[Freeipa-users] Automated Kickstart Enrollment
Hi folks,

I've got a question about kickstart enrollment with a one-time password. Namely, is there any way that it can be done *without* the one-time password? We're comfortable with the pre-creation of the host in IPA, but just wonder if there's a way to enrol without the one-time password.

The estate is Red Hat (mostly 6) and we deploy systems via kickstart from the Satellite. Can the Satellite push out a certificate from the IPA system that would allow the client to enrol without the OTP?

Our enrollment script runs as part of the kickstart postinstall with the OTP effectively sitting in plain text in the script. Removing the OTP would remove the plain text authentication from this script, but I may be opening other security holes as a result.

Cheers

Duncan Innes

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] free radiuse
On 09/03/2013 12:51 AM, Jason Prouty wrote:
> I have IPA-server installed and working for my linux servers. I have several cisco Routers 2821 and juniper FW that I would like to authenticate against IPA. I have a free radius .schema file.

First you have to tell us what authentication protocols these devices support. Then we can tell you the best approach.

FWIW adding radius schema to freeipa LDAP is *not* likely to be a viable option because many of the radius schema elements conflict with how IPA manages things. You're better off using the IPA schema and configuring FreeRADIUS to use it.

-- John
Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian
On 09/03/2013 01:50 PM, Timo Aaltonen wrote:
> On 03.09.2013 23:30, Nathan Kinder wrote:
> On 09/01/2013 01:35 PM, Timo Aaltonen wrote:
> On 01.09.2013 21:43, Dmitri Pal wrote:
> On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
> On 31.08.2013 00:04, Dmitri Pal wrote:
>
> Hello,
>
> Sorry for cross posting to 4 different lists but it seems that this is the best way to include most of the people who might be interested in this discussion. The question of "When will FreeIPA be available on Debian?" has been coming up periodically on the list(s) without any resolution. However it is clear that it would be beneficial for the community and the project.
>
> Hi,
>
> As you know, I've been packaging stuff for the past two years with the goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has been accomplished, but quite a bit is still missing too..
>
> Maybe it is time to try again? Let us see why it has not happened yet.
>
> 1) Some components need to be ported to Debian, especially Dogtag and a slew of its new RESTEasy dependencies. This requires time and quite an effort from someone familiar with the domain.
>
> Yes, this is the biggest blocker. Dogtag 9 is packaged in git and working, but I'm not going to push that to the distro. It can be used for testing the IPA server though, before we have Dogtag 10. Once the prereqs are in place the Dogtag git should be easy to rebase with 10.x. I did start packaging some of the dependencies, but hit a wall when some maven component needed a different release than another one.. AIUI this is a known issue with maven based projects..
>
> I would like to organize the effort to get Dogtag 10 ported to Debian. I know that there are a lot of dependencies needed for this to happen. I can create and maintain a wiki page to track all of the work that is needed to get this porting done. Do you have a list of Dogtag 10 dependencies that are not currently packaged for Debian that I can use as a starting point? Once we have a clear outline of what is needed, we can start trying to divide up and schedule the work.
>
> Alright, nice! This is the list I sent to debian-java a year ago, roughly in dependency order:

Great, this will help me get started. It might be a bit out of date, as I know that we worked on reducing the number of dependencies within the last year. I'll start with this and cross-reference with the current dependencies.

> codehaus-parent keytool-maven-plugin maven-help-plugin maven-idea-plugin maven-jarsigner-plugin maven-jxr maven-source-plugin geronimo-parent-poms geronimo-annotation plexus-mail-sender maven-release plexus-resources maven-checkstyle-plugin maven-pmd-plugin maven-anno-plugin maven-reporting-api maven-changes-plugin maven-deploy-plugin apache-james-project javamail base64coder gdata-java sonatype-oss-parent forge-parent mojo-parent maven-plugin-build-helper relaxngcc xsom glassfish-fastinfoset jvnet-parent glassfish-jaxb-api glassfish-dtd-parser stax-ex istack-commons rngom glassfish-jaxb maven-jaxb2-plugin jboss-parent jandex jboss-specs-parent jboss-annotations jetty-parent jetty-toolchain jetty-version-maven-plugin scannotation snakeyml resteasy
>
> There might be errors, now that I know that the fedora package of resteasy doesn't build everything to make the deps a bit easier?

