Re: [Freeipa-users] KRA? 4.2?
On 07/10/2015 02:56 AM, Janelle wrote:
> Hello,
>
> I see 4.2 is released today with lots of cool new features. I think I understand the new Vault, but am not familiar with KRA? Wondering if there might be some information on what this is?
>
> ~Janelle

KRA (or DRM) is the Dogtag subsystem we use for Vault :-)

There is a lot of Vault related information on
https://www.freeipa.org/page/V4/Password_Vault
https://www.freeipa.org/page/V4/Password_Vault_Implementation

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Multiple CA certificates
On 07/09/2015 01:25 PM, Joseph, Matthew (EXP) wrote:
> Hello,
>
> We are currently in the process of replacing our IdM 3.x server with 4.x.
>
> There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately.

This is dangerous. I am not sure what platform you use, but if you are using RHEL or CentOS, the general migration procedure to IdM 4.x (i.e. RHEL-7.0+) is to simply create RHEL-7 replicas for your RHEL-6 servers and deprecate the old ones. In case you do some split brain migration, where old and new IdM live separately, you may hit problems. More info here:

https://www.freeipa.org/page/Howto/Migration

> Part of our configuration is using the password sync between IdM and Active Directory.
>
> I can't find any information on this so I figured I'd ask you guys to see if anyone has done this before.
>
> Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?
>
> Thanks,
>
> Matt
Re: [Freeipa-users] sendmail.schema
On 07/09/2015 11:09 AM, Rudolf Gabler wrote:
> Hi,
>
> we are dealing with a huge number of mail aliases which are not purely user aliases but distribution-lists, actions on distribution-lists and so on (mailman). There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment), which is gone (at least I didn't find it). Is there now a different approach for freeipa to deal with this problem?
>
> Regards,
> Rudi Gabler

I would recommend asking on 389-us...@lists.fedoraproject.org if nobody in this list has a good answer.
Re: [Freeipa-users] services-based authentication
On 07/08/2015 10:11 AM, ilaria cianci wrote:
> Hi All,
>
> I am a new user and I have a question about FreeIPA authentication methods. Can FreeIPA select different auth methods (i.e. otp, password, etc) for the same user based on the service he wants to access? I mean that this user should use otp for the mail service, the password for the server access, etc. How can I set this?
>
> Thanks a lot in advance for your answer,
>
> Best regards,
> Ilaria

Hello,

This does not work yet, although it is something that we crave for! If you are interested, you can subscribe to updates in the respective RFE:

https://fedorahosted.org/freeipa/ticket/433
[Freeipa-users] KRA? 4.2?
Hello,

I see 4.2 is released today with lots of cool new features. I think I understand the new Vault, but am not familiar with KRA? Wondering if there might be some information on what this is?

~Janelle
Re: [Freeipa-users] Import DNS records from another system
Ah! Perfect! Thank you, Craig!

On 7/9/15, 4:33 PM, "Craig White" wrote:

> Should be relatively easy enough using the ipa-admintools cli
>
> ipa help dnsrecord-add
>
> Craig White
> System Administrator
> O 623-201-8179 M 602-377-9752
>
> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bendl, Kurt
> Sent: Thursday, July 09, 2015 3:16 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Import DNS records from another system
>
> Hello,
>
> I've been given a list of DNS info [ipaddress, FQDN] to import into FreeIPA. The current DNS setup doesn't allow me to do a zone transfer so the zone2dyndb-ldif tool won't help me at the moment.
>
> I'm hoping there is another method I can leverage to do the import. Some kind of API call would be awesome.
>
> Pointers on what I can try would be greatly appreciated.
>
> Thanks,
> Kurt
>
> PS:
> I'm running this against a test environment, currently: ipa-server-4.1.0-18
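An added example of the approach Craig points at (my code, not Kurt's, Craig's or FreeIPA project code): it turns a flat [ipaddress, FQDN] list into `ipa dnsrecord-add` commands, including the matching PTR records, and skips rows that cannot be placed. It assumes the forward zones in FORWARD_ZONES and the /24 in-addr.arpa zones already exist in FreeIPA and that an admin ticket (kinit) is present when the emitted commands are run; the records are constructed sample data.

```python
"""Generate `ipa dnsrecord-add` commands from an [ipaddress, FQDN] list.

Added example; not FreeIPA code.  Assumptions: the forward zones below and
the /24 reverse zones derived from the addresses already exist in FreeIPA
(ipa dnszone-add), and the caller runs `kinit admin` before executing the
emitted commands.
"""
import ipaddress
import shlex

# Constructed sample input; the real list would come from the file you were given.
SAMPLE_RECORDS = [
    ("192.0.2.10", "web1.example.test."),
    ("192.0.2.11", "web2.example.test"),
    ("198.51.100.7", "db1.lab.example.test"),
    ("not-an-ip", "bogus.example.test"),
]

# Forward zones that exist in FreeIPA (assumption); most specific zone wins.
FORWARD_ZONES = ["lab.example.test", "example.test"]


def split_fqdn(fqdn, zones):
    """Return (relative hostname, zone) for fqdn, or None if no zone matches."""
    name = fqdn.rstrip(".").lower()
    for zone in sorted(zones, key=len, reverse=True):
        zone = zone.rstrip(".").lower()
        if name.endswith("." + zone):
            return name[: -len(zone) - 1], zone
    return None


def reverse_zone(ip):
    """/24 reverse zone name and PTR relative name for an IPv4 address."""
    a, b, c, d = str(ip).split(".")
    return "%s.%s.%s.in-addr.arpa" % (c, b, a), d


def build_commands(records, zones):
    """Return (commands, skipped): ipa CLI strings and rows that were rejected."""
    commands, skipped = [], []
    for raw_ip, fqdn in records:
        try:
            ip = ipaddress.IPv4Address(raw_ip)
        except ipaddress.AddressValueError:
            skipped.append((raw_ip, fqdn, "invalid IPv4 address"))
            continue
        parts = split_fqdn(fqdn, zones)
        if parts is None:
            skipped.append((raw_ip, fqdn, "no matching zone"))
            continue
        host, zone = parts
        rzone, last = reverse_zone(ip)
        # Forward A record in the zone the name belongs to.
        commands.append("ipa dnsrecord-add %s %s --a-rec=%s"
                        % (shlex.quote(zone), shlex.quote(host), ip))
        # Matching PTR record; the target must be a fully qualified name with a trailing dot.
        commands.append("ipa dnsrecord-add %s %s --ptr-rec=%s"
                        % (shlex.quote(rzone), last, shlex.quote(fqdn.rstrip(".") + ".")))
    return commands, skipped


if __name__ == "__main__":
    cmds, bad = build_commands(SAMPLE_RECORDS, FORWARD_ZONES)
    print("\n".join(cmds))
    for ip, fqdn, why in bad:
        print("# skipped %s %s: %s" % (ip, fqdn, why))
```

Review the printed commands before piping them to a shell; rows listed as skipped need a zone created first or a corrected address.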
[Freeipa-users] Import DNS records from another system
Hello,

I've been given a list of DNS info [ipaddress, FQDN] to import into FreeIPA. The current DNS setup doesn't allow me to do a zone transfer so the zone2dyndb-ldif tool won't help me at the moment.

I'm hoping there is another method I can leverage to do the import. Some kind of API call would be awesome.

Pointers on what I can try would be greatly appreciated.

Thanks,
Kurt

PS:
I'm running this against a test environment, currently: ipa-server-4.1.0-18
[Freeipa-users] adding freeipa client fails
(Not sure if this message went through initially, this is a resend.)

I'm trying to add a freeIPA client on Ubuntu 14.04.02 and it's failing. Here is some background information. We lost (RIP) our main IPA server ipa.mydomain.com a while ago, but we were able to fail over to a replica called ipa2. Since then we've built a redundant ipa3.mydomain.com replica. Since then all the systems that were there previously work fine. But adding new IPA hosts fails.

The main error below (I believe) is:

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'

Any idea how to fix?

Thanks in advance!

root@myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
DNS domain 'COM' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: myhost.mydomain.com
Realm: COM
DNS Domain: mydomain.com
IPA Server: ipa.mydomain.com
BaseDN: dc=COM

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@COM:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COM
    Issuer:      CN=Certificate Authority,O=COM
    Valid From:  Thu Apr 04 23:20:27 2013 UTC
    Valid Until: Mon Apr 04 23:20:27 2033 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
Installation failed. Rolling back changes.
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
/etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
Client uninstall complete.
Re: [Freeipa-users] adding freeipa client fails
On Thu, 2015-07-09 at 19:14 +, John Williams wrote:
> I'm trying to add a freeIPA client on Ubuntu 14.04.02 and it's failing. Here is some background information. We lost (RIP) our main IPA server ipa.mydomain.com a while ago, but we were able to fail over to a replica called ipa2. Since then we've built a redundant ipa3.mydomain.com replica. Since then all the systems that were there previously work fine. But adding new IPA hosts fails.
>
> The main error below (I believe) is:
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
>
> Any idea how to fix?

You probably added a cname pointing ipa -> ipa2, that won't work, drop the cname or force the client to use ipa2 with the --server option.

Simo.

> Thanks in advance!

-- 
Simo Sorce * Red Hat, Inc * New York
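An added illustration of the check Simo is describing (my code, not the poster's and not FreeIPA's): it reproduces libcurl's server-name check against a constructed certificate of the shape ipa2.mydomain.com would present, and shows why a name that is a CNAME for ipa2 fails it and what the two fixes look like. The live_check helper, its port 443 default and the optional CA file argument are assumptions for running it against a real server.

```python
"""Reproduce the TLS host-name check that made ipa-client-install fail.

Added example; not FreeIPA code.  libcurl rejects the connection when no
subjectAltName DNS entry (or, failing that, the subject CN) of the server
certificate matches the host name the client connected to.  When DNS
discovery yields `ipa.mydomain.com` but that name is a CNAME for
`ipa2.mydomain.com`, the client still compares the certificate against
`ipa.mydomain.com`, so the replica's certificate cannot match.
"""
import socket
import ssl

# Constructed stand-in for the certificate the replica serves, in the dict
# layout that ssl.SSLSocket.getpeercert() returns.
IPA2_CERT = {
    "subject": ((("organizationName", "COM"),), (("commonName", "ipa2.mydomain.com"),)),
    "subjectAltName": (("DNS", "ipa2.mydomain.com"),),
}


def cert_dns_names(cert):
    """DNS names the certificate is valid for.  SAN entries win; the CN is
    consulted only when the certificate carries no DNS SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive match allowing one wildcard in the left-most label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_matches_host(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def diagnose(target, cert, cname_target=None):
    """Report the mismatch the way the installer did and say what resolves it.
    target is the name the client used; cname_target is the name it aliases, if any."""
    if cert_matches_host(cert, target):
        return "ok: certificate covers %s" % target
    names = ", ".join(cert_dns_names(cert)) or "<no DNS name>"
    msg = "mismatch: certificate is for %s, client connected to %s" % (names, target)
    if cname_target and cert_matches_host(cert, cname_target):
        msg += ("; %s is a CNAME for %s, so either drop the CNAME or enroll with "
                "--server %s" % (target, cname_target, cname_target))
    return msg


def live_check(host, port=443, cafile=None):
    """Fetch what a real server presents and diagnose it (needs network).
    cafile: the IPA CA certificate, e.g. /etc/ipa/ca.crt on an enrolled host (assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; the name check is reported by diagnose()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    canonical = socket.gethostbyname_ex(host)[0]  # assumption: resolver reports the CNAME target here
    cname = canonical if canonical.lower() != host.lower() else None
    return diagnose(host, cert, cname_target=cname)


if __name__ == "__main__":
    print(diagnose("ipa.mydomain.com", IPA2_CERT, cname_target="ipa2.mydomain.com"))
```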
Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Hi Martin

I have taken the plunge, and created a detailed HOWTO at
http://www.freeipa.org/page/HowTos/LDAP_authentication_for_Atlassian_JIRA_using_FreeIPA

@Petr, for the moment I have left your HOWTO / link in place, but have also linked to that thread from my HOWTO.

I hope it helps

Chris

From: Martin Kosek
To: Brian Topping, Sandor Juhasz
Cc: freeipa-users@redhat.com
Date: 10.06.2015 12:13
Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Sent by: freeipa-users-boun...@redhat.com

Cool, I am glad you made this work. BTW, would any of you mind volunteering and helping the FreeIPA community with contributing a HOWTO article on "how to configure FreeIPA and Jira"? It is still missing in the FreeIPA.org wiki. All we have right now is the link to this discussion, that Petr Spacek added to
http://www.freeipa.org/page/HowTos#Web_Services

It would be really nice to also have a real page that others can follow and use.

Thank you!
Martin

On 06/10/2015 11:29 AM, Brian Topping wrote:
> FYI, that mirrors my configuration. Not sure if this was covered previously, but for my setup, only JIRA connects to IPA. All the other Atlassian products contact JIRA for their information.
>
> Cheers, Brian
>
>> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz wrote:
>>
>> Hi,
>>
>> here are our working configurations. Might be useful.
>> We use compat tree for auth.
>> We use user in group matching.
>> We use group filter for login authorization.
>> We use FedoraDS as ldap connector on JIRA's side.
>> We don't use pw change or user create in IPA from JIRA side.
>> Watch out not to have matching local users/groups or you will suffer bigtime.
>> Initially it was setup not to use ldap groups, but was changed afterwards by creating all new groups in ldap for this purpose and re-adding the users.
>> We use ldap service user for binding - https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA .
>>
>> Attributes:
>> "autoAddGroups": ""
>> "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
>> "com.atlassian.crowd.directory.sync.issynchronising": "false"
>> "com.atlassian.crowd.directory.sync.lastdurationms": "373"
>> "com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776"
>> "crowd.sync.incremental.enabled": "false"
>> "directory.cache.synchronise.interval": "3600"
>> "ldap.basedn": "dc="
>> "ldap.connection.timeout": "0"
>> "ldap.external.id": ""
>> "ldap.group.description": "description"
>> "ldap.group.dn": "cn=groups,cn=compat"
>> "ldap.group.filter": "(&(objectClass=posixgroup)(| (cn=)(cn=)(cn=)))"
>> "ldap.group.name": "cn"
>> "ldap.group.objectclass": "groupOfUniqueNames"
>> "ldap.group.usernames": "memberUid"
>> "ldap.local.groups": "false"
>> "ldap.nestedgroups.disabled": "true"
>> "ldap.pagedresults": "false"
>> "ldap.pagedresults.size": "1000"
>> "ldap.password":
>> "ldap.pool.initsize": "null"
>> "ldap.pool.maxsize": "null"
>> "ldap.pool.prefsize": "null"
>> "ldap.pool.timeout": "0"
>> "ldap.propogate.changes": "false"
>> "ldap.read.timeout": "12"
>> "ldap.referral": "false"
>> "ldap.relaxed.dn.standardisation": "true"
>> "ldap.roles.disabled": "true"
>> "ldap.search.timelimit": "6"
>> "ldap.secure": "false"
>> "ldap.url": "ldap://"
>> "ldap.user.displayname": "cn"
>> "ldap.user.dn": "cn=users,cn=accounts"
>> "ldap.user.email": "mail"
>> "ldap.user.encryption": "sha"
>> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))"
>> "ldap.user.firstname": "givenName"
>> "ldap.user.group": "memberOf"
>> "ldap.user.lastname": "sn"
>> "ldap.user.objectclass": "person"
>> "ldap.user.password": "userPassword"
>> "ldap.user.username": "uid"
>> "ldap.user.username.rdn": ""
>> "ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc="
>> "ldap.usermembership.use": "false"
>> "ldap.usermembership.use.for.groups": "false"
>> "localUserStatusEnabled": "false"
>>
>> Sándor Juhász
>> System Administrator
>> ChemAxon Ltd.
>> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
>> Cell: +36704258964
>>
>> From: "Martin Kosek"
>> To: "Christopher Lamb", freeipa-users@redhat.com
>> Sent: Wednesday, June 10, 2015 9:22:03 AM
>> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
>>
>> On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> we are interested to know if anybody has succeeded (or for that matter failed) in using FreeIPA to provide user authentication for Atlassian products such as JIRA or Confluence?
>>>
>>> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially supported, so I guess that should set our expectations.
>>>
>>> If anyone has succeeded, then of course any tips on how best to do so would be fantastic!
>>
>> I saw a reply in the threads, so it should be covered.
>>
>> BTW, please add +1s to respective Jira tickets to add proper FreeIPA support.
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).

I have a feeling you are overcomplicating things for yourself. You don't need the PAM plugin of 389-ds to be enabled or used with FreeIPA. All you need is to create your users in IPA, assign them some temporary passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html, set up your web app to authenticate via PAM like http://www.freeipa.org/page/Web_App_Authentication explains, and you are done.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Migrating from custom auth system
On 07/09/2015 08:36 AM, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).

The 389-ds PAM passthrough auth plugin can't add users. You would have to add some additional functionality to either PAM, or another 389-ds plugin.

> Nicola
Re: [Freeipa-users] Migrating from custom auth system
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).

Nicola

On 09/07/15 15:20, Alexander Bokovoy wrote:
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>> Thank you Alexander.
>> If the previous password is not used, I could set an impossible-hash password (such as "{crypt}*") and let users login authenticating through PAM?
> How would you authenticate then? Remember that it is the hash in the userPassword attribute that is used for actual authentication. If the password-handling plugin cannot calculate the same hash based on the plain-text password it was supplied via LDAP bind, how would the user successfully authenticate?
>
> If you migrate this way, you need password hashes, at least. If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service.
>
>> Or I could put the "user-add" in the pam_exec script (but only if the user does not already exist).
> I don't think it is sufficiently good, at least I wouldn't do it this way.

-- 
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it

---
The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties.
Re: [Freeipa-users] EXTERNAL: Re: Multiple CA certificates (for PassSync)
Yeah I knew that the passsync utility would only communicate with 1 server. I'm not too worried about password sync for our new IdM server until it actually replaces the old server. I just didn't know how Windows would handle having multiple CA certs and if it would get cranky because of it. Last thing I want to do is have users coming to complain about the passwords not syncing.

Thanks for the input guys, I'll give it a shot to see how it goes.

Matt

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, July 09, 2015 10:37 AM
To: Rob Crittenden; Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Multiple CA certificates (for PassSync)

On 07/09/2015 07:23 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> We are currently in the process of replacing our IdM 3.x server with 4.x.
>>
>> There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately.
>>
>> Part of our configuration is using the password sync between IdM and Active Directory.
>>
>> I can't find any information on this so I figured I'd ask you guys to see if anyone has done this before.
>>
>> Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?
>
> I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Right. passsync can talk to only 1 IdM server. To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs.

> Rich may know.
>
> rob
Re: [Freeipa-users] Multiple CA certificates (for PassSync)
On 07/09/2015 07:23 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> We are currently in the process of replacing our IdM 3.x server with 4.x.
>>
>> There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately.
>>
>> Part of our configuration is using the password sync between IdM and Active Directory.
>>
>> I can't find any information on this so I figured I'd ask you guys to see if anyone has done this before.
>>
>> Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?
>
> I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Right. passsync can talk to only 1 IdM server. To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs.

> Rich may know.
>
> rob
Re: [Freeipa-users] Apache htaccess replacement
On Fri, Jun 26, 2015 at 09:19:51PM -0400, Dmitri Pal wrote:
> On 05/19/2015 05:29 AM, thewebbie wrote:
>>
>> My requirement is to replace dozens of htaccess folders on one server. Each folder requiring a user group. So Host based will not work in this case
>
> Was this resolved in some way?

I don't think it was. I believe the OP is following

http://www.freeipa.org/page/Apache_Group_Based_Authorization

which looks a bit outdated.

What we probably should decide is, what group-based access control do we want to suggest to people who cannot use HBAC and want to get the groups.

On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
>
> I have been attempting to use my 4.1.4 FreeIPA server to authenticate folders on a web server as a replacement for the normal htaccess feature. I do require group authentication. I have tried just about every online example and have only been able to get basic ldap and basic Kerberos authentication. How do I go about getting group based authentication working?
>
> I have tried to add the following to either example below and no luck. I added the httpbind user from an ldif file from examples. I created a user group named htaccess and added the users to it.
>
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
> AuthLDAPBindPassword XX
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
>
> [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

Are you able to bind with that DN and password using for example ldapsearch?

> I have this working.
>
> SSLRequireSSL
> AuthName "LDAP Authentication"
> AuthType Basic
> AuthzLDAPMethod ldap
> AuthzLDAPServer ipa.test.com
> AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
> AuthzLDAPUserKey uid
> AuthzLDAPUserScope base
> require valid-user
>
> And this is working
>
> SSLRequireSSL
> AuthName "KERBEROS Authentication"
> AuthType Kerberos
> KrbServiceName HTTP
> KrbMethodK5Passwd On
> KrbSaveCredentials On
> KrbMethodNegotiate On
> KrbAuthRealms TEST.COM
> Krb5KeyTab /etc/httpd/conf.d/keytab
>
> AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
> Require valid-user

I wonder -- with SSSD configured on the machine -- doesn't require group actually work?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Multiple CA certificates (for PassSync)
Joseph, Matthew (EXP) wrote:
> Hello,
>
> We are currently in the process of replacing our IdM 3.x server with 4.x.
>
> There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately.
>
> Part of our configuration is using the password sync between IdM and Active Directory.
>
> I can't find any information on this so I figured I'd ask you guys to see if anyone has done this before.
>
> Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?

I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Rich may know.

rob
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote:
> Thank you Alexander.
> If the previous password is not used, I could set an impossible-hash
> password (such as "{crypt}*") and let users login authenticating through
> PAM?

How would you authenticate then? Remember that it is the hash in
userPassword attribute that is used for actual authentication. If
password-handling plugin cannot calculate to the same hash based on the
plain-text password it was supplied via LDAP bind, how would user
successfully authenticate?

If you migrate this way, you need password hashes, at least. If you are
going to issue users with new passwords, just create all of them in IPA
with these new passwords and ask them to login, at least once, to IPA
self-service.

> Or I could put the "user-add" in the pam_exec script (but only if the
> user does not already exist).

I don't think it is sufficiently good, at least I wouldn't do it this way.

--
/ Alexander Bokovoy
Re: [Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686
Martin Chamambo wrote:
> I have the following configuration below and I'm able to login via SSH
> into a 32 bit server. With the same username I'm able to login on other
> servers

Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for the
information necessary to assist.

rob
Re: [Freeipa-users] Apache not starting because of cert password issue ?
Matt . wrote:
> I now get:
>
> [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615] Certificate not
> found: 'Server-Cert'
>
> So, it's no good at all :)

I think you need to take a step back and tell us what you've done to get
into this situation. The error messages are fairly clear. The first one was
you had a bad password for the database. This current error is that the
certificate referenced by the NSSNickname directive in nss.conf does not
exist in the Apache NSS database. These aren't the kinds of errors that pop
up out of the blue.

What, specifically, are you trying to do and what have you done to get to
this point?

rob

> 2015-07-09 3:27 GMT+02:00 Nigel Sollars:
> > Fair enough :)
> >
> > On Wed, Jul 8, 2015 at 9:25 PM, Matt . wrote:
> > > Hi,
> > >
> > > No I'm testing some recovering strategies for the docs, so I need to
> > > have that checked.
> > >
> > > I have emailed Martin Kosek if he can enable the older repo's again,
> > > would be great!
> > >
> > > Thanks,
> > >
> > > Matt
> > >
> > > 2015-07-09 3:23 GMT+02:00 Nigel Sollars:
> > > > Would it not be wise to keep with current? There does seem to be a
> > > > lot of threads with issues regarding older versions. That being said
> > > > there is a thread also with regards to LDAP which could be related
> > > > also.
> > > >
> > > > Regards
> > > >
> > > > On Wed, Jul 8, 2015 at 9:19 PM, Matt . wrote:
> > > > > Hi
> > > > >
> > > > > I found that but it didn't fix it, thanks btw.
> > > > >
> > > > > Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it
> > > > > seems that the maintainer empties the repo after every release...
> > > > > so older versions are not there anymore.
> > > > >
> > > > > 2015-07-09 3:17 GMT+02:00 Nigel Sollars:
> > > > > > Looks similar to a TLS/SSL issue in this thread,
> > > > > > http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
> > > > > >
> > > > > > Hope this helps,
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > On Wed, Jul 8, 2015 at 5:04 PM, Matt . wrote:
> > > > > > > I'm facing a httpd server which won't start with ipa, so IPA
> > > > > > > fails to start.
> > > > > > >
> > > > > > > As I'm really not able to find anything about it on the
> > > > > > > internet I wonder if someone knows why it's logging this and
> > > > > > > how I can fix it.
> > > > > > >
> > > > > > > [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
> > > > > > > [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
> > > > > > > [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Matt
> > > > > >
> > > > > > --
> > > > > > "Science is a differential equation. Religion is a boundary
> > > > > > condition."
> > > > > > Alan Turing
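As an added check (not from the thread), the following POSIX sh script reproduces Rob's diagnosis mechanically: it reads the NSSNickname directive out of nss.conf and tests whether that nickname is present in the output of `certutil -L -d /etc/httpd/alias`. Both inputs are constructed samples embedded in the script so it runs without an httpd install; on a real host you would pass in the actual file contents and the real certutil listing instead.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the NSSNickname in
# nss.conf against the nicknames certutil lists for the Apache NSS database.

# Constructed nss.conf excerpt (only the directives that matter here).
NSS_CONF_SAMPLE='NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert'

# Constructed listing in the shape `certutil -L -d /etc/httpd/alias` prints.
# It deliberately lacks Server-Cert, which is the state the log line reports.
CERTUTIL_SAMPLE='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ipaCert                                       u,u,u
TEST.COM IPA CA                               CT,C,C'

# Print the value of the first NSSNickname directive in $1 (nss.conf text).
nss_nickname() {
    printf '%s\n' "$1" | awk '
        $1 == "NSSNickname" {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive name
            gsub(/^"|"$/, "")                  # tolerate a quoted value
            print
            exit
        }'
}

# Succeed (0) if nickname $1 appears in certutil listing $2.  certutil pads
# the nickname with spaces and ends each line with the trust string, so the
# last field is stripped and the remainder compared exactly; this keeps
# nicknames containing spaces ("TEST.COM IPA CA") intact.
nickname_present() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { rc = 1 }
        {
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # remove trust column
            if (line == want) rc = 0
        }
        END { exit rc }'
}

# Combine both: returns 0 if found, 1 if missing, 2 if nss.conf names none.
check_nss_conf() {
    nick=$(nss_nickname "$1")
    if [ -z "$nick" ]; then
        echo "nss.conf has no NSSNickname directive"
        return 2
    fi
    if nickname_present "$nick" "$2"; then
        echo "OK: '$nick' exists in the NSS database"
        return 0
    fi
    echo "MISSING: '$nick' is not in the NSS database (mod_nss will log: Certificate not found: '$nick')"
    return 1
}

# Demonstration run on the constructed inputs; the status is informational.
check_nss_conf "$NSS_CONF_SAMPLE" "$CERTUTIL_SAMPLE" || :
```

The first error in the thread (a wrong database password) has to be cleared before this check means anything, because certutil cannot list the private keys, and mod_nss cannot use them, until the slot password in the file named by NSSPassPhraseDialog is correct.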
Re: [Freeipa-users] Migrating from custom auth system
Thank you Alexander.
If the previous password is not used, I could set an impossible-hash
password (such as "{crypt}*") and let users login authenticating through
PAM?
Or I could put the "user-add" in the pam_exec script (but only if the user
does not already exist).
I'll test both ways.

Nicola

On 09/07/15 14:44, Alexander Bokovoy wrote:
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
> > OK, I'm sorry for the little information provided: I can't do
> > migrate-ds, since I'm not coming from a "DS" (which can only be another
> > LDAP server, I guess).
> > The only thing I can expect is that users will login to one of the
> > applications which I put under FreeIPA authentication.
> > So I mixed the "NIS migration" documentation (maintaining passwords)
> > with the "migration mode", hoping it was what I was looking for.
>
> If you did create your users the same way as proposed with NIS migration,
> then they wouldn't be different from what would have happened with 'ipa
> migrate-ds'. End result, you have user entries in LDAP with passwords set
> to their hashes in the previous system and no Kerberos attributes.
>
> > Is there a way so that users are created in FreeIPA once they login in
> > this way?
>
> *You* need to create them.
> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
> walks you through that:
>
> --->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8
> From your export file, import the users into IPA using the admin tools and
> set the original hashed password:
>
> # ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
> ---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it

---
The content of the above communication is strictly confidential and reserved
solely for the referred addressees. In the event of receipt by persons
different from the addressee, copying, alteration and distribution are
forbidden. If received by mistake we ask you to inform us and to destroy
and/or delete from your computer without using the data herein contained.
The present message (eventual annexes inclusive) shall not be considered a
contractual proposal and/or acceptance of offer from the addressee, nor
waiver recognizance of rights, debts and/or credits, nor shall it be binding
when not executed as a subsequent agreement by persons who could lawfully
represent us. No pre-contractual liability shall apply to us when the
present communication is not followed by any binding agreement between the
parties.
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote:
> OK, I'm sorry for the little information provided: I can't do migrate-ds,
> since I'm not coming from a "DS" (which can only be another LDAP server, I
> guess).
> The only thing I can expect is that users will login to one of the
> applications which I put under FreeIPA authentication.
> So I mixed the "NIS migration" documentation (maintaining passwords) with
> the "migration mode", hoping it was what I was looking for.

If you did create your users the same way as proposed with NIS migration,
then they wouldn't be different from what would have happened with 'ipa
migrate-ds'. End result, you have user entries in LDAP with passwords set to
their hashes in the previous system and no Kerberos attributes.

> Is there a way so that users are created in FreeIPA once they login in
> this way?

*You* need to create them.
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
walks you through that:

--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8
From your export file, import the users into IPA using the admin tools and
set the original hashed password:

# ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

--
/ Alexander Bokovoy
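Two messages in this thread fit together: the quoted `ipa user-add ... --setattr userpassword={crypt}...` step above, and Alexander's later point that the userPassword hash is what the LDAP bind is verified against, so an entry created with a placeholder like "{crypt}*" can never authenticate. The following script is an added example (not from the thread and not part of FreeIPA) that turns a passwd/shadow-style export of the old system into those user-add commands and sets aside every account whose stored hash cannot verify a password (empty, locked with "!", or a "*" placeholder) so that those users get a fresh password instead of an unusable entry. It assumes the seven-field /etc/passwd and nine-field /etc/shadow layouts and derives the --first/--last values that ipa user-add requires from the GECOS field; the sample export and every hash string in it are constructed.

```python
"""Added example, not code from the thread or from FreeIPA itself.

Build `ipa user-add` commands that carry over existing crypt hashes, and
report accounts whose hash could never match a password (these need a new
password, not a migrated hash).  Assumed conventions: passwd/shadow export
layouts, GECOS supplies first/last name.
"""
import shlex

# Constructed sample export; every hash below is a placeholder string.
PASSWD_SAMPLE = """\
alice:x:1001:1001:Alice Anderson:/home/alice:/bin/bash
bob:x:1002:1002:Bob Brown:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave Davis:/home/dave:/sbin/nologin
erin:x:1005:1005:Erin Evans:/home/erin:/bin/bash
"""

SHADOW_SAMPLE = """\
alice:$6$constructedsalt$constructedhashvalue:16600:0:99999:7:::
bob:!$6$constructedsalt$constructedhashvalue:16600:0:99999:7:::
carol:*:16600:0:99999:7:::
dave::16600:0:99999:7:::
"""


def parse_passwd(text):
    """Map login name -> (first, last) derived from the GECOS field."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, gecos = fields[0], fields[4]
        words = gecos.split(",")[0].split()   # full name is the first GECOS field
        first = words[0] if words else name
        last = words[-1] if len(words) > 1 else first
        users[name] = (first, last)
    return users


def parse_shadow(text):
    """Map login name -> stored hash field (may be empty)."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % line)
        hashes[fields[0]] = fields[1]
    return hashes


def hash_problem(h):
    """Return None if the hash can verify a password, else the reason it cannot."""
    if h is None:
        return "no shadow entry"
    if h == "":
        return "empty hash (passwordless account)"
    if h.startswith("!"):
        return "locked account (hash starts with '!')"
    if h.startswith("*"):
        return "placeholder hash, no password can match it"
    return None


def build_commands(passwd_text, shadow_text):
    """Return (commands, skipped).

    commands: one `ipa user-add` line per account with a usable hash, the
              hash passed through as {crypt} so the server keeps it as-is.
    skipped:  login -> reason, for accounts that need a new password.
    """
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    commands, skipped = [], {}
    for name, (first, last) in users.items():
        h = hashes.get(name)
        problem = hash_problem(h)
        if problem:
            skipped[name] = problem
            continue
        commands.append(
            "ipa user-add %s --first %s --last %s --setattr %s"
            % (shlex.quote(name), shlex.quote(first), shlex.quote(last),
               shlex.quote("userpassword={crypt}" + h))
        )
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = build_commands(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for c in cmds:
        print(c)
    for name, why in sorted(skipped.items()):
        print("# %s: %s; issue a new password instead" % (name, why))
```

The hash still has to be in a crypt(3) form the directory server on the IPA side can recompute from the plaintext offered at bind time, which is exactly the condition Alexander describes; the script only filters out values that can never satisfy it.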
Re: [Freeipa-users] Migrating from custom auth system
OK, I'm sorry for the little information provided: I can't do migrate-ds,
since I'm not coming from a "DS" (which can only be another LDAP server, I
guess).
The only thing I can expect is that users will login to one of the
applications which I put under FreeIPA authentication.
So I mixed the "NIS migration" documentation (maintaining passwords) with
the "migration mode", hoping it was what I was looking for.
Is there a way so that users are created in FreeIPA once they login in this
way?
From what you said, I need to use SSSD (I'm going to read the docs ASAP).
Is migration mode only used when I also use "ipa migrate-ds"?
Thank you very much.

Nicola

On 09/07/15 14:08, Alexander Bokovoy wrote:
> Nicola,
>
> perhaps it would help if you explain what did you mean by saying below
>
> > My problem is with Kerberos and FreeIPA web GUI, which don't accept
> > LDAP users not created by IPA.
>
> When you enabled migration mode and actually migrated users with 'ipa
> migrate-ds' command, you will have those users in IPA and they will be
> able to authenticate via LDAP with their old passwords.
>
> If your server (where your web app would be running) is enrolled into
> IPA, then it would be already running SSSD and set up for using it via
> pam_sss. Then configuring your web app to authenticate via PAM stack (for
> example, like we explain on
> http://www.freeipa.org/page/Web_App_Authentication) takes care of
> properly logging in and updating passwords. SSSD knows about migration
> mode and has support for it.
>
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
> > I don't understand the question: aren't users created by IPA command
> > line the same as if they are created via the web GUI?
> >
> > Nicola
> >
> > On 09/07/15 13:05, Jan Pazdziora wrote:
> > > On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> > > > Hello.
> > > > I was trying Freeipa as an addition and (maybe) future replacement
> > > > for the current SSO solution (custom and only for web apps).
> > > > I was able to authenticate (via pam_exec) LDAP users on the legacy
> > > > system.
> > > > My problem is with Kerberos and FreeIPA web GUI, which don't
> > > > accept LDAP users not created by IPA.
> > > >
> > > > I enabled migration mode in Freeipa, so that authenticated users
> > > > should get Kerberos hash created upon first login, but I don't
> > > > know how to make users login without creating them in advance.
> > > >
> > > > Is there a (suggested) way to let users authenticate via Kerberos
> > > > and create users authenticated by PAM upon first login?
> > >
> > > Create user where -- in the Web application or in FreeIPA?
> >
> > --
> > Nicola Canepa
> > Tel: +39-0522-399-3474
> > canep...@mmfg.it

--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
Re: [Freeipa-users] Migrating from custom auth system
Nicola,

perhaps it would help if you explain what did you mean by saying below

> My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
> users not created by IPA.

When you enabled migration mode and actually migrated users with 'ipa
migrate-ds' command, you will have those users in IPA and they will be able
to authenticate via LDAP with their old passwords.

If your server (where your web app would be running) is enrolled into IPA,
then it would be already running SSSD and set up for using it via pam_sss.
Then configuring your web app to authenticate via PAM stack (for example,
like we explain on http://www.freeipa.org/page/Web_App_Authentication) takes
care of properly logging in and updating passwords. SSSD knows about
migration mode and has support for it.

On Thu, 09 Jul 2015, Nicola Canepa wrote:
> I don't understand the question: aren't users created by IPA command line
> the same as if they are created via the web GUI?
>
> Nicola
>
> On 09/07/15 13:05, Jan Pazdziora wrote:
> > On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> > > Hello.
> > > I was trying Freeipa as an addition and (maybe) future replacement
> > > for the current SSO solution (custom and only for web apps).
> > > I was able to authenticate (via pam_exec) LDAP users on the legacy
> > > system.
> > > My problem is with Kerberos and FreeIPA web GUI, which don't accept
> > > LDAP users not created by IPA.
> > >
> > > I enabled migration mode in Freeipa, so that authenticated users
> > > should get Kerberos hash created upon first login, but I don't know
> > > how to make users login without creating them in advance.
> > >
> > > Is there a (suggested) way to let users authenticate via Kerberos
> > > and create users authenticated by PAM upon first login?
> >
> > Create user where -- in the Web application or in FreeIPA?
>
> --
> Nicola Canepa
> Tel: +39-0522-399-3474
> canep...@mmfg.it

--
/ Alexander Bokovoy
Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andy Thompson
> Sent: Monday, July 6, 2015 2:28 PM
> To: Rich Megginson; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
>
> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
> > Sent: Monday, July 6, 2015 2:05 PM
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
> >
> > On 07/06/2015 11:49 AM, Andy Thompson wrote:
> > > I've got a couple warnings in different IPA installs that I'm not
> > > sure how to find what values I should increase each config setting to.
> > >
> > > In one install I'm seeing the following
> > >
> > > [03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming
> > > BER Element was too long, max allowable is 209715200 bytes. Change the
> > > nsslapd-maxbersize attribute in cn=config to increase.
> > >

This ended up being a security scanner on the network causing the problem
and nothing related to system functionality in any way.

> > > Second installation I'm seeing this on startup
> > >
> > > WARNING: changelog: entry cache size 858992B is less than db size
> > > 2293760B; We recommend to increase the entry cache size
> > > nsslapd-cachememsize.
> > >
> > > How can I determine what to increase each config setting to?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html-single/Configuration_and_Command-Line_Tool_Reference/index.html#cnconfig-nsslapd_maxbersize_Maximum_Message_Size

-andy
Re: [Freeipa-users] Failed to start pki-tomcatd Service
2015-06-29 19:37 GMT+02:00 Alexandre Ellert:
> Hello,
>
> I have a problem on a replica server running Centos 7.1 and ipa
> 4.1.0-18.el7.centos.3.x86_64 (last version)
> Ipa server doesn't restart correctly (using systemctl restart ipa or reboot
> the whole server):
> # ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
>
> and I have to force the start process:
> # ipactl start -f
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
>
>
> Failed to start pki-tomcatd Service
> Forced start, ignoring pki-tomcatd Service, continuing normal operation
> Starting ipa-otpd Service
> ipa: INFO: The ipactl command was successful
>
> But, as you see the pki-tomcatd is unable to start.
> I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and
> found this error:
> Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path
> [/ca] threw exception
> java.io.IOException: CS server is not ready to serve.
> at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
> at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at
Re: [Freeipa-users] Migrating from custom auth system
I don't understand the question: aren't users created by IPA command line
the same as if they are created via the web GUI?

Nicola

On 09/07/15 13:05, Jan Pazdziora wrote:
> On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> > Hello.
> > I was trying Freeipa as an addition and (maybe) future replacement for
> > the current SSO solution (custom and only for web apps).
> > I was able to authenticate (via pam_exec) LDAP users on the legacy
> > system.
> > My problem is with Kerberos and FreeIPA web GUI, which don't accept
> > LDAP users not created by IPA.
> >
> > I enabled migration mode in Freeipa, so that authenticated users should
> > get Kerberos hash created upon first login, but I don't know how to
> > make users login without creating them in advance.
> >
> > Is there a (suggested) way to let users authenticate via Kerberos and
> > create users authenticated by PAM upon first login?
>
> Create user where -- in the Web application or in FreeIPA?

--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
[Freeipa-users] Multiple CA certificates
Hello,

We are currently in the process of replacing our IdM 3.x server with 4.x.
There are going to be some major directory changes during the upgrade so I
need to keep both the old and new IdM servers up and running separately.

Part of our configuration is using the password sync between IdM and Active
Directory. I can't find any information on this so I figured I'd ask you
guys to see if anyone has done this before.

Can I have two CA certificates from 2 IdM servers installed on the Active
Directory server? And will this cause any issues with our password sync?

Thanks,

Matt
Re: [Freeipa-users] Migrating from custom auth system
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> Hello.
> I was trying Freeipa as an addition and (maybe) future replacement for the
> current SSO solution (custom and only for web apps).
> I was able to authenticate (via pam_exec) LDAP users on the legacy system.
> My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
> users not created by IPA.
>
> I enabled migration mode in Freeipa, so that authenticated users should get
> Kerberos hash created upon first login, but I don't know how to make users
> login without creating them in advance.
>
> Is there a (suggested) way to let users authenticate via Kerberos and create
> users authenticated by PAM upon first login?

Create user where -- in the Web application or in FreeIPA?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] UPN suffixes in AD trust
On Thu, Jul 09, 2015 at 12:36:53PM +0200, Giorgio Biacchi wrote:
> On 06/29/2015 03:11 PM, Sumit Bose wrote:
> > On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
> >> On 06/29/2015 10:30 AM, Sumit Bose wrote:
> >>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
> On 06/26/2015 08:06 PM, Sumit Bose wrote:
> > On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
> >>
> >>
> >> On 06/26/2015 02:38 PM, Sumit Bose wrote:
> >>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 05:44 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> >> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> >>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> Hi everybody,
> I established a bidirectional trust between an IPA server (version 4.1.0 on
> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> Everything is working fine, and I'm able to authenticate and logon on a linux
> host joined to IPA server using AD credentials (username@mydomain.local).
> But active directory is configured with two more UPN suffixes (otherdomain.com
> and sub.otherdomain.com), and I cannot logon with credentials using alternative
> UPN (example: john@otherdomain.com).
>
> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> Manual configuration of krb5 and/or sssd?
> >>>
> >>> Have you tried to login to an IPA client or the server? Please try with
> >>> an IPA server first. If this does not work it would be nice if you can
> >>> send the SSSD log files from the IPA server which are generated during
> >>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
> >>> cached entries so that the logs will contain all needed calls to AD.
> >>>
> >>> Using UPN suffixes were added to the AD provider some time ago and the
> >>> code is available in the IPA provider as well, but I guess no one has
> >>> actually tried this before.
> >>>
> >>> bye,
> >>> Sumit
> >>
> >> First of all let me say that I feel like I'm missing some config
> >> somewhere..
> >> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >> I can only access the server via ssh so I've attached the logs for a
> >> successful login for account1@mydomain.local and an unsuccessful login
> >> for accou...@otherdomain.com done via ssh.
> >>
> >> Bye and thanks for your help
> >>
> >
> > It looks like the request is not properly propagated to sub-domains (the
> > trusted AD domain) but only sent to the IPA domain.
> >
> > Would it be possible for you to run a test build of SSSD which might fix
> > this? If yes, which version of SSSD are you currently using? Then I can
> > prepare a test build with the patch on top of this version.
> >
> > bye,
> > Sumit
> >
>
> Hi,
> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available
> for any test.
>
> Here's the packages version for sssd:
>
> sssd-common-1.12.2-58.el7_1.6.x86_64
> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> sssd-1.12.2-58.el7_1.6.x86_64
> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> sssd-ad-1.12.2-58.el7_1.6.x86_64
> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> sssd-client-1.1
Re: [Freeipa-users] UPN suffixes in AD trust
On 06/29/2015 03:11 PM, Sumit Bose wrote:
> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
>> On 06/29/2015 10:30 AM, Sumit Bose wrote:
>>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
On 06/26/2015 08:06 PM, Sumit Bose wrote:
> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>
>>
>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 05:44 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 12:56 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
Hi everybody,
I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
Everything is working fine, and I'm able to authenticate and logon on a linux host joined to IPA server using AD credentials (username@mydomain.local).
But active directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot logon with credentials using alternative UPN (example: john@otherdomain.com).

How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>
>>> Have you tried to login to an IPA client or the server? Please
>>> try with
>>> an IPA server first. If this does not work it would be nice if
>>> you can
>>> send the SSSD log files from the IPA server which are generated
>>> during
>>> the logon attempt. Please call 'sss_cache -E' before to
>>> invalidate all
>>> cached entries so that the logs will contain all needed calls
>>> to AD.
>>>
>>> Using UPN suffixes were added to the AD provider some time ago
>>> and the
>>> code is available in the IPA provider as well, but I guess no
>>> one has
>>> actually tried this before.
>>>
>>> bye,
>>> Sumit
>>
>> First of all let me say that i feel like I'm missing some config
>> somewhere..
>> Changes tried in krb5.conf to support UPN suffixes didn't helped.
>> I can only access the server vi ssh so I've attached the logs
>> for a successful
>> login for account1@mydomain.local and an unsuccessful login for
>> accou...@otherdomain.com done via ssh.
>>
>> Bye and thanks for your help
>>
>
> It looks like the request is not properly propagated to
> sub-domains (the
> trusted AD domain) but only send to the IPA domain.
>
> Would it be possible for you to run a test build of SSSD which
> might fix
> this? If yes, which version of SSSD are you currently using? Then
> I can
> prepare a test build with the patch on top of this version.
>
> bye,
> Sumit
>
Hi,
I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.

Here's the packages version for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64
>>>
>>> Please try the packages at
>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>
>>> bye,
>>> Sumit
>>
>> Hi,
>> I've installed the new RPMs, now if I run on the server:
>>
>
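The exchange above (both partial copies of this thread) turns on a single routing decision: a login name that carries one of the forest's alternative UPN suffixes belongs to the trusted AD domain, so the identity lookup and the Kerberos request have to be sent to that trusted domain and not only to the IPA domain, which is the failure Sumit describes. The following is an added illustration of that decision written for this page; it is not SSSD's code. The trust table, the NetBIOS name and the function name resolve_login are constructed assumptions built from the domain names mentioned in the thread.

```python
"""Route a login name to the SSSD domain and Kerberos realm that own it
when the trusted AD forest publishes additional UPN suffixes.

Added example for this thread; not SSSD's implementation. The tables below
are constructed from the names used in the thread."""

# Constructed sample: the IPA domain trusts the AD forest mydomain.local,
# which also owns the UPN suffixes otherdomain.com and sub.otherdomain.com
# (the forest trust information is where SSSD learns these in practice).
IPA_DOMAIN = "ipa.mydomain.local"
TRUSTED_FORESTS = {
    "mydomain.local": {"otherdomain.com", "sub.otherdomain.com"},
}
# Constructed NetBIOS name for DOMAIN\user style logins.
NETBIOS_NAMES = {"MYDOMAIN": "mydomain.local"}


def resolve_login(login, ipa_domain=IPA_DOMAIN,
                  forests=TRUSTED_FORESTS, netbios=NETBIOS_NAMES):
    """Return (sssd_domain, username, realm) for a login name, or None.

    sssd_domain is the SSSD domain (the IPA domain or a trusted AD
    subdomain) that must answer the lookup; realm is the Kerberos realm
    whose KDC issues the ticket. A UPN suffix is only an alias for the
    forest, so the realm is always the forest's, never the suffix.
    """
    if not login:
        return None
    if "\\" in login:                      # DOMAIN\user form
        short, user = login.split("\\", 1)
        dom = netbios.get(short.upper())
        if not dom or not user:
            return None
        return (dom, user, dom.upper())
    if "@" not in login:                   # bare name: local IPA user
        return (ipa_domain, login, ipa_domain.upper())
    user, suffix = login.rsplit("@", 1)
    suffix = suffix.lower()
    if not user or not suffix:
        return None
    # Exact match only: ipa.mydomain.local is a DNS child of mydomain.local
    # but is not an AD domain, and sub.otherdomain.com must not be treated
    # as "anything under otherdomain.com".
    if suffix == ipa_domain.lower():
        return (ipa_domain, user, ipa_domain.upper())
    for forest, upn_suffixes in forests.items():
        if suffix == forest or suffix in upn_suffixes:
            return (forest, user, forest.upper())
    # Unknown suffix: refuse rather than silently falling back to the IPA
    # domain, which would reproduce the misrouting seen in the thread.
    return None


if __name__ == "__main__":
    for name in ("alice", "alice@ipa.mydomain.local", "john@mydomain.local",
                 "john@otherdomain.com", "john@sub.otherdomain.com",
                 "MYDOMAIN\\john", "john@unknown.example"):
        print(f"{name:28} -> {resolve_login(name)}")
```

The point of the exact-match rule is visible in the sample names: john@otherdomain.com and john@sub.otherdomain.com both resolve to the mydomain.local subdomain and its realm, while alice@ipa.mydomain.local stays local even though the IPA domain is a DNS child of the forest name.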
[Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686
I have the following configuration below and I'm able to login via SSH into a 32 bit server. With the same username I'm able to login on other servers

[root@alvin ~]# cat /etc/sssd/sssd.conf
[domain/xx.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xx.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = alvin.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, .ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xx.co.zw

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[root@alvin ~]#

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
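As an added example (mine, not SSSD's own validation), the script below parses an sssd.conf with Python's configparser and applies a few structural checks that catch common reasons a domain does not come up or a client cannot be matched to its IPA host entry: a domains= entry without a matching [domain/...] section, an IPA domain missing ipa_domain or ipa_server, an ipa_server entry that is neither _srv_ nor a hostname, and a client ipa_hostname outside ipa_domain. The embedded sample is the configuration from the post above; which conditions are worth flagging, and the function name check_sssd_conf, are my assumptions, not a diagnosis of that host.

```python
"""Structural sanity checks for an sssd.conf.

Added example; not SSSD's own validation. The checks are the author's
assumptions about configuration mistakes worth surfacing before digging
through sssd logs."""
import configparser
import re
import sys

# Sample copied from the sssd.conf posted above (prompt lines stripped).
SAMPLE_SSSD_CONF = """\
[domain/xx.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xx.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = alvin.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, .ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xx.co.zw

[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
"""

# A plausible fully qualified hostname: labels of alphanumerics/hyphens,
# at least one dot, no leading or trailing dot.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", re.I)


def _csv(value):
    """Split an sssd.conf comma-separated value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_conf(text):
    """Return a list of (level, message) findings; level is 'error' or 'warn'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if not cfg.has_section("sssd"):
        return [("error", "no [sssd] section")]
    listed = _csv(cfg.get("sssd", "domains", fallback=""))
    defined = [s[len("domain/"):] for s in cfg.sections() if s.startswith("domain/")]
    for d in listed:
        if d not in defined:
            findings.append(("error", f"domains= lists '{d}' but there is no [domain/{d}] section"))
    for d in defined:
        if d not in listed:
            findings.append(("warn", f"[domain/{d}] is defined but not enabled in domains="))
    for d in listed:
        sec = f"domain/{d}"
        if not cfg.has_section(sec):
            continue
        idp = cfg.get(sec, "id_provider", fallback=None)
        if idp is None:
            findings.append(("error", f"[{sec}] has no id_provider"))
            continue
        if idp == "ipa":
            for key in ("ipa_domain", "ipa_server"):
                if not cfg.has_option(sec, key):
                    findings.append(("error", f"[{sec}] id_provider=ipa but {key} is missing"))
            ipa_domain = cfg.get(sec, "ipa_domain", fallback="").lower()
            host = cfg.get(sec, "ipa_hostname", fallback="").lower()
            if host and ipa_domain and not host.endswith("." + ipa_domain):
                findings.append(("warn", f"[{sec}] ipa_hostname '{host}' is not under ipa_domain "
                                 f"'{ipa_domain}'; verify the IPA host entry and keytab principal"))
            for srv in _csv(cfg.get(sec, "ipa_server", fallback="")):
                if srv != "_srv_" and not HOSTNAME_RE.match(srv):
                    findings.append(("warn", f"[{sec}] ipa_server entry '{srv}' is neither _srv_ "
                                     "nor a valid hostname"))
    return findings


if __name__ == "__main__":
    # Usage: python check_sssd_conf.py [/etc/sssd/sssd.conf]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    for level, message in check_sssd_conf(source):
        print(f"{level.upper():5} {message}")
```

Run against the posted sample the checker reports no structural errors, only two warnings: the client hostname alvin.ai.co.zw is outside ipa_domain xx.co.zw, and the second ipa_server entry ".ai.co.zw" is not a hostname. Whether those are redactions or real values is something only the poster can say, which is why they are warnings rather than errors.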
[Freeipa-users] Migrating from custom auth system
Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance. Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login? My workaround is to create user in the pam_exec-uted script, but I don't think this is a clean way of doing it, and I have to use LDAP as first login method. Thank you in advance for any link, suggestion or solution. Nicola
[Freeipa-users] sendmail.schema
Hi, we are dealing with a huge number of mail aliases which are not purely user aliases but distribution-lists, actions on distribution-lists and so on (mailman). There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment), which is gone (at least I didn't find it). Is there now a different approach for freeipa to deal with this problem? Regards, Rudi Gabler