=posixaccount)(mail=%s))
> > > >
> > > > When run from postmap it gets nothing. If I change it for testing to
> > > > search by uid or another attribute it works as expected. A simple
> > > > filter like (uid=%s) works every time.
> > > >
> > > > This ldapsearch run using the postfix server's keytab as credentials
> > > > works as well:
> > > >
> > > > ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org
> > > > '(&(objectclass=posixaccount)(|(mail=validu...@example.org)))'
> > > >
> > > > The FreeIPA version is 4.4.4 running on Fedora 26
> > > >
> > > > Is there something I may be overlooking here? I dove off into IPA v4
> > > > permissions and everything *seems* ok, but it is my chief suspect
> > > > right now.
> > >
> > > When postmap gets nothing, is the LDAP query correct? What is the LDAP
> > > error code?
> > >
> > > The query you ran doesn't match the query_filter you posted. I mention
> > > it in case this wasn't just a typo in the e-mail.
> > >
> > > rob
> > >
> > >
> >
> >
>
>


[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Bob Rentschler via FreeIPA-users
It seems the postfix problem was of my creation. I reset the postfix config
file to a copy of the default, re-did everything a step at a time, and it
all worked. Who knows what I had in there screwing it up; I still can't find
it when I compare them.

To sum it up, under IPA v4 you need to in one way or another make sure the
mail attribute(s) can be read.

Perhaps this is a candidate for a new default permission/privilege/role for
services feature request?

Bob

On Thu, Aug 3, 2017 at 10:42 AM, Rob Crittenden wrote:

> Bob Rentschler wrote:
> > The query mismatch was a typo/mispaste, sorry about that.
> >
> > It was indeed at least partly permissions in the LDAP server, likely
> > because a service is running the query.
> >
> > I solved the freeipa permissions with the below command, which is likely
> > bad in some way but did allow postmap to return the
> > desired attributes:
> >
> > ipa permission-mod "System: Read User Standard Attributes"
> > --includedattrs=mail --includedattrs=mailAlternateAddress
> >
> > The attributes have been changed today; I am
> > using (|(mail=%s)(mailAlternateAddress=%s)) now that the simple
> > (mail=%s) works.
> >
> > Is there a better or more proper way? That one seems to allow anonymous
> > enumeration of email accounts, which isn't a huge
> > problem for me, but I could see cases where it would be. It also seems a
> > waste to set up gssapi and TLS then weaken the LDAP
> > ACI's.
>
> You could use "System: Read User Addressbook Attributes" instead which
> requires an authenticated user.
>
> >
> > When I looked in the access log of the LDAP server I saw no error codes
> > as such. Was /var/log/dirsrv/slapd-/access the wrong file to
> > look in?
>
> That's right but LDAP errors can be subtle.
>
> > The remaining issue is postmap returns results just fine, but postfix
> > itself somehow fails to read the ldap alias map. I'll beat my
> > head on that for a few hours now.
> >
> > For the interested, the relevant section of main.cf is
> >
> > virtual_alias_domains = domain.org
> > virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> >
> > All of the TLS functions are working properly, the directory server
> > shows this when postfix connects:
> >
> >
> > [03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=0 SRCH
> > base="cn=users,cn=accounts,dc=domain,dc=ord" scope=2
> > filter="(|(mail=existing_u...@domain.org)(mailAlternateAddress=existing_u...@domain.org))"
> > attrs="uid"
> > [03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=0 RESULT err=0 tag=101
> > nentries=1 etime=0
>
> It is the err I was looking for. err=0 is good, though there are others
> that can be acceptable as well depending on context. In this case one
> user was found with the e-mail address.
>
> > it also shows a few extras, I believe I need to tighten up what postfix
> > looks for as these are queries related to the sending email account.
> >
> > [03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH
> > base="cn=users,cn=accounts,dc=domain,dc=org" scope=2
> > filter="(|(mail= > from>)(mailAlternateAddress=))"
> attrs="uid"
> > [03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0 tag=101
> > nentries=0 etime=0
> > [03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH
> > base="cn=users,cn=accounts,dc=notwise,dc=net" scope=2
> > filter="(|(mail=@)(mailAlternateAddress=@ > domain>))" attrs="uid"
> > [03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0 tag=101
> > nentries=0 etime=0
>
> Hard to say without knowing your LDAP db but these could be perfectly
> normal and expected. It is searching the right subtree and the query
> format looks right, that's about all I can say :-)
>
> rob
>
> >
> > Thanks!
> > Bob
> >
> > On Thu, Aug 3, 2017 at 10:06 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > Bob Rentschler via FreeIPA-users wrote:
> > > This may be related to the issue discussed here:
> > > https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Bob Rentschler via FreeIPA-users
The query mismatch was a typo/mispaste, sorry about that.

It was indeed at least partly permissions in the LDAP server, likely
because a service is running the query.

I solved the freeipa permissions with the below command, which is likely
bad in some way but did allow postmap to return the
desired attributes:

ipa permission-mod "System: Read User Standard Attributes"
--includedattrs=mail --includedattrs=mailAlternateAddress

The attributes have been changed today; I am
using (|(mail=%s)(mailAlternateAddress=%s)) now that the simple (mail=%s)
works.

Is there a better or more proper way? That one seems to allow anonymous
enumeration of email accounts, which isn't a huge
problem for me, but I could see cases where it would be. It also seems a
waste to set up gssapi and TLS then weaken the LDAP
ACI's.

When I looked in the access log of the LDAP server I saw no error codes as
such. Was /var/log/dirsrv/slapd-/access the wrong file to look in?

The remaining issue is postmap returns results just fine, but postfix itself
somehow fails to read the ldap alias map. I'll beat my
head on that for a few hours now.

For the interested, the relevant section of main.cf is

virtual_alias_domains = domain.org
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

All of the TLS functions are working properly, the directory server shows
this when postfix connects:


[03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=0 SRCH
base="cn=users,cn=accounts,dc=domain,dc=ord" scope=2
filter="(|(mail=existing_u...@domain.org)(mailAlternateAddress=existing_u...@domain.org))"
attrs="uid"
[03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=0 RESULT err=0 tag=101
nentries=1 etime=0

it also shows a few extras, I believe I need to tighten up what postfix
looks for as these are queries related to the sending email account.

[03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH
base="cn=users,cn=accounts,dc=domain,dc=org" scope=2
filter="(|(mail=)(mailAlternateAddress=))" attrs="uid"
[03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH
base="cn=users,cn=accounts,dc=notwise,dc=net" scope=2
filter="(|(mail=@)(mailAlternateAddress=@))" attrs="uid"
[03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0 tag=101
nentries=0 etime=0

Thanks!
Bob

On Thu, Aug 3, 2017 at 10:06 AM, Rob Crittenden wrote:

> Bob Rentschler via FreeIPA-users wrote:
> > This may be related to the issue discussed here:
> > https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/
> >
> > But it seems not to be, layer 8 is still open though.
> >
> > Using the instructions here
> > https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> > to enable postfix virtual users from FreeIPA I seem to have hit a
> > sticking point in that postfix is unable to fetch the mail attribute.
> >
> > This is the query filter I modified as per the referenced email in the
> > archive.
> >
> > query_filter = (&(objectclass=posixaccount)(mail=%s))
> >
> > When run from postmap it gets nothing. If I change it for testing to
> > search by uid or another attribute it works as expected. A simple filter
> > like (uid=%s) works every time.
> >
> > This ldapsearch run using the postfix server's keytab as credentials
> > works as well:
> >
> > ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org
> > '(&(objectclass=posixaccount)(|(mail=validu...@example.org)))'
> >
> > The FreeIPA version is 4.4.4 running on Fedora 26
> >
> > Is there something I may be overlooking here? I dove off into IPA v4
> > permissions and everything *seems* ok, but it is my chief suspect right
> > now.
>
> When postmap gets nothing, is the LDAP query correct? What is the LDAP
> error code?
>
> The query you ran doesn't match the query_filter you posted. I mention
> it in case this wasn't just a typo in the e-mail.
>
> rob
>
>
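Added example, not from the thread or from 389-ds: a Python script that reads access-log lines of the shape quoted in this message and the previous one, pairs each SRCH with its RESULT by conn/op, and classifies the outcome. It makes Rob's remark that "LDAP errors can be subtle" concrete: a filter on an attribute the bound identity is not allowed to read simply never matches, and the server logs that as err=0 with nentries=0, not as an access error, which is why the ACI change was the fix here. The log excerpt, hostnames and addresses are constructed; the only real file involved is the access log under /var/log/dirsrv/ that the thread mentions.

```python
import re
import sys
from collections import OrderedDict

# Constructed 389-ds access-log excerpt in the same shape as the lines quoted
# in the thread; connections, timestamps, names and addresses are made up.
SAMPLE_LOG = """\
[03/Aug/2017:10:18:31.380000000 -0400] conn=95 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/Aug/2017:10:18:31.380200000 -0400] conn=95 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=smtp/mail.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(|(mail=alice@example.test)(mailAlternateAddress=alice@example.test))" attrs="uid"
[03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Aug/2017:10:18:32.201190867 -0400] conn=95 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(|(mail=bob@example.test)(mailAlternateAddress=bob@example.test))" attrs="uid"
[03/Aug/2017:10:18:32.201454459 -0400] conn=95 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[03/Aug/2017:10:18:33.000100000 -0400] conn=96 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=tset" scope=2 filter="(uid=carol)" attrs=ALL
[03/Aug/2017:10:18:33.000500000 -0400] conn=96 op=1 RESULT err=32 tag=101 nentries=0 etime=0
"""

_SRCH = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)" attrs=(?P<attrs>"[^"]*"|\S+)'
)
_RESULT = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)'
)

# LDAP result codes (RFC 4511) that come up in this kind of troubleshooting.
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
            50: "insufficientAccessRights", 53: "unwillingToPerform"}


def verdict(err, nentries):
    """Turn an err/nentries pair into the thing to check next."""
    if err != 0:
        return f"error {err} ({LDAP_ERR.get(err, 'see RFC 4511 section 4.1.9')})"
    if nentries == 0:
        # A filter on an attribute the bound identity may not read never
        # matches; the server reports success with zero entries, not an
        # access error, so the ACI on that attribute is a prime suspect.
        return "no match: check the filter and that the bind identity may read the filtered attributes"
    return "ok"


def correlate_searches(log_text):
    """Pair every SRCH with its RESULT on the same (conn, op) and summarise."""
    pending = OrderedDict()
    rows = []
    for line in log_text.splitlines():
        m = _SRCH.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            pending[key] = {"conn": key[0], "op": key[1], "base": m["base"],
                            "filter": m["filter"], "attrs": m["attrs"].strip('"')}
            continue
        m = _RESULT.search(line)
        if m:
            srch = pending.pop((int(m["conn"]), int(m["op"])), None)
            if srch is None:
                continue  # RESULT of a BIND/MOD/etc. that we are not tracking
            err, n = int(m["err"]), int(m["nentries"])
            srch.update(err=err, nentries=n, verdict=verdict(err, n))
            rows.append(srch)
    return rows


def report(log_text):
    """One line per search: ids, outcome, filter and what to look at next."""
    lines = []
    for r in correlate_searches(log_text):
        lines.append(f"conn={r['conn']} op={r['op']} err={r['err']} "
                     f"nentries={r['nentries']} filter={r['filter']} -> {r['verdict']}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it against a copy of the access log to see every postfix lookup at a glance; the base typo in the constructed conn=96 line shows what a genuinely wrong query looks like (err=32), as opposed to the silent err=0/nentries=0 that an unreadable attribute produces.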


[Freeipa-users] FreeIPA and postfix issue.

2017-08-02 Thread Bob Rentschler via FreeIPA-users
This may be related to the issue discussed here:
https://lists.fedorahosted.org/archives/list/freeipa-
us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/

But it seems not to be, layer 8 is still open though.

Using the instructions here
https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
to enable postfix virtual users from FreeIPA I seem to have hit a sticking
point in that postfix is unable to fetch the mail attribute.

This is the query filter I modified as per the referenced email in the
archive.

query_filter = (&(objectclass=posixaccount)(mail=%s))

When run from postmap it gets nothing. If I change it for testing to search
by uid or another attribute it works as expected. A simple filter like
(uid=%s) works every time.

This ldapsearch run using the postfix server's keytab as credentials works
as well:

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org
'(&(objectclass=posixaccount)(|(mail=validu...@example.org)))'

The FreeIPA version is 4.4.4 running on Fedora 26

Is there something I may be overlooking here? I dove off into IPA v4
permissions and everything *seems* ok, but it is my chief suspect right now.

Thanks!