Yes, resteasy was trimmed to make things easier.

> And at least codehaus-parent, mojo-parent and jetty-parent are packaged and pushed to git.debian.org but since I'm not a DD (yet) I can't upload them. The debian java policy means that the actual package names are like 'libmojo-parent-java' etc., in case you try to find a package.
>
> Do you have more details on the maven issue you were running up against?
>
> if my notes are to be trusted, it was that keytool-maven-plugin wants v16 of mojo-parent, and not v30 that is in git now..

Ok, I'll note it down and we can figure out the details when we try it again.

Thanks,
-NGK
Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian
Jumping in here, if someone is organizing a TODO list to get freeipa on debian, feel free to add porting/testing puppet-ipa to this. I'm the puppet-ipa [1] guy. I'm happy to work on that part whenever someone has a working debian freeipa install for me to use. Once it works or at least mostly, feel free to ping me somehow.

HTH,
James

[1] https://github.com/purpleidea/puppet-ipa
Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian
On 03.09.2013 23:30, Nathan Kinder wrote:
> On 09/01/2013 01:35 PM, Timo Aaltonen wrote:
> On 01.09.2013 21:43, Dmitri Pal wrote:
> On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
> On 31.08.2013 00:04, Dmitri Pal wrote:
>
> Hello,
>
> Sorry for cross posting to 4 different lists but it seems that this is the best way to include most of the people who might be interested in this discussion. The question of "When will FreeIPA be available on Debian?" has been coming up periodically on the list(s) without any resolution. However it is clear that it would be beneficial for the community and the project.
>
> Hi,
>
> As you know, I've been packaging stuff for the past two years with the goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has been accomplished, but quite a bit is still missing too..
>
> Maybe it is time to try again? Let us see why it has not happened yet.
>
> 1) Some components need to be ported to Debian, especially Dogtag and a slew of its new RESTEasy dependencies. This requires time and quite an effort from someone familiar with the domain.
>
> Yes, this is the biggest blocker. Dogtag 9 is packaged in git and working, but I'm not going to push that to the distro. It can be used for testing the IPA server though, before we have Dogtag 10. Once the prereqs are in place the Dogtag git should be easy to rebase with 10.x. I did start packaging some of the dependencies, but hit a wall when some maven component needed a different release than another one.. AIUI this is a known issue with maven based projects..
>
> I would like to organize the effort to get Dogtag 10 ported to Debian. I know that there are a lot of dependencies needed for this to happen. I can create and maintain a wiki page to track all of the work that is needed to get this porting done. Do you have a list of Dogtag 10 dependencies that are not currently packaged for Debian that I can use as a starting point? Once we have a clear outline of what is needed, we can start trying to divide up and schedule the work.

Alright, nice! This is the list I sent to debian-java a year ago, roughly in dependency order:

codehaus-parent keytool-maven-plugin maven-help-plugin maven-idea-plugin maven-jarsigner-plugin maven-jxr maven-source-plugin geronimo-parent-poms geronimo-annotation plexus-mail-sender maven-release plexus-resources maven-checkstyle-plugin maven-pmd-plugin maven-anno-plugin maven-reporting-api maven-changes-plugin maven-deploy-plugin apache-james-project javamail base64coder gdata-java sonatype-oss-parent forge-parent mojo-parent maven-plugin-build-helper relaxngcc xsom glassfish-fastinfoset jvnet-parent glassfish-jaxb-api glassfish-dtd-parser stax-ex istack-commons rngom glassfish-jaxb maven-jaxb2-plugin jboss-parent jandex jboss-specs-parent jboss-annotations jetty-parent jetty-toolchain jetty-version-maven-plugin scannotation snakeyml resteasy

There might be errors, now that I know that the fedora package of resteasy doesn't build everything to make the deps a bit easier?

And at least codehaus-parent, mojo-parent and jetty-parent are packaged and pushed to git.debian.org but since I'm not a DD (yet) I can't upload them. The debian java policy means that the actual package names are like 'libmojo-parent-java' etc., in case you try to find a package.

> Do you have more details on the maven issue you were running up against?

if my notes are to be trusted, it was that keytool-maven-plugin wants v16 of mojo-parent, and not v30 that is in git now..

-- t