[Freeipa-users] howto: mediawiki + IPA

2012-06-08 Thread Natxo Asenjo
hi,

This is a work in progress but maybe useful for someone.

http://test.asenjo.nl/index.php/Mediawiki_ipa

(feel free to use it for the freeipa.org wiki, I consider it public domain).
--
Groeten,
natxo
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] howto: mediawiki + IPA

2012-06-08 Thread Ondrej Hamada

On 06/08/2012 10:16 AM, Natxo Asenjo wrote:
> hi,
>
> This is a work in progress but maybe useful for someone.
>
> http://test.asenjo.nl/index.php/Mediawiki_ipa
>
> (feel free to use it for the freeipa.org wiki, I consider it public domain).

Hi Natxo,
good job! Thank you very much for the tutorial.

We have one tutorial for MediaWiki
(http://freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA),
but a different MediaWiki extension was used there. The usage of the LDAP
extension seems to be more elegant. I'm going to merge both tutorials,
so that potential users will be offered more options.

If you create any other tutorials, please share them with us. They will be
highly welcome.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada


Re: [Freeipa-users] howto: mediawiki + IPA

2012-06-08 Thread Natxo Asenjo
On Fri, Jun 8, 2012 at 12:37 PM, Ondrej Hamada  wrote:

>  On 06/08/2012 10:16 AM, Natxo Asenjo wrote:
>
> hi,
>
> This is work in progress but maybe useful for someone.
>
> http://test.asenjo.nl/index.php/Mediawiki_ipa
>
> (feel free to use it for the freeipa.org wiki, I consider it public
> domain).
>
> Hi Natxo,
> good job! Thank you very much for the tutorial.
>
> We have one tutorial for MediaWiki (
> http://freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA), but
> different MediaWiki extension was used there. The usage of LDAP extension
> seems to be more elegant. I'm going to merge both tutorials, so that
> potential users will be offered more options.
>
:0 I totally missed that tutorial. It's great if you can use some bits of
mine to improve the whole.


> If you create another tutorials, please share them with us. It will be
> highly welcomed.
>

will most certainly do.


-- 
groet,
natxo

Re: [Freeipa-users] HBAC rule refreshes and read-only slaves

2012-06-08 Thread Dmitri Pal
On 06/07/2012 09:22 PM, Cam McK wrote:
> Hello
>
>
> 2). We would also like to use FreeIPA in a trusted network but then
> have perhaps a read-only slave sitting in DMZ with the possibility of
> not containing the KDC or LDAP password stores on it, is this possible?
>  (Basically authentication being done by a different PAM module, but
> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
> slurping down the required LDAP info?
>
I suggest using an LDAP directory that can do proxy operations or proxy
authentications. You might consider 389 and sync in some user accounts
and groups while using PAM pass-through capabilities. I think recent
upstream versions of 389 made this configuration possible but you need
to check with them. #389 on freenode is your best bet.
OpenLDAP has some capabilities that might be of value here too.

I am not quite sure what you are trying to accomplish here so a bit more
details would be helpful.


> Many Thanks
> Campbell
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] HBAC rule refreshes and read-only slaves

2012-06-08 Thread Nathan Kinder

On 06/08/2012 07:26 AM, Dmitri Pal wrote:
> On 06/07/2012 09:22 PM, Cam McK wrote:
>> Hello
>>
>> 2). We would also like to use FreeIPA in a trusted network but then
>> have perhaps a read-only slave sitting in DMZ with the possibility of
>> not containing the KDC or LDAP password stores on it, is this possible?
>> (Basically authentication being done by a different PAM module, but
>> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
>> slurping down the required LDAP info?
>
> I suggest using an LDAP directory that can do proxy operations or
> proxy authentications. You might consider 389 and sync in some user
> accounts and groups while using PAM pass-through capabilities. I think
> recent upstream versions of 389 made this configuration possible but
> you need to check with them. #389 on freenode is your best bet.
>
> OpenLDAP has some capabilities that might be of value here too.

389 can consult PAM to authenticate a user when performing an LDAP BIND
operation.  This would probably take care of the authentication piece of
the puzzle.

You would also need to use fractional replication to avoid replicating
things like passwords or Kerberos related attributes to the DMZ LDAP
server.  Fractional replication can only trim out specific attributes.
It does not allow you to select portions of the tree to replicate at the
entry level.  This would mean that all of your user accounts would need
to be replicated out to the DMZ LDAP server, but you could trim
sensitive attributes.

> I am not quite sure what you are trying to accomplish here so a bit
> more details would be helpful.

More details would definitely help.  I don't think you can easily
accomplish what you want right now.  It could be possible with a lot of
manual configuration of 389 on both the IPA and DMZ LDAP server sides,
but I don't think anyone has set things up in this way with IPA before.

-NGK
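An added example of the two pieces Nathan names, a fractional replication agreement on the IPA side and PAM pass-through on the DMZ side, written as a shell script that emits 389 Directory Server LDIF. It is not code from the thread or from the FreeIPA project. The suffix dc=example,dc=test, the consumer host ldap-dmz.example.test, the replication manager DN, the PAM service name and the starting list of excluded attributes are assumptions for illustration; the attribute list in particular has to be audited against the schema actually present on the master.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: 389 DS LDIF for a
# DMZ consumer that receives accounts and groups but no credentials.
# Hostnames, suffix, bind DN, PAM service and the attribute list are assumptions.
set -eu

# Attributes that must never leave the trusted network. Constructed starting
# list; audit your own schema for further secret-bearing attributes.
SECRET_ATTRS="userPassword krbPrincipalKey krbExtraData passwordHistory sambaNTPassword sambaLMPassword"

# 389 names replica and agreement containers under cn=mapping tree with the
# suffix escaped: "dc=example,dc=test" becomes "dc\3Dexample\2Cdc\3Dtest".
escape_suffix() {
  printf '%s' "$1" | sed -e 's/=/\\3D/g' -e 's/,/\\2C/g'
}

# Agreement on the IPA master pushing SUFFIX to the DMZ consumer. SECRET_ATTRS
# is excluded from incremental updates (nsDS5ReplicatedAttributeList) and,
# explicitly, from total re-initialisation (nsDS5ReplicatedAttributeListTotal).
gen_agreement_ldif() {
  master_suffix="$1"; consumer_host="$2"; bind_dn="$3"
  esc="$(escape_suffix "$master_suffix")"
  cat <<EOF
dn: cn=to-dmz,cn=replica,cn=$esc,cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsds5replicationagreement
cn: to-dmz
nsDS5ReplicaRoot: $master_suffix
nsDS5ReplicaHost: $consumer_host
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: $bind_dn
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: CHANGE-ME
nsDS5ReplicatedAttributeList: (objectclass=*) \$ EXCLUDE $SECRET_ATTRS
nsDS5ReplicatedAttributeListTotal: (objectclass=*) \$ EXCLUDE $SECRET_ATTRS
EOF
}

# PAM pass-through on the DMZ consumer: a simple BIND is answered by the PAM
# stack (pointed at the trusted-network KDC), never by a local userPassword.
# pamFallback FALSE forbids falling back to local passwords; pamSecure TRUE
# refuses pass-through binds that are not protected by TLS.
gen_pta_ldif() {
  pam_service="$1"
  cat <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: $pam_service
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
EOF
}

# After the first total init, the DMZ copy must hold none of SECRET_ATTRS.
# Prints the check; any output line from the grep means the agreement leaks.
gen_verify_cmd() {
  consumer_host="$1"; suffix="$2"
  alternation="$(printf '%s' "$SECRET_ATTRS" | tr ' ' '|')"
  printf 'ldapsearch -LLL -ZZ -H ldap://%s -D "cn=Directory Manager" -W -b "%s" "(uid=*)" %s | grep -E "^(%s):"\n' \
    "$consumer_host" "$suffix" "$SECRET_ATTRS" "$alternation"
}

# Usage with the assumed names: pipe each LDIF into ldapmodify on the server
# it belongs to (agreement on the IPA master, plugin on the DMZ consumer).
gen_agreement_ldif 'dc=example,dc=test' 'ldap-dmz.example.test' 'cn=replication manager,cn=config'
echo
gen_pta_ldif 'ldapserver'
echo
gen_verify_cmd 'ldap-dmz.example.test' 'dc=example,dc=test'
```

Two points a practitioner would check before trusting the DMZ server: the agreement sets nsDS5ReplicatedAttributeListTotal as well as nsDS5ReplicatedAttributeList, so a total re-initialisation of the consumer is subject to the same exclusion list as incremental updates rather than to whatever default applies; and the ldapsearch the script prints last must return nothing for any excluded attribute. As Nathan says, fractional replication hides attributes, not entries, so the DMZ copy still discloses every account name and group membership in the suffix.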

Re: [Freeipa-users] HBAC rule refreshes and read-only slaves

2012-06-08 Thread Dmitri Pal
On 06/08/2012 11:00 AM, Nathan Kinder wrote:
> On 06/08/2012 07:26 AM, Dmitri Pal wrote:
>> On 06/07/2012 09:22 PM, Cam McK wrote:
>>> Hello
>>>
>>>
>>> 2). We would also like to use FreeIPA in a trusted network but then
>>> have perhaps a read-only slave sitting in DMZ with the possibility
>>> of not containing the KDC or LDAP password stores on it, is this
>>> possible?
>>>  (Basically authentication being done by a different PAM module, but
>>> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
>>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
>>> slurping down the required LDAP info?
>>>
>> I suggest using an LDAP directory that can do proxy operations or
>> proxy authentications. You might consider 389 and sync in some user
>> accounts and groups while using PAM pass-through capabilities. I think
>> recent upstream versions of 389 made this configuration possible but
>> you need to check with them. #389 on freenode is your best bet.
>> OpenLDAP has some capabilities that might be of value here too.
> 389 can consult PAM to authenticate a user when performing an LDAP
> BIND operation.  This would probably take care of the authentication
> piece of the puzzle.
>
> You would also need to use fractional replication to avoid replicating
> things like passwords or Kerberos related attributes to the DMZ LDAP
> server.  Fractional replication can only trim out specific
> attributes.  It does not allow you to select portions of the tree to
> replicate at the entry level.  This would mean that all of your user
> accounts would need to be replicated out to the DMZ LDAP server, but
> you could trim sensitive attributes.
>>
>> I am not quite sure what you are trying to accomplish here so a bit
>> more details would be helpful.
> More details would definitely help.  I don't think you can easily
> accomplish what you want right now.  It could be possible with a lot
> of manual configuration of 389 on both the IPA and DMZ LDAP server
> sides, but I don't think anyone has set things up in this way with IPA
> before.
>

Yes, but you are definitely welcome to give it a try. We had in mind
that such request would emerge one day and would like to hear from you
about your progress.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-users] running ipa-server-install --uninstall hangs

2012-06-08 Thread Rob Crittenden

Steven Jones wrote:
> Hi,
>
> The replica server no longer exists, I bare metal kick-started it...so I need to
> get it to rejoin the domain, which it won't.
>
> Given all the other issues I'm wondering if a totally clean start isn't a plan
> now...

You can leave the DNS entries. The others you'll need to use ldapmodify
to remove the entry from defaultServerList and ldapdelete to remove the
entries from cn=masters.

rob

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Friday, 8 June 2012 3:02 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs
>
> Steven Jones wrote:
>> Hi,
>>
>> I must not be getting it.
>>
>> If I am un-installing and the dirsrv has been stopped as part of that process,
>> why does it need to restart, if I'm uninstalling?
>
> Because it needs to stop all the IPA services. The list of services is
> stored in LDAP.
>
>> If I run a host del shouldn't that remove all residual info for the ex-replica
>> in the db?
>
> No. It does not remove DNS records or replication agreements.
>
>> Alternatively how do I clean up so I can get the replica to rejoin the domain?
>
> Your best bet is to figure out why the dirsrv instance won't start.
>
> Trying to remove and restore everything manually can be a lot of work.
> Figuring out why dirsrv won't start is likely the path of least resistance.
>
> rob
>
>> 
>> From: Rob Crittenden [rcrit...@redhat.com]
>> Sent: Friday, 8 June 2012 10:04 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] running ipa-server-install --uninstall hangs
>>
>> It is hanging because the dirsrv instance isn't starting. Check for
>> AVCs, /var/log/messages, dmesg,
>> /var/log/dirsrv/slapd-YOURINSTANCE/errors to see if any errors are being
>> reported.
>>
>> Steven Jones wrote:
>>> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have
>>> residual info in the ldif output eg.,
>>>
>>> ==
>>> [root@vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif
>>> defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
>>> dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
>>> cn: vuwunicoipam002.ods.vuw.ac.nz
>>> dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>>> dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
>>> dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
>>> dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
>>> dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
>>> dnahostname: vuwunicoipam002.ods.vuw.ac.nz
>>> nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
>>> pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.
>>
>> The server wasn't uninstalled, right? Why wouldn't these still be there?
>>
>> rob
>>
>>> [root@vuwunicoipam005 slapd-ODS-VUW-AC-NZ]#
>>> ==
>>>
>>> I expected a zero return?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> 
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
>>> behalf of Steven Jones [steven.jo...@vuw.ac.nz]
>>> Sent: Friday, 8 June 2012 8:47 a.m.
>>> Cc: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
>>>
>>> Hi,
>>>
>>> I am trying to fix an ongoing problem with IPA and find that I cannot remove a
>>> replica from the domain...
>>>
>>> Screenshot attached...
>>>
>>> I also find that running a host del doesn't work and there is residual info in
>>> an ldif output of that replica...this then stops a bare metal rebuild of the
>>> replica being rejoined to the domain.  If I change the name and IP however it
>>> can be a replica.
>>>
>>> ideas please?
>>>
>>> regards
>>>
>>> Steven Jones
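Rob's cleanup, as an added example that is not part of the thread or of FreeIPA: a shell script that prints (or, with DRY_RUN=0, runs) the ldapmodify and ldapdelete operations for a replica that no longer exists. On a surviving master, ipa-replica-manage del HOST --force is the supported way to drop the replication agreement first; the script covers the entries Steven's grep still shows afterwards. The host names, the suffix, the DN of the entry holding defaultServerList (cn=default,ou=profile,SUFFIX) and the full DN of the DNA entry (the grep output is truncated) are assumptions; confirm them against your own userroot.ldif before running anything.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: generate the LDIF
# that removes a dead IPA replica's leftovers as Rob describes. Host names,
# suffix, and the DUA profile and DNA entry DNs are assumptions for illustration.
set -eu

# defaultServerList is a single-valued, space-separated list, so a dead host
# cannot be dropped with "delete: defaultServerList" plus one value; the whole
# value has to be replaced. Drop HOST from LIST and print what remains.
strip_host() {
  list="$1"; host="$2"; out=""
  for h in $list; do
    [ "$h" = "$host" ] && continue
    out="${out:+$out }$h"
  done
  printf '%s\n' "$out"
}

# LDIF for ldapmodify: replace defaultServerList in the DUA config profile.
# Refuses to leave clients with an empty server list.
gen_profile_ldif() {
  host="$1"; suffix="$2"; current="$3"
  remaining="$(strip_host "$current" "$host")"
  [ -n "$remaining" ] || { echo "refusing to empty defaultServerList" >&2; return 1; }
  printf 'dn: cn=default,ou=profile,%s\n' "$suffix"
  printf 'changetype: modify\nreplace: defaultServerList\ndefaultServerList: %s\n' "$remaining"
}

# DN of the dead master's service container under cn=masters. ldapdelete -r
# removes the KDC/KPASSWD/HTTP/DNS children with it; a non-leaf entry cannot
# be deleted on its own.
masters_dn() {
  printf 'cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# DN of the host's DNA range registration (assumed full DN; the thread's grep
# output is cut off after cn=posix-ids).
dna_dn() {
  printf 'dnaHostname=%s+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# Print (DRY_RUN=1, the default) or run the cleanup against a surviving master.
cleanup_dead_replica() {
  host="$1"; suffix="$2"; current="$3"; master="$4"
  bind='-x -D "cn=Directory Manager" -W -H ldap://'"$master"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "# ldapmodify $bind <<EOF"
    gen_profile_ldif "$host" "$suffix" "$current"
    echo "# EOF"
    echo "# ldapdelete $bind -r '$(masters_dn "$host" "$suffix")'"
    echo "# ldapdelete $bind '$(dna_dn "$host" "$suffix")'"
  else
    gen_profile_ldif "$host" "$suffix" "$current" |
      ldapmodify -x -D "cn=Directory Manager" -W -H "ldap://$master"
    ldapdelete -x -D "cn=Directory Manager" -W -H "ldap://$master" -r "$(masters_dn "$host" "$suffix")"
    ldapdelete -x -D "cn=Directory Manager" -W -H "ldap://$master" "$(dna_dn "$host" "$suffix")"
  fi
}

# Constructed example values, not the thread's real hosts: ipa2 is dead,
# ipa1 survives and still lists both in defaultServerList.
cleanup_dead_replica 'ipa2.example.test' 'dc=example,dc=test' \
  'ipa1.example.test ipa2.example.test' 'ipa1.example.test'
```

Run the dry run first and compare the printed DNs with the dn: lines from your own userroot.ldif; -W prompts for the Directory Manager password on each call, so for the live run use -y with a password file or run the three commands by hand. As Rob notes, a host del does not touch any of this, and the DNS records can stay as they are.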