[Freeipa-users] can ipa-client-install be updated to call username/password from a file?
Hi,

I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa client installation. I have it working with the following:

/usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp

While this works, while it runs, the admin_password value is visible in the output of a ps -ef command on the host when installing the ipa client.

# ps -ef |grep ipa
root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp

This represents a challenge to security, even though it's only minor (as in it's only there for a minute or so), but it's still there and it is the admin password.

Can ipa-client-install be updated to include a parameter to retrieve the admin password from a file? i.e.

/usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file /tmp/credentials -U --no-ntp

That would then protect the admin password. I am not familiar with python coding.

Thanks in advance,
Les

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?
On 10/01/2014 10:19 AM, Les Stott wrote:
> Hi,
>
> I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa client installation. I have it working with the following:
>
> /usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp
>
> While this works, while it runs, the admin_password value is visible in the output of a ps -ef command on the host when installing the ipa client.
>
> # ps -ef |grep ipa
> root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp
>
> This represents a challenge to security, even though it's only minor (as in it's only there for a minute or so), but it's still there and it is the admin password.
>
> Can ipa-client-install be updated to include a parameter to retrieve the admin password from a file? i.e.

Try it with '-W pwfile'.

t
Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?
On 01/10/14 08:19, Les Stott wrote:
> Hi,
>
> I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa client installation. I have it working with the following:
>
> /usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp
>
> While this works, while it runs, the admin_password value is visible in the output of a ps -ef command on the host when installing the ipa client.
>
> # ps -ef |grep ipa
> root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp
>
> This represents a challenge to security, even though it's only minor (as in it's only there for a minute or so), but it's still there and it is the admin password.
>
> Can ipa-client-install be updated to include a parameter to retrieve the admin password from a file? i.e.
>
> /usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file /tmp/credentials -U --no-ntp
>
> That would then protect the admin password. I am not familiar with python coding.
>
> Thanks in advance,
> Les

Hi Les,

in addition to the answers you have already received, you can create a user with the 'host enrollment' permission only, so even if the credentials are compromised the damage is minimized. I am using this on 4.0.3 but looking at an older installation the same seems available in 3.0 too.

Best Regards
Yiorgos
[Freeipa-users] freeipa 4.0.3 on RHEL/Centos7 calls fedora-domainname.service instead of rhel-domainname.service
Hi Martin,

not sure where to file a bug report as this is in limbo between Fedora and RHEL, so here it is: enrolling a 4.0.3 RHEL/Centos7 server fails with:

Configuring example.com as NIS domain.
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2790, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2771, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2735, in install
    configure_nisdomain(options=options, domain=cli_domain)
  File "/usr/sbin/ipa-client-install", line 1391, in configure_nisdomain
    services.knownservices.domainname.restart()
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in restart
    capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
subprocess.CalledProcessError: Command ''/bin/systemctl' 'restart' 'fedora-domainname.service'' returned non-zero exit status 6

Substituting fedora-domainname.service with rhel-domainname.service in /usr/lib/python2.7/site-packages/ipaplatform/fedora/services.py and /usr/lib/python2.7/site-packages/ipaplatform/services.py allows the installation to proceed.

Cheers,
Yiorgos
Re: [Freeipa-users] freeipa 4.0.3 on RHEL/Centos7 calls fedora-domainname.service instead of rhel-domainname.service
On 01/10/14 13:16, Martin Kosek wrote:
> Hello Yiorgos,
>
> Yes, this is a known issue that the upstream FreeIPA Copr build for CentOS/RHEL 7.0 has. We track it in this ticket:
> https://fedorahosted.org/freeipa/ticket/4562
>
> We would like to fix it within October. If you will be able to help with patches or testing, we would of course welcome it!
>
> HTH,
> Martin

Hi Martin,

Thank you for your reply and pointer. Yes, I would like to contribute to the best of my {avail,}ability. I am interested in making v4 work in EL7 as I am working towards deploying FreeIPA in the coming months and I would like to avoid starting with a version that is about to be superseded or doing it on Fedora for a production environment.

Best Regards,
Yiorgos
[Freeipa-users] error trying to re-setup ipa replica
Hi,

This is what I have.

ipa01 - master
ipa02 - replica
ipa03 - replica

ipa02 crashed, and re-setup. I used the gpg file from master and trying to re-create the replica:

ipa-replica-install ipa02.gpg

gives:

The host ipa02.local.zone already exists on the master server.
You should remove it before proceeding:
    % ipa host-del ipa02.local.zone

I login to the master server and if I do ipa-replica-manage list, it shows:

ipa02.local.zone: master

Trying to delete it with ipa host-del ipa02.local.zone fails saying:

ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

ipa-replica-manage del ipa02.local.zone fails saying:

'ipa01.local.zone' has no replication agreement for 'ipa02.local.zone'

I searched the mailing list and it was suggested that I should do a ldapsearch and ldapdelete. Here is the search:

ldapsearch -LLL -x -b cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01

dn: cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
objectClass: top
objectClass: nsContainer
cn: ipa02.local.zone

dn: cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 10
cn: KDC

dn: cn=KPASSWD,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=sp
 il
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 20
cn: KPASSWD

dn: cn=MEMCACHE,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=s
 pil
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 39
cn: MEMCACHE

dn: cn=HTTP,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 40
cn: HTTP

dn: cn=DNS,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 30
cn: DNS

I tried delete, but I get:

ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01'
ldap_bind: Server is unwilling to perform (53)
        additional info: Unauthenticated binds are not allowed

I have located that there is -W

ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01' -W

it asks for LDAP Password: Entering the password gives:

ldap_bind: Inappropriate authentication (48)

Can anyone who faced similar issues help me on how do I fix it?

Cheers,
Shashi
Re: [Freeipa-users] error trying to re-setup ipa replica
On 10/01/2014 10:20 AM, Shashi Dahal wrote:
> Hi,
>
> This is what I have.
>
> ipa01 - master
> ipa02 - replica
> ipa03 - replica
>
> ipa02 crashed, and re-setup. I used the gpg file from master and trying to re-create the replica:
>
> ipa-replica-install ipa02.gpg
>
> gives:
>
> The host ipa02.local.zone already exists on the master server.
> You should remove it before proceeding:
>     % ipa host-del ipa02.local.zone
>
> I login to the master server and if I do ipa-replica-manage list, it shows:
>
> ipa02.local.zone: master
>
> Trying to delete it with ipa host-del ipa02.local.zone fails saying:
>
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
>
> ipa-replica-manage del ipa02.local.zone fails saying:
>
> 'ipa01.local.zone' has no replication agreement for 'ipa02.local.zone'
>
> I searched the mailing list and it was suggested that I should do a ldapsearch and ldapdelete. Here is the search:
>
> ldapsearch -LLL -x -b cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
>
> dn: cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> objectClass: top
> objectClass: nsContainer
> cn: ipa02.local.zone
>
> dn: cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> objectClass: nsContainer
> objectClass: ipaConfigObject
> objectClass: top
> ipaConfigString: enabledService
> ipaConfigString: startOrder 10
> cn: KDC
>
> dn: cn=KPASSWD,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=sp
>  il
> objectClass: nsContainer
> objectClass: ipaConfigObject
> objectClass: top
> ipaConfigString: enabledService
> ipaConfigString: startOrder 20
> cn: KPASSWD
>
> dn: cn=MEMCACHE,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=s
>  pil
> objectClass: nsContainer
> objectClass: ipaConfigObject
> objectClass: top
> ipaConfigString: enabledService
> ipaConfigString: startOrder 39
> cn: MEMCACHE
>
> dn: cn=HTTP,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> objectClass: nsContainer
> objectClass: ipaConfigObject
> objectClass: top
> ipaConfigString: enabledService
> ipaConfigString: startOrder 40
> cn: HTTP
>
> dn: cn=DNS,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> objectClass: nsContainer
> objectClass: ipaConfigObject
> objectClass: top
> ipaConfigString: enabledService
> ipaConfigString: startOrder 30
> cn: DNS
>
> I tried delete, but I get:
>
> ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01'
> ldap_bind: Server is unwilling to perform (53)
>         additional info: Unauthenticated binds are not allowed
>
> I have located that there is -W
>
> ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01' -W
>
> it asks for LDAP Password: Entering the password gives:
>
> ldap_bind: Inappropriate authentication (48)
>
> Can anyone who faced similar issues help me on how do I fix it?
>
> Cheers,
> Shashi

I think you need to use Directory Manager's or admin's DN as a bind DN. The bind DN above seems wrong.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?
On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote:
> On 01/10/14 08:19, Les Stott wrote:
> > Hi,
> >
> > I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa client installation. I have it working with the following:
> >
> > /usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp
> >
> > While this works, while it runs, the admin_password value is visible in the output of a ps -ef command on the host when installing the ipa client.
> >
> > # ps -ef |grep ipa
> > root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp
> >
> > This represents a challenge to security, even though it's only minor (as in it's only there for a minute or so), but it's still there and it is the admin password.
> >
> > Can ipa-client-install be updated to include a parameter to retrieve the admin password from a file? i.e.
> >
> > /usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file /tmp/credentials -U --no-ntp
> >
> > That would then protect the admin password. I am not familiar with python coding.
> >
> > Thanks in advance,
> > Les
>
> Hi Les,
>
> in addition to the answers you have already received, you can create a user with the 'host enrollment' permission only, so even if the credentials are compromised the damage is minimized. I am using this on 4.0.3 but looking at an older installation the same seems available in 3.0 too.
>
> Best Regards
> Yiorgos

Or you can use OTPs. The OTPs were actually invented for exactly this use case. You register host and generate OTP at that time. Then you pass it to your enrollment script and it is used once.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
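The exposure Les describes (a secret in argv is readable by every local user through the process list) and the file-based alternative, as an added example that is not part of the thread or of FreeIPA's own code. The helper names, the stand-in command and the option names in demo() are this example's own assumptions; read_password_file() shows the ownership and mode checks a tool should make before trusting a credential file.

```python
"""Added example (not from the thread): why a password on the command line
leaks through ps, and what a password file must look like before a tool
reads it.  Helper names and the "-w"/"-W" option names are illustrative."""
import os
import stat
import subprocess
import tempfile


def write_password_file(password, directory=None):
    """Create a file holding the password that only its owner can read.
    mkstemp() creates the file with mode 0600, so there is no chmod race."""
    fd, path = tempfile.mkstemp(prefix="enroll-pw-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    return path


def read_password_file(path):
    """Return the first line of a password file, refusing files that other
    users could read or that the invoking user does not own."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s is not a regular file" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible; chmod 600 it" % path)
    if st.st_uid != os.geteuid():
        raise PermissionError("%s is not owned by the invoking user" % path)
    with open(path) as fh:
        return fh.readline().rstrip("\r\n")


def process_args(pid):
    """Return the argv of a running process as ps shows it to any local user."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as fh:   # Linux
            return fh.read().split(b"\0")[:-1]
    except OSError:                                        # fall back to ps
        out = subprocess.check_output(["ps", "-o", "args=", "-p", str(pid)])
        return out.split()


def secret_visible(argv, secret):
    """Start argv in the background and report whether the secret shows up in
    its process listing.  Popen returns only after the child has exec'd, so
    the listing already reflects the child's own argv."""
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL)
    try:
        return any(secret.encode() in arg for arg in process_args(proc.pid))
    finally:
        proc.kill()
        proc.wait()


def demo(secret):
    """Compare the two ways of handing a password to an enrollment command.
    'sh -c "sleep 30"' stands in for ipa-client-install so this runs anywhere."""
    stand_in = ["sh", "-c", "sleep 30", "ipa-client-install"]
    path = write_password_file(secret)
    try:
        results = {
            "argv_visible": secret_visible(stand_in + ["-w", secret], secret),
            "file_visible": secret_visible(stand_in + ["-W", path], secret),
            "file_roundtrip": read_password_file(path) == secret,
        }
        os.chmod(path, 0o644)              # simulate a careless copy of the file
        try:
            read_password_file(path)
            results["rejects_world_readable"] = False
        except PermissionError:
            results["rejects_world_readable"] = True
    finally:
        os.unlink(path)
    return results
```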
[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
We are trying to install Identity Manager for testing and learning purposes in a test lab environment. We have successfully installed the base product but have run into problems when trying to setup a domain trust to an AD server.

We are somewhat limited as to how we can change these systems and since they must function for replication of many different problems, we need to be cautious as to what we change. But they are crash and burn systems.

Both the RHEL V7 IdM server system and the W2008 R2 AD server are in the same subnet and the same dns zone. So that is the first question: can we create a domain trust between these two systems without placing one or the other in a different address subnet or changing the domain name?

I have tried changing the realm name for the linux server from lab.us.com for example to ipa.lab.us.com and then leaving the AD server in lab.us.com. That gets us a bit further but then we run into problems with what I believe is the kerberos configuration.

I have tried to deinstall and reinstall the ipa server but the installation is now failing. The ipa-server-install is failing with the following:

  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
Configuration of CA failed

This happens each time I try to uninstall and reinstall the ipa server on RHEL V7.

Looking at the latest log in /var/log/pki, I see this at the end of the log:

2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
2014-10-01 11:53:10 pkispawn: INFO ... initializing 'pki.deployment.initialization'
2014-10-01 11:53:10 pkispawn: ERROR ... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
2014-10-01 11:53:10 pkispawn: DEBUG ... Error Type: SystemExit
2014-10-01 11:53:10 pkispawn: DEBUG ... Error Message: 1
2014-10-01 11:53:10 pkispawn: DEBUG ...   File "/usr/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
    util.instance.verify_subsystem_does_not_exist()
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
    sys.exit(1)

I am no python expert by any means and I'm not sure what this is telling us so any help would be greatly appreciated.

Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com
Re: [Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> We are trying to install Identity Manager for testing and learning purposes in a test lab environment. We have successfully installed the base product but have run into problems when trying to setup a domain trust to an AD server.
>
> We are somewhat limited as to how we can change these systems and since they must function for replication of many different problems, we need to be cautious as to what we change. But they are crash and burn systems.
>
> Both the RHEL V7 IdM server system and the W2008 R2 AD server are in the same subnet and the same dns zone. So that is the first question: can we create a domain trust between these two systems without placing one or the other in a different address subnet or changing the domain name?

No. AD forest by design owns DNS domain of its forest root domain. I'd put it in an example.com case:

OK: AD as example.com, IPA as ipa.example.com subdomain
OK: AD as ad.example.com subdomain, IPA as example.com
OK: AD as example.com, IPA as example.org

Anything else would mean tripping over authority of one or another forest root domain and thus will not work.

> I have tried changing the realm name for the linux server from lab.us.com for example to ipa.lab.us.com and then leaving the AD server in lab.us.com. That gets us a bit further but then we run into problems with what I believe is the kerberos configuration.

Right, this should work as long as ipa.lab.us.com DNS domain has proper SRV records for IPA, as well as lab.us.com has proper SRV records for AD forest root domain.

> I have tried to deinstall and reinstall the ipa server but the installation is now failing. The ipa-server-install is failing with the following:
>
>   [37/38]: tuning directory server
>   [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/22]: creating certificate server user
>   [2/22]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
> Configuration of CA failed
>
> This happens each time I try to uninstall and reinstall the ipa server on RHEL V7.
>
> Looking at the latest log in /var/log/pki, I see this at the end of the log:
>
> 2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
> 2014-10-01 11:53:10 pkispawn: INFO ... initializing 'pki.deployment.initialization'
> 2014-10-01 11:53:10 pkispawn: ERROR ... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Type: SystemExit
> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Message: 1
> 2014-10-01 11:53:10 pkispawn: DEBUG ...   File "/usr/sbin/pkispawn", line 374, in main
>     rv = instance.spawn()
>   File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
>     util.instance.verify_subsystem_does_not_exist()
>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
>     sys.exit(1)
>
> I am no python expert by any means and I'm not sure what this is telling us so any help would be greatly appreciated.

This issue is known -- when CA install fails, we rollback but since CA isn't installed, we miss rolling it back. There is a ticket for eventually fixing this issue.

Following sequence should clean up all the bits:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat

It also helps to reboot between multiple reinstalls on a single machine.

--
/ Alexander Bokovoy
Re: [Freeipa-users] error trying to re-setup ipa replica [SOLVED]
Dmitri Pal wrote:
> On 10/01/2014 10:20 AM, Shashi Dahal wrote:
> > Hi,
> >
> > This is what I have.
> >
> > ipa01 - master
> > ipa02 - replica
> > ipa03 - replica
> >
> > ipa02 crashed, and re-setup. I used the gpg file from master and trying to re-create the replica:
> >
> > ipa-replica-install ipa02.gpg
> >
> > gives:
> >
> > The host ipa02.local.zone already exists on the master server.
> > You should remove it before proceeding:
> >     % ipa host-del ipa02.local.zone
> >
> > I login to the master server and if I do ipa-replica-manage list, it shows:
> >
> > ipa02.local.zone: master
> >
> > Trying to delete it with ipa host-del ipa02.local.zone fails saying:
> >
> > ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
> >
> > ipa-replica-manage del ipa02.local.zone fails saying:
> >
> > 'ipa01.local.zone' has no replication agreement for 'ipa02.local.zone'
> >
> > I searched the mailing list and it was suggested that I should do a ldapsearch and ldapdelete. Here is the search:
> >
> > ldapsearch -LLL -x -b cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> >
> > dn: cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> > objectClass: top
> > objectClass: nsContainer
> > cn: ipa02.local.zone
> >
> > dn: cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> > objectClass: nsContainer
> > objectClass: ipaConfigObject
> > objectClass: top
> > ipaConfigString: enabledService
> > ipaConfigString: startOrder 10
> > cn: KDC
> >
> > dn: cn=KPASSWD,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=sp
> >  il
> > objectClass: nsContainer
> > objectClass: ipaConfigObject
> > objectClass: top
> > ipaConfigString: enabledService
> > ipaConfigString: startOrder 20
> > cn: KPASSWD
> >
> > dn: cn=MEMCACHE,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=s
> >  pil
> > objectClass: nsContainer
> > objectClass: ipaConfigObject
> > objectClass: top
> > ipaConfigString: enabledService
> > ipaConfigString: startOrder 39
> > cn: MEMCACHE
> >
> > dn: cn=HTTP,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> > objectClass: nsContainer
> > objectClass: ipaConfigObject
> > objectClass: top
> > ipaConfigString: enabledService
> > ipaConfigString: startOrder 40
> > cn: HTTP
> >
> > dn: cn=DNS,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
> > objectClass: nsContainer
> > objectClass: ipaConfigObject
> > objectClass: top
> > ipaConfigString: enabledService
> > ipaConfigString: startOrder 30
> > cn: DNS
> >
> > I tried delete, but I get:
> >
> > ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01'
> > ldap_bind: Server is unwilling to perform (53)
> >         additional info: Unauthenticated binds are not allowed
> >
> > I have located that there is -W
> >
> > ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01' -W
> >
> > it asks for LDAP Password: Entering the password gives:
> >
> > ldap_bind: Inappropriate authentication (48)
> >
> > Can anyone who faced similar issues help me on how do I fix it?
> >
> > Cheers,
> > Shashi
>
> I think you need to use Directory Manager's or admin's DN as a bind DN. The bind DN above seems wrong.

Well, that is a brute-force way of fixing it and not recommended anyway. I'm glad the bind failed.

I chatted with him over IRC and we resolved it. He still had a replication agreement for ipa02 on ipa03 so he removed that and was able to re-install ipa02.

One needs to be careful when deleting a master to be sure that it is completely gone. If 389-ds still thinks there is a master floating around there it will accumulate a changelog for it.

rob
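The pre-flight check Rob's closing remark calls for, as an added example that is not from the thread or from FreeIPA: given LDIF exported with ldapsearch -LLL from each server (the cn=masters container plus the replication agreements under cn=mapping tree,cn=config), it lists every entry that still refers to the dead master. The LDIF embedded below is constructed for the example; its DN layout follows the output Shashi quoted and 389-ds's nsds5replicationagreement entries.

```python
"""Added example, not from the thread or from FreeIPA: find where a
"deleted" master is still referenced before re-running ipa-replica-install.
Input is LDIF as written by ldapsearch -LLL, including folded continuation
lines (a leading single space).  SAMPLE_LDIF is constructed."""

SAMPLE_LDIF = """\
dn: cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
objectClass: top
objectClass: nsContainer
cn: ipa02.local.zone

dn: cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
objectClass: ipaConfigObject
cn: KDC

dn: cn=KPASSWD,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc
 01
objectClass: ipaConfigObject
cn: KPASSWD

dn: fqdn=ipa02.local.zone,cn=computers,cn=accounts,dc=ipa,dc=dc01
objectClass: ipaHost
fqdn: ipa02.local.zone

dn: cn=meToipa02.local.zone,cn=replica,cn=dc\\3Dipa\\2Cdc\\3Ddc01,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa02.local.zone

dn: cn=meToipa03.local.zone,cn=replica,cn=dc\\3Dipa\\2Cdc\\3Ddc01,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa03.local.zone
"""


def unfold_ldif(text):
    """Join folded lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values]."""
    entries, entry = [], {}
    for line in unfold_ldif(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def stale_references(entries, dead_master):
    """Group the DNs that still mention dead_master: its cn=masters subtree
    (what makes ipa host-del refuse), replication agreements on other servers
    (what was left on ipa03), and anything else carrying its name."""
    dead = dead_master.lower()
    found = {"masters": [], "agreements": [], "other": []}
    for e in entries:
        dn = e.get("dn", [""])[0]
        dn_l = dn.lower()
        classes = [c.lower() for c in e.get("objectclass", [])]
        hosts = [h.lower() for h in e.get("nsds5replicahost", [])]
        if ",cn=masters," in dn_l and ("cn=%s," % dead) in dn_l:
            found["masters"].append(dn)
        elif "nsds5replicationagreement" in classes and dead in hosts:
            found["agreements"].append(dn)
        elif any(v.lower() == dead for vals in e.values() for v in vals):
            found["other"].append(dn)
    return found
```

Run it against the export from every remaining master, not only the one that reported "has no replication agreement": the agreement that blocks a re-install can live on any of them.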
Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?
Thanks to Dmitri, Petr, Tamas and Yiorgos for all your suggestions. I will try them out today.

Regards,
Les

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, 2 October 2014 3:09 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

> On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote:
> > On 01/10/14 08:19, Les Stott wrote:
> > > Hi,
> > >
> > > I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa client installation. I have it working with the following:
> > >
> > > /usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp
> > >
> > > While this works, while it runs, the admin_password value is visible in the output of a ps -ef command on the host when installing the ipa client.
> > >
> > > # ps -ef |grep ipa
> > > root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp
> > >
> > > This represents a challenge to security, even though it's only minor (as in it's only there for a minute or so), but it's still there and it is the admin password.
> > >
> > > Can ipa-client-install be updated to include a parameter to retrieve the admin password from a file? i.e.
> > >
> > > /usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file /tmp/credentials -U --no-ntp
> > >
> > > That would then protect the admin password. I am not familiar with python coding.
> > >
> > > Thanks in advance,
> > > Les
> >
> > Hi Les,
> >
> > in addition to the answers you have already received, you can create a user with the 'host enrollment' permission only, so even if the credentials are compromised the damage is minimized. I am using this on 4.0.3 but looking at an older installation the same seems available in 3.0 too.
> >
> > Best Regards
> > Yiorgos
>
> Or you can use OTPs. The OTPs were actually invented for exactly this use case. You register host and generate OTP at that time. Then you pass it to your enrollment script and it is used once.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.